Record network traffic or gather a packet capture (PCAP) from the SEDR Appliance
Article ID: 178946
Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

A network traffic recording or packet capture (PCAP) may be needed to troubleshoot network communication issues with an Endpoint Detection and Response (EDR) appliance.

The two commands used are tcpdump (to record the traffic) and getpcap (to copy the capture off the appliance).

Environment

In order to capture network traffic on an SEDR appliance, you need to know which interface to record. The following table shows the interface names for each appliance model and for the Virtual Machine (VM):

Appliance model   Hardware version   Management port   Monitor1 / WAN 1   Monitor2 / LAN 1   Monitor3 / WAN 2   Monitor4 / LAN 2
8880              R730               eth0              eth7               eth6               eth5               eth4
8880              R720               eth0              eth7               eth6               eth5               eth4
8840              R330               eth0              eth3               eth2               N/A                N/A
8840              R220               eth0              eth2               eth3               N/A                N/A
VM                N/A                eth0              eth1               eth2               N/A                N/A

Resolution

Once you have determined which ethernet port you will be capturing on, run the tcpdump command. If you want to capture all network traffic, use the '--interface all' argument.

Example:

    tcpdump -i eth0 -w /home/admin/transfers/capture.pcap

or

    tcpdump --interface all -w /home/admin/transfers/capture.pcap

Packet capture begins immediately after you run the command and records all packets traversing that ethernet port. After you have reproduced the issue or run the test you needed, press Ctrl-C to stop the capture. If you need to run other CLI commands while the capture is running, open a second SSH session and run them there.

To copy the captures to an SCP server in your environment, use the getpcap command as described in the Endpoint Detection and Response Administration Guide and the online Help.

getpcap command:

Description: Copies *.pcap files from /home/admin on the appliance to a remote host running sshd. A .pcap file is the packet capture written by the tcpdump command and can be used to analyze TCP/IP traffic.

Option   Description
<user>   A user on the remote host. You are prompted to enter the password for that user.
<host>   The host name, FQDN, or IP address of the remote host.
<path>   The path on the remote host where the .pcap files are stored.

Example:   getpcap <user>@<host>:~/pcaps/

The files are then uploaded to the provided server, where you can open them in a packet capture analysis tool such as Wireshark.
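Before spending time uploading a capture or opening it in Wireshark, it is worth confirming that the file is a complete pcap and actually contains packets. The script below is an added example for this article, not part of the KB text or the SEDR CLI; it is meant to be run on the workstation that received the file via getpcap. It assumes only a POSIX sh with od, wc and printf, and that tcpdump wrote the classic pcap container (the default for tcpdump -w); a pcapng file is recognised by its magic but not walked. The make_sample_pcap function writes a small constructed two-packet file so the checks can be exercised offline.

```shell
#!/bin/sh
# pcap_check.sh: sanity-check a tcpdump capture before uploading or analysing it.
# Added example, not from the KB article. Assumes POSIX sh + od/wc/printf and
# the classic pcap format written by "tcpdump -w".

# hex digits of LENGTH bytes at OFFSET in FILE, as one string without spaces
hexat() { od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# reverse the byte order of an 8-hex-digit word (little-endian -> big-endian)
swap32() { printf '%s' "$1" | sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/'; }

# decimal value of the 32-bit word at OFFSET, honouring the capture's endianness
word32() {  # file offset endian(le|be)
    h=$(hexat "$1" "$2" 4)
    [ "$3" = le ] && h=$(swap32 "$h")
    echo "$((0x$h))"
}

# classify FILE by its 4-byte magic; prints "<format> <endian>", exit 1 if unknown
pcap_format() {
    case $(hexat "$1" 0 4) in
        a1b2c3d4) echo "pcap be" ;;
        d4c3b2a1) echo "pcap le" ;;
        a1b23c4d) echo "pcap-nsec be" ;;
        4d3cb2a1) echo "pcap-nsec le" ;;
        0a0d0d0a) echo "pcapng unknown" ;;
        *)        echo "invalid unknown"; return 1 ;;
    esac
}

# walk the per-packet record headers; prints "<packets> <bytes_on_wire>",
# exit 1 if the file is not a classic pcap or a record runs past end of file
pcap_count() {
    fmt=$(pcap_format "$1") || { echo "0 0"; return 1; }
    endian=${fmt#* }
    case ${fmt% *} in pcap|pcap-nsec) ;; *) echo "0 0"; return 1 ;; esac
    size=$(($(wc -c < "$1")))
    off=24 pkts=0 bytes=0                      # records start after the 24-byte global header
    while [ $((off + 16)) -le "$size" ]; do
        incl=$(word32 "$1" $((off + 8)) "$endian")   # bytes saved in the file
        orig=$(word32 "$1" $((off + 12)) "$endian")  # bytes seen on the wire
        off=$((off + 16 + incl))
        # a record that runs past end of file means the capture was cut short
        [ "$off" -le "$size" ] || { echo "$pkts $bytes"; return 1; }
        pkts=$((pkts + 1)) bytes=$((bytes + orig))
    done
    [ "$off" -eq "$size" ] || { echo "$pkts $bytes"; return 1; }
    echo "$pkts $bytes"
}

# operator-facing one-line summary; exit 1 unless the file is a complete pcap
pcap_info() {
    fmt=$(pcap_format "$1") || { echo "$1: not a pcap/pcapng file"; return 1; }
    case ${fmt% *} in
        pcapng) echo "$1: pcapng container (open it in Wireshark)"; return 0 ;;
    esac
    e=${fmt#* }
    counts=$(pcap_count "$1") && status=complete || status=TRUNCATED
    echo "$1: ${fmt% *} snaplen=$(word32 "$1" 16 "$e") linktype=$(word32 "$1" 20 "$e")" \
         "packets=${counts% *} bytes_on_wire=${counts#* } $status"
    [ "$status" = complete ]
}

# write a constructed little-endian pcap (Ethernet, link type 1) with two records,
# for exercising the checks offline; not a real appliance capture
make_sample_pcap() {
    {
        # global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        # record 1: ts 1.000000, incl_len 3, orig_len 3, data "ABC"
        printf '\001\000\000\000\000\000\000\000\003\000\000\000\003\000\000\000\101\102\103'
        # record 2: ts 2.000000, incl_len 2 (snapped), orig_len 60, data "DE"
        printf '\002\000\000\000\000\000\000\000\002\000\000\000\074\000\000\000\104\105'
    } > "$1"
}

# stand-alone use: sh pcap_check.sh capture.pcap
if [ $# -gt 0 ]; then pcap_info "$1"; fi
```

Run it as `sh pcap_check.sh capture.pcap`. A packet count of 0 means nothing was recorded on that interface, and a TRUNCATED status means the last record is incomplete, which is what you see when a file is copied while tcpdump is still writing it; in either case take the capture again rather than uploading it. The snaplen and linktype fields come straight from the global header, which also shows why a .pcap is a binary container rather than a text file.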

SEDR 4.2 and later:

Starting with SEDR 4.2, you can save the pcap file to the /home/admin/transfers folder. Here is an example tcpdump command:

    tcpdump -i eth4 -w /home/admin/transfers/capture.pcap

or

    tcpdump -i any -w /home/admin/transfers/capture.pcap

Once the capture has ended, navigate to Settings -> Global to download the file. Scroll to the bottom, choose Download, and provide the pcap file name (capture.pcap in the above example).

Additional Information