tcpdump is a widely know and used tool that can be used to look at management port traffic directly on the Security Analytics appliance without having to hook up a secondary workstation to the network.

How to capture the traffic

If you need to sniff traffic on eth0 for debugging purposes on your Security Analytics appliance, log in as root via SSH and run the following command:

tcpdump -s 65535 -w debug.pcap -n -S -i eth0
 
Let it run as long as you need to capture traffic and then press CTRL + C to stop the capture.  It will report how many packets were received.

From the same prompt, you can then import the debug.pcap file using dspcapimport:

dspcapimport -i impt1 -f debug.pcap -t 1 -s 1 -v
 
You should get a summary of how many bytes were written and how many packets were imported.


How to analyze the traffic in SA

Log in to the Security Analytics UI and locate your imported pcap by going to the Capture > Import PCAP screen.  The import source should be USB and the Interface should be impt1.  From there, you can click on one of the icons under Actions to perform further investigation.


Other useful syntax for enhanced filtering can be found at http://danielmiessler.com/study/tcpdump/  Of course you can also enter “man tcpdump” from the command line to get the details on the switches.

For example, if you only want to capture DNS traffic from port 53, modify your tcpdump command as follows:

tcpdump -s 65535 -w debug.cap -n -S -i eth0 port 53
 
If you want to read the file from the command line or grep through it before you import it into SA, you can use this command:

tcpdump -nnvvXSs 65535 -r debug.pcap | grep string