Configuration Guide
Contivity Secure IP Services Gateway
Packet Capture on Contivity (PCAP)

Contents

Contents ... 1
Overview ... 1
    PCAP feature ... 2
Configuration and capture ... 4
    Enabling the capture globally ... 5
    Adding a new capture object ... 6
    Configuring capture object ... 7
        Setting the Direction ... 7
        Setting the Filter ... 7
        Setting the Length ... 8
        Setting the Persistence (tunnels only) ... 8
        Setting the Promiscuous Mode (FastEthernet only) ... 9
        Setting the Remote IP (tunnels only) ... 9
        Setting the Trigger ... 9
        Setting the Type (tunnels only) ... 10
        Setting the User ID (tunnels only) ... 11
        Setting the Wrapping parameter ... 11
        Exiting the capture configuration mode ... 11
    Starting, Stopping and Clearing the capture ... 11
    Checking the Status and Saving the capture ... 12
    Deleting the capture object ... 14
    Disabling capture globally ... 14
    Transferring, opening and viewing the capture ... 15
Sample capture configurations ... 17
    Setup ... 17
    General capture configuration ... 18
    PCAP using defaults on physical interfaces ... 20
    PCAP using triggers on physical interfaces ... 24
    PCAP on the physical interfaces using Filters and Direction ... 28
    PCAP on Global/Raw IP in mixed environment of tunnels and private physical interfaces ... 32
    PCAP on tunnel using user ID ... 36
    PCAP on tunnel using Remote IP ... 40

Overview

One of the ways to troubleshoot network problems is to use a device such as a sniffer to capture the traffic traversing the network. In conjunction with logs, statistics and debugging information, captured traces can help an engineer find the source of a problem and its resolution. Many devices such as routers, servers and workstations implement packet capture in software, which eliminates the need for an external sniffer. Using an external device might disrupt the live network, or the device might not be capable of decoding encrypted traffic, which is important for troubleshooting VPN networks. Software-based capture can easily be turned on or off at any time during device operation without interfering with the network the device is connected to.

CG031208  2.00  April 2004  Page: 1 of 44

With the introduction of the V04_85 release, the Contivity product line has capturing capabilities that are implemented through the PCAP feature.

PCAP feature

The PCAP feature on Contivity allows an engineer to perform the following tasks:
• Simultaneous capture of network traffic from different sources:
  o traffic passing through a physical interface (Ethernet, serial, ISDN, V.90, Async PPP, ADSL, T1, T3, etc.);
  o traffic on Ethernet not directed to the Contivity (promiscuous mode);
  o traffic passing over a Branch Office tunnel;
  o traffic passing over user tunnels.
• Limiting the traffic to be captured by using traffic filters;
• Setting triggers for automatic start and stop of the capture;
• Encrypting the captured traffic with DES56 or AES128 when saving the capture to disk, to prevent unauthorized monitoring of the secure IP traffic;
• Password-protected mode for capturing traffic.

Because Contivity is a security device, capturing capabilities can be enabled only via the console port. This way only qualified onsite personnel have access to the feature; an intruder from the outside cannot log in to the Contivity gateway and enable a capture. For security reasons, the administrator's password for the Contivity gateway must be changed from its default value (setup) before a capture can be enabled. Moreover, the capture itself is protected by a password selected by the administrator when the capture is enabled. When the capture is written to a file on disk it is encrypted with the selected capture password. The selected password is not stored on the Contivity and cannot be retrieved in any way, which ensures that only the administrator who enabled the capture is able to decrypt it later. To further secure the capture, DES56 or AES128 is used to encrypt capture files. The algorithm depends on the Contivity model: if the Contivity has a key of less than 128 bits, DES56 is used; otherwise AES128 is used. A tool called openpcap has been developed to open encrypted capture files. Openpcap prompts for the capture password and decrypts the file so that the capture can be analyzed with Ethereal, Sniffer Pro or similar software. For performance reasons, once capturing is started packets are saved into the PCAP buffer in memory and are not written to disk until the capture is stopped and saved.


Starting with code release V04_90, once the PCAP feature is enabled it remains enabled until specifically disabled by the administrator.

NOTE: In the previous release (V04_85), once the PCAP feature was enabled it remained enabled until either the administrator disabled it or the system rebooted, whichever came first.

As mentioned earlier, the capture can be started on any of the interfaces (or sources): Ethernet, WAN link, Branch Office tunnel, user tunnel, etc. Only one capture on a particular interface can be running at a time, but multiple captures on different interfaces can run at the same time. This limitation preserves Contivity performance.

A capture can be enabled for incoming traffic, outgoing traffic or both, so the administrator controls the direction of the traffic to be captured.

To reduce overhead, only the interesting traffic can be captured by using existing Contivity filters. Note: Only IP filters can be used.

Existing filters can also be used as triggers to start or stop the capture: once the filter condition is met, the capture is started or stopped. Triggers only work in the direction in which the capture is enabled. For example, if the capture is enabled for outgoing traffic only and a packet satisfying the filter condition arrives with the incoming traffic, it will not trigger the capture. The stop trigger is executed only if the start trigger has previously been executed; in other words, the stop trigger can only fire once capturing has started.

Note: Enabling the PCAP feature has an impact on Contivity performance. It must therefore be used with care and for troubleshooting purposes only. The impact can be reduced by capturing less data (only the first n bytes of each packet) or by capturing only the interesting traffic using triggers and filters.


Configuration and capture

As mentioned in the Overview section, the PCAP feature is intended for troubleshooting purposes only and therefore can be enabled via the console CLI only. To start the configuration, connect to the Contivity through the console port and log in using HyperTerminal (or similar) software (Auto detect 9600/8-N-1):

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2003 Nortel Networks, Inc.
Version:            V04_85.XXX
Creation date:      Oct 21 2003, 11:55:12
Date:               10/27/2003
Unit Serial Number: 19696

Please enter the administrator's user name: admin
Please enter the administrator's password: <password>

Once logged in, the menu appears. Select option L (upper or lowercase) to enter the CLI:

Main Menu:                                   System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode   FALSE
7) Allow HTTP Management        TRUE
8) Firewall Options
9) Shutdown System
B) Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E): l
CES>


Enter the privileged mode:

CES>enable
Password:
CES#

If the administrator's default password (setup) is still in use, change the password via the GUI or the CLI. To change the password via the CLI, enter the configuration mode:

CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.

Enter the new password for the administrator:

CES(config)#adminname admin password <new password>

Exit the configuration mode to save the changes:

CES(config)#exit
CES#

The administrator now has a new password.

Enabling the capture globally

To enable the capture globally, enter the capture enable command. When prompted, enter the password for the capture. The password should be at least 8 characters long and contain at least one number. Note: The password is not visible on the screen.

Example:

CES#capture enable
Please specify password for encrypting capture files.
Password: ********
Reenter password: ********
CES#

If the capture password is too simple, the following error message appears and the password must be re-entered:

Example:

CES#capture enable
Please specify password for encrypting capture files.
Password: **
Reenter password: **
% Weak password! Please try again.


To disable the capture, enter the no capture enable command:

CES#no capture enable
CES#

Note: No other capture command is available until PCAP is enabled globally. Once PCAP has been enabled globally via the console, the feature can be managed through a console or telnet session.

Adding a new capture object

There are no captures defined on the Contivity by default. To define a new capture, enter the capture add <name> <source> [size <size>] command, where:
<name> is the name of the capture to be defined;
<source> is the interface the capture should be taken on: bri slot/port, dial slot/port, FastEthernet slot/port, GigabitEthernet slot/port, global, serial slot/port or tunnel. With V04_90, capturing on the atm slot/port (ADSL) interface was added;
<size> is the number of octets to allocate for the capture. If not specified, the default of 1MB is allocated; otherwise enter a value between 32768 and 268435456.

Example. To view the possible sources for the capture:

CES#capture add nameOfTheCapture ?
  atm              ATM interface capture
  bri              Bri interface capture
  dial             Dial interface capture
  FastEthernet     Fast Ethernet interface capture
  GigabitEthernet  Gigabit Ethernet interface capture
  global           Global RAW IP capture
  serial           Serial interface capture
  tunnel           Tunnel capture

For example, to set up the capture for the FastEthernet interface on slot 0 port 1 with a capture size of 32768:

CES#capture add nameOfTheCapture FastEthernet 0/1 size 32768

Note: The global and tunnel choices do not take a slot/port reference.


Configuring capture object

To enter the configuration mode for a capture, issue the capture <name> command, where <name> is the name of the capture to be configured. Note: The capture object must be created first.

Example:

CES#capture nameOfTheCapture
CES(capture-ethernet)#

Setting the Direction

The direction { inbound | outbound } command in the capture configuration mode sets the direction of the traffic to be captured. If no direction is specified, both directions are captured. Set the direction to inbound to capture incoming traffic, or to outbound to capture outgoing traffic. The no form negates the previously set direction and restores the default of both directions.

Note: The capture must not be running when a new direction is set; in other words, the capture cannot change direction on the fly.

Example:

CES(capture-ethernet)#direction inbound
CES(capture-ethernet)#
CES(capture-ethernet)#direction outbound
CES(capture-ethernet)#
CES(capture-ethernet)#no direction
CES(capture-ethernet)#

Setting the Filter

The filter command sets the filter applied to the traffic to be captured, which allows only the interesting traffic to be captured.

Note: The filter must already exist on the Contivity before it can be applied to the capture. For information on how to configure filters on Contivity, consult Configuration Guide - Contivity Interface and Tunnel Filters.

Note: A filter cannot be applied to a currently running capture. To apply the filter, stop the capture first.

The no form of the command negates it, restoring the default capture-all behavior.

Examples:


CES(capture-ethernet)#filter "permit ping"
CES(capture-ethernet)#
CES(capture-ethernet)#no filter
CES(capture-ethernet)#

Setting the Length

To set the length of each packet to be captured, issue the length <size> command, where <size> is the number of octets to capture. Enter a number between 64 and 4096 (the default is 4096). The no form negates the command, restoring the default length of 4096.

Example:

CES(capture-ethernet)#length 1024
CES(capture-ethernet)#
CES(capture-ethernet)#no length
CES(capture-ethernet)#

Setting the Persistence (tunnels only)

By default, the capture of tunnel traffic (BO, ABOT, user tunnels) stops as soon as the tunnel is disconnected. If the capture needs to restart when another tunnel matching the criteria is established, persistence can be enabled for the tunnel capture. To enable persistence, issue the persistent enable command. The no form of the command disables persistence.

Examples:

CES(capture-tunnel)#persistent enable
CES(capture-tunnel)#
CES(capture-tunnel)#no persistent enable
CES(capture-tunnel)#


Setting the Promiscuous Mode (FastEthernet only)

To enable promiscuous mode on the FastEthernet interface, issue the promiscuous enable command. Use the no form of the command to disable promiscuous mode (the default behavior):

CES(capture-ethernet)#promiscuous enable
CES(capture-ethernet)#
CES(capture-ethernet)#no promiscuous enable
CES(capture-ethernet)#

Setting the Remote IP (tunnels only)

To set the remote IP address as a criterion for tunnel traffic capture, issue the remoteip <ip-address> command. When this parameter is set, only tunnel traffic from the specified remote IP is captured. Use the no form to remove the criterion and return to the default behavior of capturing tunnel traffic from any remote IP address.

Examples:

CES(capture-tunnel)#remoteip 192.168.100.1
CES(capture-tunnel)#
CES(capture-tunnel)#no remoteip
CES(capture-tunnel)#

Setting the Trigger

To set the start or stop trigger for traffic capturing, use the trigger { start | stop } command.

Note: Only an existing interface filter can be used as a trigger. For information on how to configure filters on Contivity, consult Configuration Guide - Contivity Interface and Tunnel Filters.

If no start trigger is set, the system starts saving packets as soon as the capture is started. A start trigger makes the system wait for the specific packet defined in the filter and starts saving as soon as that packet is received. A stop trigger stops saving packets when the packet defined in its filter is received.

Note: Once the stop trigger condition has been met, the start trigger can start the capture again. This allows specific transaction-oriented traffic to be captured. Triggers can be used in conjunction with filters for even greater flexibility.

The no form of the command removes the start trigger, the stop trigger or both.

Examples:

CES(capture-tunnel)#trigger start "permit Telnet"
CES(capture-tunnel)#
CES(capture-tunnel)#trigger stop "permit FTP"
CES(capture-tunnel)#
CES(capture-tunnel)#no trigger start
CES(capture-tunnel)#
CES(capture-tunnel)#no trigger stop


CES(capture-tunnel)#
CES(capture-tunnel)#no trigger
CES(capture-tunnel)#

Setting the Type (tunnels only)

To set the tunnel type as the criterion for tunnel capturing, use the type { any | initiator | peer2peer | responder | user } { ipsec | l2f | l2tp | pptp } command, where:
any – capture any tunnel type (the default behavior);
initiator – capture ABOT initiator tunnels only;
peer2peer – capture Peer-to-Peer tunnels only;
responder – capture ABOT responder tunnels only;
user – capture user tunnels only;
ipsec – capture IPSec tunnels only;
l2f – capture L2F tunnels only;
l2tp – capture L2TP tunnels only;
pptp – capture PPTP tunnels only.

The no form of the command restores the default behavior of capturing any tunnel.

Examples:

CES(capture-tunnel)#type initiator l2tp
CES(capture-tunnel)#
CES(capture-tunnel)#type user ipsec
CES(capture-tunnel)#
CES(capture-tunnel)#no type
CES(capture-tunnel)#


Setting the User ID (tunnels only)

To set the user ID as the criterion for tunnel traffic capture, use the userid <id> command, where <id> is the ID of the user. If set, the capture is taken on the tunnel with the specified user ID. If not set, the default behavior of capturing a tunnel with any user ID applies. The no form of the command restores the default behavior.

Examples:

CES(capture-tunnel)#userid user1
CES(capture-tunnel)#
CES(capture-tunnel)#no userid
CES(capture-tunnel)#

Setting the Wrapping parameter

To allow newly captured traffic to be written over the previously captured data when the buffer fills up, use the wrapping enable command. When this parameter is enabled the capture does not stop when the capture buffer is full; instead it writes the new data over the old capture. This allows the capture to run continuously regardless of buffer size. The no form of the command disables the parameter, so the capture stops when the buffer is full (the default behavior).

Examples:

CES(capture-tunnel)#wrapping enable
CES(capture-tunnel)#
CES(capture-tunnel)#no wrapping enable
CES(capture-tunnel)#
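The trigger rules from Setting the Trigger (direction-restricted start/stop triggers that can re-arm) and the buffer behaviour from this section (per-frame length, buffer full versus wrapping) modelled in Python as an added example; this is not Nortel code, and the Packet type, the permit_port helper standing in for a "permit <service>" filter, and the rule that the frame which fires the start trigger is itself stored are assumptions.

```python
"""Model of the PCAP capture-object semantics described in this guide (added
example, not Nortel code): direction, filter, start/stop triggers, per-frame
length, buffer size and wrapping, stepped through on constructed packets."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Packet:
    direction: str        # "inbound" or "outbound" relative to the gateway
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for ICMP)
    payload: bytes = b""  # octets that would be copied into the buffer

Rule = Callable[[Packet], bool]  # a Contivity IP filter, modelled as a predicate

def permit_port(proto: str, port: int) -> Rule:
    """Rough equivalent of a 'permit <service>' filter such as "permit Telnet"."""
    return lambda p: p.proto == proto and p.dport == port

@dataclass
class CaptureObject:
    size: int = 1048576              # capture buffer in octets (default 1MB)
    length: int = 4096               # max octets stored per frame (default)
    direction: Optional[str] = None  # None = both directions (default)
    filt: Optional[Rule] = None      # only matching frames are stored
    trigger_start: Optional[Rule] = None
    trigger_stop: Optional[Rule] = None
    wrapping: bool = False
    state: str = "EMPTY"
    saving: bool = False             # True while frames are being stored
    wrapped: bool = False
    frames: List[bytes] = field(default_factory=list)

    @property
    def used(self) -> int:
        return sum(len(f) for f in self.frames)

    def start(self) -> None:
        self.state = "RUNNING"
        self.saving = self.trigger_start is None  # no start trigger: save at once

    def offer(self, pkt: Packet) -> bool:
        """Feed one frame; return True if it was stored in the buffer."""
        if self.state != "RUNNING":
            return False
        if self.direction and pkt.direction != self.direction:
            return False  # triggers are also only seen in the captured direction
        if not self.saving:  # the stop trigger is not evaluated until start fired
            if not (self.trigger_start and self.trigger_start(pkt)):
                return False
            self.saving = True  # assumption: the triggering frame itself is stored
        elif self.trigger_stop and self.trigger_stop(pkt):
            self.saving = False  # a later start-trigger packet re-arms the capture
            return False
        if self.filt and not self.filt(pkt):
            return False
        frame = pkt.payload[: self.length]
        while self.used + len(frame) > self.size:
            if not self.wrapping or not self.frames:
                self.state = "BUFFER FULL"  # default: capture stops when full
                return False
            self.frames.pop(0)  # wrapping enabled: overwrite the oldest data
            self.wrapped = True
        self.frames.append(frame)
        return True

    def status(self) -> Dict[str, str]:
        """Subset of the fields 'show capture <name>' prints."""
        return {
            "Capture state": self.state,
            "Captured frames": str(len(self.frames)),
            "Capture buffer utilization": f"{100 * self.used // self.size}%",
            "Capturing direction": (self.direction or "bidirectional").upper(),
            "Capture buffer wrapping": "ENABLED" if self.wrapping else "DISABLED",
            "Capture buffer wrapped": str(self.wrapped).upper(),
        }

def run_trigger_scenario() -> dict:
    """Outbound-only capture, "permit Telnet" start and "permit FTP" stop triggers."""
    cap = CaptureObject(size=200, length=64, direction="outbound",
                        trigger_start=permit_port("tcp", 23),
                        trigger_stop=permit_port("tcp", 21))
    cap.start()
    traffic = [  # constructed frames, in arrival order
        Packet("inbound", "tcp", 23, b"T" * 40),    # wrong direction: no trigger
        Packet("outbound", "icmp", 0, b"P" * 40),   # before start trigger: dropped
        Packet("outbound", "tcp", 23, b"T" * 100),  # start trigger; cut to 64 octets
        Packet("outbound", "icmp", 0, b"P" * 40),   # stored
        Packet("outbound", "tcp", 21, b"F" * 40),   # stop trigger: not stored
        Packet("outbound", "icmp", 0, b"P" * 40),   # after stop: dropped
        Packet("outbound", "tcp", 23, b"T" * 40),   # start trigger re-arms capture
    ]
    return {"stored": [cap.offer(p) for p in traffic], "status": cap.status()}

def run_wrapping_scenario(wrapping: bool) -> dict:
    """Five 64-octet frames into a 200-octet buffer, with or without wrapping."""
    cap = CaptureObject(size=200, length=64, wrapping=wrapping)
    cap.start()
    stored = [cap.offer(Packet("inbound", "udp", 53, bytes([i]) * 64)) for i in range(5)]
    return {"stored": stored, "status": cap.status()}
```

Running the two scenarios shows the trigger capture storing only the frames between the outbound Telnet and FTP packets (72% of the buffer), while the wrapping-disabled buffer ends in BUFFER FULL after three frames and the wrapping-enabled one keeps the three newest frames with "Capture buffer wrapped: TRUE".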

Exiting the capture configuration mode

To exit the capture configuration mode and save the capture configuration, use the exit command:

CES(capture-ethernet)#exit
CES#

Starting, Stopping and Clearing the capture

To start a configured capture object, use the capture <name> start command, where <name> is the name of the capture object. Note: The capture object must be created before it can be started.

Example:

CES#capture nameOfTheCapture start
CES#

To stop the capture, use the capture <name> stop command, where <name> is the name of the running capture object.


Example:

CES#capture nameOfTheCapture stop
CES#

To clear the contents of a particular capture, use the clear capture <name> command, where <name> is the name of the capture object to be cleared.

Example:

CES#clear capture nameOfTheCapture
CES#

Checking the Status and Saving the capture

To check the status of a capture, use the show capture <name> command, where <name> is the name of the capture object.

Examples:

CES#show capture tunnel
Capture state:                        EMPTY
Capture buffer size:                  1048576
Capture type:                         TUNNEL
Restarting capture on tunnel logoff:  DISABLED
Capturing MAX octets per frame:       4096
Captured frames:                      0
Capture buffer utilization:           0%
Capturing direction:                  BIDIRECTIONAL
Capture buffer wrapping:              DISABLED
Capture buffer wrapped:               FALSE

CES#show capture nameOfTheCapture
Capture state:                        RUNNING
Capture buffer size:                  32768
Capture type:                         ETHERNET
Capturing on interface:               FastEthernet 0/1
Promiscuous mode is:                  DISABLED
Capturing MAX octets per frame:       4096
Captured frames:                      29
Capture buffer utilization:           84%
Capturing direction:                  BIDIRECTIONAL
Capture buffer wrapping:              DISABLED
Capture buffer wrapped:               FALSE

CES#show capture nameOfTheCapture
Capture state:                        BUFFER FULL
Capture buffer size:                  32768
Capture type:                         ETHERNET
Capturing on interface:               FastEthernet 0/1
Promiscuous mode is:                  DISABLED
Capturing MAX octets per frame:       4096
Captured frames:                      33
Capture buffer utilization:           100%
Capturing direction:                  BIDIRECTIONAL
Capture buffer wrapping:              DISABLED
Capture buffer wrapped:               FALSE

CES#show capture tunnel2
Capture state:                        STOPPED
Capture buffer size:                  1048576
Capture type:                         TUNNEL
Restarting capture on tunnel logoff:  DISABLED
Capturing MAX octets per frame:       4096
Captured frames:                      0
Capture buffer utilization:           0%
Capturing direction:                  BIDIRECTIONAL
Capture buffer wrapping:              DISABLED
Capture buffer wrapped:               FALSE

To view the list of all configured capture objects, use the show capture command:

CES#show capture
Name              Type      Size     Buffer use  Count  State
global            GLOBAL    1048576  0%          0      EMPTY
nameOfTheCapture  ETHERNET  32768    100%        33     BUFFER FULL
tunnel            TUNNEL    1048576  0%          0      STOPPED
CES#

Note: None of these capture objects has been saved to disk yet; they are all held in memory until they are explicitly saved. To save a capture to disk, use the capture <name> save <filename> command.

Example:

CES#capture nameOfTheCapture save file.cap
Saving capture nameOfTheCapture to file /ide0/file.cap please wait . . .
28 frames written successfully
CES#


Deleting the capture object

Once a capture object is no longer needed, the memory used to store it should be freed to preserve Contivity performance. To delete the capture object and free its memory, use the no capture <name> command.

Example:

CES#no capture captureName
CES#

Note: When capture is globally disabled by issuing the no capture enable command, all capture objects are removed from memory.

Disabling capture globally

The PCAP feature can be disabled globally from the console only. To disable capture globally, use the following command:

CES#no capture enable

If an attempt is made to disable capture via telnet, a warning is displayed stating that packet capture can be disabled from the console only:

% Packet capture must be disabled from the console port.


Transferring, opening and viewing the capture

The saved capture can be transferred from the Contivity gateway using FTP (make sure to use binary mode for the transfer). Download the appropriate capture file from the Contivity.

Example:

D:\tmp\pcap>ftp 192.168.50.90
Connected to 192.168.50.90.
220 FTP server ready
User (192.168.50.90:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get FILE.CAP
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 2532 bytes received in 0.15Seconds 16.88Kbytes/sec.
ftp> quit
221 Bye...see you later

Once the capture has been transferred to the machine it will be analyzed on, use the openpcap tool to decrypt the captured trace with the openpcap <encrypted capture file> <decrypted capture file> command.

Example:

D:\tmp\openpcap\128>openpcap.exe FILE.CAP outFILE.cap
Password:  <- enter the selected capture password (the password entered when the capture was globally enabled)


Once the captured trace has been decrypted, it can be opened with software such as Ethereal or Sniffer Pro.

NOTE: If the software used to analyze the trace does not understand its format (Sniffer Pro, for example), a conversion might be needed. Use the editcap utility in DOS to convert a saved capture to the Network General format, for example:

editcap -T ether -F ngsniffer d:\pcapfiles\bot_1.cap bot_1.enc

If the capture was taken on a tunnel or on Ethernet, use the .enc extension; if it was taken on a WAN interface, use the .syc extension. If the capture was taken on a tunnel or on global IP, the FORCE protocol option must be set in Sniffer Pro for it to read the IP frames correctly.


Sample capture configurations

Setup

[Network diagram: CES1 (private side 192.168.10.0/24) and CES2 (private side 192.168.20.0/24) are connected over the public network 192.168.100.0/24 by an IPSec Peer-to-Peer BO tunnel; WS sits on 192.168.100.0/24 and PC on the CES2 private side.]

CES1 – Contivity Secure IP Services Gateway, code version V04_80, management IP 192.168.10.1/24, private IP 192.168.10.10/24, public IP 192.168.100.1;
CES2 – Contivity Secure IP Services Gateway, code version V04_85, management IP 192.168.20.2/24, private IP 192.168.20.20/24, public IP 192.168.100.2/24;
WS – Windows 2000 workstation with the Contivity VPN Client installed, IP 192.168.100.7/24;
PC – Windows 2000 workstation on the CES2 private side, IP 192.168.20.7/24.

Note: This configuration assumes that CES1 and CES2 are already configured for the Peer-to-Peer IPSec branch office, that CES2 is configured to accept a user tunnel from the WS, and that the WS is configured to initiate the user tunnel to CES2. In all sample configurations the capture is enabled on CES2.

Note: The sample configurations in this document cover the capture object configuration only. For information on how to configure a branch office tunnel or a user tunnel, consult the appropriate documentation.


General capture configuration

Make sure the default password for the administrator on CES2 has been changed; if it has not, change it. For example, to change the administrator's password from the default "setup" to "test" via the CLI, log in to the Contivity:

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2003 Nortel Networks, Inc.
Version:            V04_85.XXX
Creation date:      Oct 21 2003, 11:55:12
Date:               10/28/2003
Unit Serial Number: 19696

Please enter the administrator's user name: admin
Please enter the administrator's password:

Select option L on the menu:

Main Menu:                                   System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode   FALSE
7) Allow HTTP Management        TRUE
8) Firewall Options
9) Shutdown System
B) Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E): l

Enter the privileged mode:

CES>enable
Password:


Enter the configuration mode:

CES#conf t
Enter configuration commands, one per line. End with Ctrl/z.

Configure the password (test) for the administrator:

CES(config)#adminname admin password test
CES(config)#exit
CES#

To change the administrator's password from the default "setup" to "test" via the GUI, navigate to Admin > Administrator, type the new password in the Password text box, confirm it in Confirm Password, and click OK at the bottom of the screen.

Once the administrator's password has been changed, log in to CES2 via the console port using terminal software such as HyperTerminal and enter the privileged mode as described above.


Once in the privileged mode, enable the capture globally and enter the password that protects the capture (1qazxsw2 is used as the password in this example):

CES#capture enable
Please specify password for encrypting capture files.
Password: ********
Reenter password: ********
CES#

PCAP using defaults on physical interfaces Let’s create a capture object on FastEthernet interface with the default capture settings in it. Create a capture object (test-fast) for FastEthernet 0/1 with the default capture size (1M): CES#capture add test-fast fastEthernet 0/1 CES# Start the capture for the created capture object: CES#capture test-fast start Ping from CES2 to WS on the CES2 private side: CES#ping 192.168.20.7 PING 192.168.20.7: 36 data bytes 64 bytes from 192.168.20.7: icmp_seq=0. time=<16 ms 64 bytes from 192.168.20.7: icmp_seq=1. time=<16 ms 64 bytes from 192.168.20.7: icmp_seq=2. time=<16 ms 64 bytes from 192.168.20.7: icmp_seq=3. time=<16 ms ----192.168.20.7 PING Statistics---4 packets transmitted, 4 packets received, 0% packet loss round-trip (ms) min/avg/max = <16/<16/<16 CES#

Stop the capture:

CES#capture test-fast stop
CES#


Check the status of the capture:

CES#show cap test-fast
Capture state:                  STOPPED
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                10
Capture buffer utilization:     0%
Capturing direction:            BIDIRECTIONAL
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE

Save the capture to a file (test1.cap) on disk:

CES#capture test-fast save test1.cap
Saving capture test-fast to file /ide0/test1.cap please wait . . .
10 frames written successfully
CES#

The file is saved to the disk. Note the presence of the saved file:

CES#dir
Directory of /ide0/
         TUE OCT 28 14:24:55 2003 .
         TUE OCT 28 14:24:55 2003 ..
  379020 MON OCT 27 10:01:16 2003 BOOTROM.SYS
         MON OCT 27 10:01:44 2003 SYSTEM
     948 TUE OCT 28 14:31:12 2003 TEST1.CAP
         WED OCT 01 16:22:38 2003 V03_50.44
         FRI SEP 19 14:24:20 2003 V04_00.881
         WED SEP 03 09:28:00 2003 V04_05.070
         WED SEP 24 10:22:20 2003 V04_70.120
         WED SEP 24 10:00:22 2003 V04_75.124
         MON AUG 18 15:34:54 2003 V04_80.058
         FRI OCT 24 10:03:10 2003 V04_80.124
CES#


Enable FTP on CES2 via the CLI or the GUI; in this example we do it through the CLI, as we are already in privileged mode. Enter the configuration mode:

CES#conf t
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#

Enable FTP and exit the configuration mode:

CES(config)#ftp-server enable
CES(config)#exit
CES#

From the PC on the CES2 private side, download the capture from CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test1.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 948 bytes received in 0.00Seconds 948000.00Kbytes/sec.
ftp> quit
221 Bye...see you later

Run the openpcap tool to decrypt the capture. When asked, enter the password selected for the capture protection (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap.exe test1.cap outTest1.cap
Password:


This will create the decrypted capture named outTest1.cap:

D:\tmp\openpcap\128>dir
 Volume in drive D has no label.
 Volume Serial Number is 9B29-6769

 Directory of D:\tmp\openpcap\128

10/28/2003  01:49p                     .
10/28/2003  01:49p                     ..
06/19/2003  06:33p              35,840 openpcap.exe
10/28/2003  01:59p                 910 outTest1.cap
10/28/2003  01:57p                 948 test1.cap
               3 File(s)         37,698 bytes
               2 Dir(s)   1,204,814,389 bytes free

Open the decrypted capture outTest1.cap with Ethereal or a similar program. Note the captured ping:


PCAP using triggers on physical interfaces

Let's configure a capture object with FTP traffic as the start trigger and Telnet traffic as the stop trigger.

Note: The filters used in this sample configuration are predefined on any Contivity. If a new filter is needed, it should be created and configured before the capture is configured.

Before configuring the capture we need to enable Telnet on CES2. FTP has been enabled in the previous example. We will enable Telnet via the CLI. Enter the configuration mode:

CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#

Enable Telnet on CES2 and exit the configuration mode:

CES(config)#telnet enable
CES(config)#exit
CES#

Create a new capture object (test-trigger) on the FastEthernet interface:

CES#capture add test-trigger fastEthernet 0/1
CES#

Enter the capture configuration mode for the created capture (test-trigger):

CES#capture test-trigger
CES(capture-ethernet)#

Set the trigger to start the capture when FTP traffic arrives:

CES(capture-ethernet)#trigger start "permit FTP"
CES(capture-ethernet)#

Set the trigger to stop the capture when Telnet traffic arrives:

CES(capture-ethernet)#trigger stop "permit Telnet"
CES(capture-ethernet)#

Exit the capture configuration mode:

CES(capture-ethernet)#exit
CES#


Start the capture for the configured object:

CES#capture test-trigger start

Issue a continuous ping from the PC to CES2:

C:\>ping 192.168.20.2 -t
Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
…

Check the status of the capture. Note that the number of captured frames is zero and that the start trigger discards the received packets, as the capture has not been triggered by the ICMP traffic. Also note the applied start and stop triggers:

CES#show capture test-trigger
Capture state:                  RUNNING
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                0
Capture buffer utilization:     0%
Capturing direction:            BIDIRECTIONAL
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE
Start trigger applied:          permit FTP
Start trigger discards:         108
Stop trigger applied:           permit Telnet
CES#

Start an FTP session from the PC to CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> quit
221 Bye...see you later


Check the status on CES2. Note that frames are now captured, as the capture start has been triggered by the FTP traffic:

CES#show capture test-trigger
Capture state:                  RUNNING
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                107
Capture buffer utilization:     0%
Capturing direction:            BIDIRECTIONAL
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE
Start trigger applied:          permit FTP
Start trigger discards:         362
Stop trigger applied:           permit Telnet
CES#

Start a Telnet session from the PC to CES2:

C:\>telnet 192.168.20.2
Login: admin
Password:
CES>exit

Check the capture status again. Note the state of the capture has changed to "STOPPED by stop trigger": the Telnet traffic has triggered the stop of the capture:

CES#show capture test-trigger
Capture state:                  STOPPED by stop trigger
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                188
Capture buffer utilization:     1%
Capturing direction:            BIDIRECTIONAL
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE
Start trigger applied:          permit FTP
Start trigger discards:         362
Stop trigger applied:           permit Telnet
CES#


Save the capture to a file (test2.cap) on disk:

CES#capture test-trigger save test2.cap
Saving capture test-trigger to file /ide0/test2.cap please wait . . .
188 frames written successfully
CES#

Download the capture from CES2 via FTP:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test2.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 16788 bytes received in 0.21Seconds 79.94Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the capture into a new file (outTest2.cap). When asked, enter the password that was selected to protect the capture (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap.exe test2.cap outTest2.cap
Password:


Open the decrypted trace in Ethereal or similar software. Note that the capture of traffic started with the first FTP packet:

And ended with the first Telnet traffic:

PCAP on the physical interfaces using Filters and Direction

Let's configure a capture object that will capture only inbound FTP traffic. Create a new capture object (test-filter-in) on the FastEthernet interface on CES2:

CES#capture add test-filter-in FastEthernet 0/1
CES#


Enter the capture configuration mode for the created capture object:

CES#capture test-filter-in
CES(capture-ethernet)#

Set the direction for the capture to inbound:

CES(capture-ethernet)#direction inbound
CES(capture-ethernet)#

Set the filter to capture FTP traffic only:

CES(capture-ethernet)#filter "permit FTP"
CES(capture-ethernet)#

Exit the capture configuration menu:

CES(capture-ethernet)#exit
CES#

Start the capture:

CES#capture test-filter-in start
CES#

Issue a continuous ping from the PC to CES2:

C:\>ping 192.168.20.2 -t
Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
…


Check the capture status. Note the inbound direction, the applied capture filter, the number of captured frames (zero) and the number of frames discarded by the filter:

CES#show capture test-filter-in
Capture state:                  RUNNING
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                0
Capture buffer utilization:     0%
Capturing direction:            INBOUND
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE
Capture filter applied:         permit FTP
Capturing non-ip frames:        DISABLED
Capture filter discards:        25
CES#

Start an FTP session to CES2 and issue a dir command within the FTP session:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> dir
200 Port set okay
150 Opening ASCII mode data connection
-rwxrwxrwx 1 owner group 379020 Oct 27 10:01 BOOTROM.SYS
drwxrwxrwx 1 owner group    512 Aug 18 15:34 V04_80.058
drwxrwxrwx 1 owner group    512 Sep 24 10:00 V04_75.124
drwxrwxrwx 1 owner group    512 Sep  3 09:28 V04_05.070
drwxrwxrwx 1 owner group    512 Oct  1 16:22 V03_50.44
drwxrwxrwx 1 owner group    512 Sep 24 10:22 V04_70.120
drwxrwxrwx 1 owner group    512 Sep 19 14:24 V04_00.881
drwxrwxrwx 1 owner group    512 Oct 27 10:01 SYSTEM
drwxrwxrwx 1 owner group    512 Oct 24 10:03 V04_80.124
-rwxrwxrwx 1 owner group  16788 Oct 28 15:50 TEST2.CAP
-rwxrwxrwx 1 owner group    948 Oct 28 15:00 TEST1.CAP
226 Transfer complete
ftp: 975 bytes received in 0.31Seconds 3.15Kbytes/sec.
ftp> quit
221 Bye...see you later


Check the capture status. Note the non-zero number of captured frames:

CES#show capture test-filter-in
Capture state:                  RUNNING
Capture buffer size:            1048576
Capture type:                   ETHERNET
Capturing on interface:         FastEthernet 0/1
Promiscuous mode is:            DISABLED
Capturing MAX octets per frame: 4096
Captured frames:                20
Capture buffer utilization:     0%
Capturing direction:            INBOUND
Capture buffer wrapping:        DISABLED
Capture buffer wrapped:         FALSE
Capture filter applied:         permit FTP
Capturing non-ip frames:        DISABLED
Capture filter discards:        329
CES#

Stop the capture:

CES#capture test-filter-in stop
CES#

Save the capture to a file (test3.cap) on disk:

CES#capture test-filter-in save test3.cap
Saving capture test-filter-in to file /ide0/test3.cap please wait . . .
20 frames written successfully
CES#

Download the capture from CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test3.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 1652 bytes received in 0.11Seconds 15.02Kbytes/sec.
ftp> quit
221 Bye...see you later


Using the openpcap tool and the password selected for the capture (1qazxsw2 is used in this example), decrypt the trace into a new file (outTest3.cap):

D:\tmp\openpcap\128>openpcap.exe test3.cap outTest3.cap
Password:

Open the capture using Ethereal or similar software. Note that only the inbound FTP traffic has been captured:
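The two checks the guide asks the reader to make by eye in Ethereal, for the trigger capture (trace starts with the first FTP packet and ends with the first Telnet packet) and for the inbound-filter capture (nothing but FTP towards CES2), written as a small Python reader for the decrypted libpcap files. This is an added example, not code from the Nortel guide or the openpcap tool; the sample captures are constructed inside the block, and the assumption that the predefined "permit FTP" filter covers TCP ports 20 and 21 is mine, not the guide's.

```python
import struct

# Lab values taken from the guide: CES2 private IP and the workstation on that side.
CES2_PRIVATE_IP = "192.168.20.2"
PC_IP = "192.168.20.7"
FTP, TELNET = 21, 23
FTP_PORTS = {20, 21}   # assumption: "permit FTP" matches control (21) and data (20) ports


def parse_pcap(data):
    """Return (src_ip, dst_ip, sport, dport) for every Ethernet/IPv4/TCP frame.
    Both libpcap byte orders are accepted; non-IPv4 and non-TCP frames are skipped."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:   # linktype 1 = DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    flows, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                        # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4   # Ethernet header + IHL*4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack(">HH", frame[tcp:tcp + 4])
        flows.append((src, dst, sport, dport))
    return flows


def check_trigger_capture(flows):
    """test-trigger: first TCP frame is FTP (start trigger), last is Telnet (stop trigger)."""
    return bool(flows) and FTP in flows[0][2:] and TELNET in flows[-1][2:]


def check_inbound_ftp_only(flows, gateway_ip):
    """test-filter-in: every frame is FTP *towards* the gateway (direction inbound)."""
    return bool(flows) and all(dst == gateway_ip and dport in FTP_PORTS
                               for _, dst, _, dport in flows)


def _tcp_frame(src, dst, sport, dport):
    """Constructed minimal Ethernet/IPv4/TCP frame (ACK flag, checksums left zero)."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, a2b(src), a2b(dst))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with linktype 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed stand-ins for outTest2.cap / outTest3.cap (not the guide's own files).
TRIGGER_CAPTURE = build_pcap([
    _tcp_frame(PC_IP, CES2_PRIVATE_IP, 1034, FTP),     # first FTP frame fires the start trigger
    _tcp_frame(CES2_PRIVATE_IP, PC_IP, FTP, 1034),
    _tcp_frame(PC_IP, CES2_PRIVATE_IP, 1035, TELNET),  # first Telnet frame fires the stop trigger
])
INBOUND_FTP_CAPTURE = build_pcap([
    _tcp_frame(PC_IP, CES2_PRIVATE_IP, 1036, FTP),
    _tcp_frame(PC_IP, CES2_PRIVATE_IP, 1037, 20),      # PC's ACK on the active-mode data connection
])
LEAKY_CAPTURE = build_pcap([                           # contains an outbound reply: must be flagged
    _tcp_frame(PC_IP, CES2_PRIVATE_IP, 1036, FTP),
    _tcp_frame(CES2_PRIVATE_IP, PC_IP, FTP, 1036),
])

if __name__ == "__main__":
    print("trigger capture ok:", check_trigger_capture(parse_pcap(TRIGGER_CAPTURE)))
    print("inbound FTP only:", check_inbound_ftp_only(parse_pcap(INBOUND_FTP_CAPTURE), CES2_PRIVATE_IP))
    print("leaky capture flagged:", not check_inbound_ftp_only(parse_pcap(LEAKY_CAPTURE), CES2_PRIVATE_IP))
```

To run it against a real decrypted file, replace the constructed bytes with `open("outTest3.cap", "rb").read()`.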

PCAP on Global/Raw IP in a mixed environment of tunnels and private physical interfaces

Let's configure a capture object to capture all Raw IP traffic. Create a new capture object (test-raw-ip) for global capture:

CES#capture add test-raw-ip global
CES#

Start the capture on CES2:

CES#capture test-raw-ip start
CES#


Bring the BO tunnel up by pinging from the CES2 private interface to the CES1 private side (192.168.10.1):

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#

Issue a ping from the PC to the CES2 private interface:

C:\>ping 192.168.20.2
Pinging 192.168.20.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.20.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Stop the capture:

CES#capture test-raw-ip stop
CES#

Save the capture to a file (test4.cap) on the disk:

CES#capture test-raw-ip save test4.cap
Saving capture test-raw-ip to file /ide0/test4.cap please wait . . .
23 frames written successfully
CES#


Download the capture:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test4.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 4548 bytes received in 0.19Seconds 23.94Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the capture into a new file (outTest4.cap) using the openpcap tool and the password selected for the capture (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap test4.cap outTest4.cap
Password:


Open the decrypted capture with Ethereal or similar software. Note that the tunnel establishment packets are captured, the ICMP traffic inside the tunnel is captured, and the ICMP traffic outside the tunnel is captured:


PCAP on tunnel using user ID

Let's configure a capture object to capture the tunnel traffic only from a specific user ID. Create a new capture object (test-user) for the user tunnel:

CES#capture add test-user tunnel
CES#

Enter the capture configuration mode for the capture object:

CES#capture test-user
CES(capture-tunnel)#

Set the user ID (useripsec) for the tunnel to be captured and exit the capture configuration mode:

CES(capture-tunnel)#userid useripsec
CES(capture-tunnel)#exit
CES#

Start the capture:

CES#capture test-user start
CES#

Bring the BO connection up by pinging from the CES1 private side to the CES2 private side:

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#


Initiate a VPN session from the WS to CES2:

Once the VPN connection has been established, ping the CES2 private IP (192.168.20.20) from the WS:

C:\>ping 192.168.20.20
Pinging 192.168.20.20 with 32 bytes of data:
Reply from 192.168.20.20: bytes=32 time=10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.20.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 10ms, Average = 2ms

Stop the capture:

CES#capture test-user stop
CES#


Save the capture into a file (test5.cap) on disk:

CES#capture test-user save test5.cap
Saving capture test-user to file /ide0/test5.cap please wait . . .
40 frames written successfully
CES#

Download the encrypted capture from CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test5.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 3204 bytes received in 0.12Seconds 26.70Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the trace into a new file (outTest5.cap) using openpcap and the password (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap test5.cap outTest5.cap
Password:


Open the decrypted trace with Ethereal or similar software. Note that only the traffic for the tunnel with the configured user ID was captured; in our case only the user tunnel traffic was captured and no BO tunnel traffic has been captured:


PCAP on tunnel using Remote IP

Let's configure a capture object to capture only the tunnel with a specific remote IP. Create a new capture object (test-remote-ip) to capture the tunnel interface:

CES#capture add test-remote-ip tunnel
CES#

Enter the configuration mode for the capture:

CES#capture test-remote-ip
CES(capture-tunnel)#

Set the remote IP to the CES1 public interface (192.168.100.1) and exit the capture configuration mode:

CES(capture-tunnel)#remoteip 192.168.100.1
CES(capture-tunnel)#exit
CES#

Start the capture:

CES#capture test-remote-ip start
CES#

Start the VPN session as in the previous example.


Ping from the WS to the CES2 private side:

C:\>ping 192.168.20.20
Pinging 192.168.20.20 with 32 bytes of data:
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.20.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Bring the BO tunnel up by pinging from CES2 to the CES1 management IP:

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#

Ping from the WS to the CES2 private side again. Stop the capture:

CES#capture test-remote-ip stop
CES#

Save the capture into a file (test6.cap) on the disk:

CES#capture test-remote-ip save test6.cap
Saving capture test-remote-ip to file /ide0/test6.cap please wait . . .
9 frames written successfully
CES#


Download the encrypted capture from CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test6.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 788 bytes received in 0.00Seconds 788000.00Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the trace with the openpcap tool and the password selected to protect the capture (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap test6.cap outTest6.cap
Password:

Open the trace with Ethereal or similar software. Note that only traffic inside the tunnel with the configured remote IP has been captured; in our case only the traffic inside the BO tunnel has been captured:


Check all the configured capture objects on CES2:

CES#show capture
Name            Type      Size     Buffer use  Count  State
test-fast       ETHERNET  1048576  0%          10     STOPPED
test-filter-in  ETHERNET  1048576  0%          20     STOPPED
test-raw-ip     GLOBAL    1048576  0%          33     STOPPED
test-remote-ip  TUNNEL    1048576  0%          9      STOPPED
test-trigger    ETHERNET  1048576  1%          188    STOPPED by stop trigger
test-user       TUNNEL    1048576  0%          56     STOPPED
CES#

Once all the tests are done, disable the capture on CES2 globally (Note: this removes all the configured capture objects and frees the memory used to store them):

CES#no capture enable
CES#

The saved captures remain on the disk until they are explicitly deleted:

CES#dir
Directory of /ide0/
         TUE OCT 28 18:32:12 2003 .
         TUE OCT 28 18:32:12 2003 ..
  379020 MON OCT 27 10:01:16 2003 BOOTROM.SYS
         MON OCT 27 10:01:44 2003 SYSTEM
     948 TUE OCT 28 15:00:30 2003 TEST1.CAP
   16788 TUE OCT 28 15:50:40 2003 TEST2.CAP
    1652 TUE OCT 28 16:17:44 2003 TEST3.CAP
    4548 TUE OCT 28 16:58:48 2003 TEST4.CAP
    4436 TUE OCT 28 18:12:50 2003 TEST5.CAP
     788 TUE OCT 28 18:33:18 2003 TEST6.CAP
         WED OCT 01 16:22:38 2003 V03_50.44
         FRI SEP 19 14:24:20 2003 V04_00.881
         WED SEP 03 09:28:00 2003 V04_05.070
         WED SEP 24 10:22:20 2003 V04_70.120
         WED SEP 24 10:00:22 2003 V04_75.124
         MON AUG 18 15:34:54 2003 V04_80.058
         FRI OCT 24 10:03:10 2003 V04_80.124
CES#


Copyright © 2005 Nortel Networks Limited - All Rights Reserved. Nortel, Nortel Networks, the Nortel logo, Globemark, and Contivity are trademarks of Nortel Networks Limited.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Limited.

To access more technical documentation, search our knowledge base, or open a service request online, please visit Nortel Networks Technical Support on the web at: http://www.nortel.com/support

If after following this guide you are still having problems, please ensure you have carried out the steps exactly as in this document. If problems still persist, please contact Nortel Networks Technical Support (contact information is available online at: http://www.nortel.com/cgi-bin/comments/comments.cgi?key=techsupport_cu).

We welcome your comments and suggestions on the quality and usefulness of this document. If you would like to leave feedback, please send your comments to: [email protected]

Author: Kristina Senkova


Related Documents