Tag Archives: Syslog

Wireshark Layer 2-3 pcap Analysis w/ Challenges (CCNP SWITCH)

While preparing for my CCNP SWITCH exam I built a laboratory with 4 switches, 3 routers and 2 workstations in order to test almost all layer 2/3 protocols that are related to network management traffic. And because “PCAP or it didn’t happen” I captured 22 of these protocols to further investigate them with Wireshark. Oh oh, I remember the good old times where I merely used unmanaged layer 2 switches. 😉

In this blogpost I am publishing the captured pcap file with all of these 22 protocols. I am further listing 45 CHALLENGES as an exercise for the reader. Feel free to download the pcap and to test your protocol skills with Wireshark! Use the comment section below for posting your answers.

Of course I am running my lab fully dual-stacked, i.e., with IPv6 and legacy IP. On some switches the SDM template must be changed to be IPv6 capable such as sdm prefer dual-ipv4-and-ipv6 default .

Continue reading Wireshark Layer 2-3 pcap Analysis w/ Challenges (CCNP SWITCH)

Tufin SecureTrack: Adding Devices

Since a few weeks I am using Tufin SecureTrack in my lab. A product which analyzes firewall policies about their usage and their changes by administrators (and much more). Therefore, the first step is to connect the firewalls to SecureTrack in two directions: SSH from SecureTrack to the device to analyze the configuration, as well as Syslog from the device to SecureTrack to real-time monitor the policy usage.

This blog post shows the adding of the following firewalls into Tufin: Cisco ASA, Fortinet FortiGate, Juniper ScreenOS, and Palo Alto PA.

Continue reading Tufin SecureTrack: Adding Devices

Logfile Parsing

While parsing logfiles on a Linux machine, several commands are useful in order to get the appropriate results, e.g., searching for concrete events in firewall logs.

In this post, I list a few standard parsing commands such as grep, sort, uniq, or wc. Furthermore, I present a few examples of these small tools. However, it’s all about try and error when building large command pipes. 😉

Continue reading Logfile Parsing

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.

Continue reading Grep Commands for Cisco ASA Syslog Messages

Basic syslog-ng Installation

This post shows a guideline for a basic installation of the open source syslog-ng daemon in order to store syslog messages from various devices in a separate file for each device.

I am using such an installation for my routers, firewalls, etc., to have an archive with all of its messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step, I think it’s better than nothing. 😉

Continue reading Basic syslog-ng Installation

Reliability of IPv6 DAD Message Sniffing

A few weeks ago I published an article in which I proposed a method on how to capture the MAC- to IPv6-address bindings via sniffing and storing IPv6 DAD messages. Though any IPv6 node MUST send these Duplicate Address Detection messages prior to assign the address, I was not fully assured that *really* each new IPv6 address is stored with this Tcpdump sniffer.

That is, over a whole month I captured the DAD messages on a test BYOD-LAN and furthermore the complete IPv6 connection logs of the corresponding firewall. At best, I should have any IPv6 address that made an outbound connection through the firewall in the DAD logfiles. Here are the results:

Continue reading Reliability of IPv6 DAD Message Sniffing