Diagnostic commands and tools are very easy to use on the sensor. They provide a great deal of meaningful information about the sensor for troubleshooting issues that range from simple to complex. In the following section, you work with some of the most important commands for troubleshooting any sensor-related issue. It is important to become familiar with these commands.
The show commands on the sensor report statistics and state information for the sensor applications, the configuration, the version, and so on. They are very handy tools for troubleshooting sensor issues. Some of the most frequently used show commands are outlined in the sections that follow.
The show version command provides information about the different applications that make up the sensor. All of these applications must be running for the sensor to function completely; if one of them dies, the output of this command shows it. The show version command also reports the version the sensor is running, disk and memory usage, and the upgrade history, as shown in Example 14-1.
Example 14-1. show version Output from IPS 5.x Sensor
The show configuration command is used to check the current configuration of the sensor. To get specific information from the sensor configuration, use the pipe (|) with begin, exclude, or include to filter the output to what you want to see. For instance, if you want to see the allowed hosts configured on the sensor, execute the command shown in Example 14-2.
Example 14-2. show configuration Command Displaying Only the Allowed Host Configuration
The show events command is one of the most useful commands for troubleshooting issues on a sensor, particularly alarm-related issues. Without any other arguments, it displays alarms and errors in real time. To retrieve alarms or errors that were stored in the database in the past, use the additional arguments, which you can list by executing show events ? on the sensor. Example 14-3 shows the events written to the sensor database during the past 30 minutes.
Example 14-3. Output for show events Command for Past 30 Minutes
To clear the events from the EventStore, execute the clear events command.
show statistics service
The show statistics service command displays statistics for the designated service. These statistics are useful for identifying problems with that service.
Example 14-4 shows the list of available services and the statistics that can be obtained using this command.
Example 14-4. Available Services and Statistics that Can Be Obtained with show statistics Command
Example 14-5 shows the statistics of the Authentication application.
Example 14-5. Statistics of Authentication Application
While troubleshooting issues with any of the applications, it is useful to clear the application's counters so that you see statistics for a specific time interval. Example 14-6 shows the statistics of the authentication application and how to clear them with the clear option of the show statistics command.
Example 14-6. Clearing Statistics of Authentication Application
The output of the show interfaces command identifies the different interfaces, their status, and their counter information. Example 14-7 shows the output of the show interfaces command for the command and control interface.
Example 14-7. show interfaces Command Output from IPS 5.x
The show tech-support command captures all status and configuration information on the sensor and can transfer it to a remote system. The output can be very large, approximately 1 MB. It includes the current configuration, version information, and cidDump information (the following section contains more on cidDump). The show tech-support output can be obtained from the sensor for troubleshooting purposes either from the CLI or by using IDM. From the CLI, after logging in to the sensor with an admin account, execute the following command to get the tech-support information:
show tech-support [page] [password] [destination-url destination-url]
Example 14-8 shows how to generate the tech-support output of the sensor and place it on an FTP server using the relative path of user csidsuser.
Example 14-8. Generating and Transferring the show tech-support File to the Relative Directory of User in FTP Server
Example 14-9 shows how to transfer the tech-support output to the user's absolute directory path.
Example 14-9. Generating and Transferring the show tech-support File to the Absolute Directory of User in FTP Server
You can view the show tech-support output page by page with the following command:
Sensor# show tech-support page
The system information appears on the screen one page at a time. Press the spacebar to view the next page or press Ctrl-C to return to the prompt.
To leave passwords and other security information in the output of show tech-support, use the following command:
Sensor# show tech-support password
You can also generate the tech-support file from the sensor using IDM. To do so, click Monitoring > Support Information > System Information in IDM.
If you cannot log in to the sensor's CLI or IDM with the administrator account, you cannot collect the show tech-support output. However, with the service account you can log in to the sensor and collect the cidDump.
Work through the following steps to run the cidDump script:
tcpdump is available from the Linux shell of the sensor. It lets you see whether the sensor's interfaces are receiving traffic. It can also be used for signature fidelity issues, or to validate false positive or false negative traffic. The tcpdump output can be analyzed on another sensor using tcpdump, or with a pcap decoder such as Ethereal. Example 14-10 shows and explains how to use tcpdump on the sensor after logging in with the service account.
Example 14-10. Using tcpdump on the Sensor After Logging in With Service Account
More details about tcpdump can be found at the following location:
iplog can be used instead of tcpdump, and it has several advantages. If you need to capture binary traffic over a period of time for a specific signature, tcpdump is not very useful, because tcpdump is for real-time traffic. The iplog file captures the binary packets, which are written in the common format usually referred to as the libpcap format, or simply as tcpdump files. Files in the libpcap format can be read by most sniffer programs (for example, Ethereal). The IP log data is stored in a circular logging buffer, which means that when the buffer is full, the oldest IP log data is overwritten by the newest. More details on iplog can be found at the following location:
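The libpcap format just described is what both tcpdump on the sensor (Example 14-10) and iplog write. As an added example, not code from this book or from Cisco, the following Python reader parses such a file, recognizes the two common ways a capture goes bad (a file cut off in the middle of a record, and a record header carrying a bogus length), and tallies IPv4 source/destination pairs so you can confirm that the sensor actually saw the traffic an alarm refers to. The sample capture is constructed inline; its addresses and frames are made up for the demonstration.

```python
import struct

# Classic libpcap global-header magic as it appears on disk (microsecond timestamps).
_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # written by a little-endian host
_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # written by a big-endian host
_GLOBAL_HEADER_LEN = 24
_RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> dict:
    """Parse an in-memory libpcap file; 'truncated' is True if the data ends
    inside a record, as happens when a capture is interrupted mid-write."""
    if len(data) < _GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte global header")
    if data[:4] == _MAGIC_LE:
        endian = "<"
    elif data[:4] == _MAGIC_BE:
        endian = ">"
    else:  # nanosecond-magic and pcapng files are out of scope for this reader
        raise ValueError("not a classic libpcap file, magic %s" % data[:4].hex())
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:_GLOBAL_HEADER_LEN])
    packets, truncated, offset = [], False, _GLOBAL_HEADER_LEN
    while offset < len(data):
        if offset + _RECORD_HEADER_LEN > len(data):
            truncated = True
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + _RECORD_HEADER_LEN])
        # A record claiming more than snaplen or more than its own original length
        # is corrupt, not merely truncated; refuse it rather than slice on a bogus length.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % offset)
        start, end = offset + _RECORD_HEADER_LEN, offset + _RECORD_HEADER_LEN + incl_len
        if end > len(data):
            truncated = True
            break
        packets.append({"ts": ts_sec + ts_usec / 1_000_000, "incl_len": incl_len,
                        "orig_len": orig_len, "frame": data[start:end]})
        offset = end
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "truncated": truncated, "packets": packets}


def ipv4_endpoints(frame: bytes):
    """For an Ethernet frame carrying IPv4, return (src, dst, protocol); else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return (".".join(str(b) for b in ip[12:16]),
            ".".join(str(b) for b in ip[16:20]), ip[9])


def summarize(parsed: dict) -> dict:
    """Count packets per IPv4 (src, dst) pair: the first thing to check when
    deciding whether the sensor saw the traffic an alarm refers to."""
    pairs = {}
    for pkt in parsed["packets"]:
        ep = ipv4_endpoints(pkt["frame"])
        if ep is not None:
            pairs[ep[:2]] = pairs.get(ep[:2], 0) + 1
    return {"packets": len(parsed["packets"]), "truncated": parsed["truncated"],
            "ipv4_pairs": pairs}


def _ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame for the sample; header checksum left at zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_capture(truncate: bool = False) -> bytes:
    """Constructed little-endian libpcap file with three frames (two IPv4, one ARP).
    With truncate=True the last record is cut short, as an interrupted capture would be."""
    header = _MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        (1_000_000, 0, _ipv4_frame("10.1.1.5", "192.0.2.10", 6, b"GET / HTTP/1.0\r\n")),
        (1_000_000, 250_000, _ipv4_frame("192.0.2.10", "10.1.1.5", 6, b"HTTP/1.0 200 OK\r\n")),
        (1_000_001, 0, bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)),
    ]
    body = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in frames)
    data = header + body
    return data[:-10] if truncate else data


if __name__ == "__main__":
    print(summarize(parse_pcap(build_sample_capture())))
    print(summarize(parse_pcap(build_sample_capture(truncate=True))))
```

To use it on a real file, read the bytes from the capture that tcpdump -w or iplog produced and pass them to parse_pcap; a truncated result with a non-zero packet count is normal for a capture that was stopped with Ctrl-C, whereas a corrupt-record error means the file was damaged in transfer and should be re-collected.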
You can use the packet command to display or capture live traffic from an interface, and to display either the live traffic or a previously captured file on the screen. Storage is available for only one local file; subsequent capture requests overwrite the existing file. The size of the storage file varies by platform. Although capturing live traffic from an interface does not disrupt any sensor functionality, it can cause significant performance degradation. Example 14-11 summarizes the usage of the packet command.
Example 14-11. Using the packet Command on the Sensor