Sniffer Capture

The capture command on the PIX firewall is useful only if the packets are actually reaching the PIX interface; if they are not, you need to rely on external sniffer capture software. In addition, the capture command output can be converted and saved in pcap format, which can later be opened and analyzed by sniffer capture software. Ethereal is a popular, freely downloadable sniffer (www.ethereal.com).

Syslog

Syslog is the best troubleshooting tool for the PIX firewall. It logs traffic both to and through the firewall. The level of detail provided by syslog is controlled by the logging level at which the PIX is configured. Seven syslog logging levels can be set on the PIX firewall, as shown in Table 3-7.

Table 3-7. Syslog Messages

Log Level   Description      # of Messages (Sum)
0           Emergencies      0
1           Alerts           41 (41)
2           Critical         21 (62)
3           Errors           74 (136)
4           Warnings         56 (192)
5           Notifications    21 (213)
6           Informational    95 (308)
7           Debugging        15 (323)


Work through the steps that follow to configure logging on the PIX firewall.

1. Define what you want to capture.

The first step is to enable syslog on the PIX firewall and define the amount of logging you want to capture. There are two ways to define what you want to capture: first with the syslog level, and second with an event_list. The general syntax for enabling logging is as follows:

PIX(config)# [no] logging console | buffered | monitor | trap | mail | asdm
event_list | level

When defining the syslog level, you can direct the logging to a monitor, console, buffer, ASDM, syslog server, or e-mail. For example, to set the logging level to debugging and capture the messages in the buffer, configure the following:

PIX(config)# logging buffer debug

The no form of the command, which follows, turns off debug-level buffer logging.

PIX(config)# no logging buffer debug

You can change the default buffer size with the following command:

PIX(config)# [no] logging buffer-size 

For example, to set up the buffer size to be 8192 bytes, use the following command:

PIX(config)# logging buffer-size 8192

If you connect to the PIX with Telnet or SSH and want to display level 6 logging on the monitor, use the following command:

PIX(config)# logging monitor 6

This can also be written as follows:

PIX(config)# logging monitor informational

To send debug level logging to a syslog server, use the following command:

PIX(config)# logging trap debug

The following command sends critical-level messages to the e-mail recipient:

PIX(config)# logging mail critical

You can configure the "Modifiable syslog" feature on the PIX to reduce the amount of syslog output. For example, message 111009 records which commands are being executed on the PIX, but by default it is generated at level 7 (Debug):

%PIX-7-111009: User 'xyz' executed cmd: show run

So, to capture this syslog ID, the PIX must have the debug level enabled, and with debug-level logging the PIX generates a huge amount of output. To cut this down, use the following command to bring the syslog ID down to a lower level, for example level 1, which reduces the number of messages substantially:

PIX(config)# logging message 111009 level 1

You can also use the following command:

PIX(config)# logging message 111009 level alerts

Now your syslog message should look like this:

%PIX-1-111009: User 'xyz' executed cmd: show run

To disable the modifiable syslog, you can use the following command:

PIX(config)# no logging message 111009 level alerts

Or, you can use the following command:

PIX(config)# logging message 111009 level 7

With a modifiable syslog, you will still get other messages at the lower levels (for example, levels 0, 1, 2, and so on). If you want to see only a specific syslog message, use the event list configuration.

An event list can be configured to allow only a specific syslog ID to be logged. An event_list gives you the flexibility to track events by class, severity, or syslog message ID. If you want to capture syslog only for ID 101001, use the following commands:

PIX(config)# logging list mylist message 101001
PIX(config)# logging buffered mylist
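The following is an added example, not code from the book or from Cisco: a small Python model of the device-side filter that step 1 builds. It ties together the level table (Table 3-7), the "logging <destination> <level>" commands, the modifiable syslog override ("logging message 111009 level 1") and the event list ("logging list mylist message 101001" / "logging buffered mylist"). The LoggingPolicy class and its simplified command parser are assumptions for illustration; the only real behaviour it reproduces is that a message is emitted when its effective level is at or below the configured level, or when its ID is in the event list bound to that destination.

```python
import re

# Severity levels from Table 3-7: level number -> keyword accepted by the logging command.
SEVERITY = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Header of a PIX syslog message, e.g. "%PIX-7-111009: User 'xyz' executed cmd: show run".
HEADER_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<id>\d{6}): (?P<text>.*)")


def parse_message(line):
    """Return (level, message_id, text) for a PIX syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    return int(m.group("level")), m.group("id"), m.group("text")


def level_from_arg(arg):
    """Accept a numeric level or a (possibly abbreviated) keyword, as the CLI does."""
    if arg.isdigit():
        return int(arg)
    matches = [lvl for lvl, name in SEVERITY.items() if name.startswith(arg)]
    if len(matches) != 1:
        raise ValueError("unknown or ambiguous level keyword: " + arg)
    return matches[0]


class LoggingPolicy:
    """Simplified model (an assumption, not PIX code) of the filter configured in step 1."""

    def __init__(self):
        self.dest_level = {}   # {"buffered": 7} after "logging buffered debugging"
        self.dest_list = {}    # {"buffered": "mylist"} after "logging buffered mylist"
        self.lists = {}        # {"mylist": {"101001"}} after "logging list mylist message 101001"
        self.overrides = {}    # {"111009": 1} after "logging message 111009 level 1"

    def configure(self, command):
        """Apply one logging command; only the forms used on this page are recognised."""
        parts = command.split()
        if len(parts) == 5 and parts[:2] == ["logging", "list"] and parts[3] == "message":
            self.lists.setdefault(parts[2], set()).add(parts[4])
        elif len(parts) == 5 and parts[:2] == ["logging", "message"] and parts[3] == "level":
            self.overrides[parts[2]] = level_from_arg(parts[4])
        elif len(parts) == 3 and parts[0] == "logging":
            dest, arg = parts[1], parts[2]
            if arg in self.lists:                 # logging <dest> <event_list>
                self.dest_list[dest] = arg
                self.dest_level.pop(dest, None)
            else:                                 # logging <dest> <level>
                self.dest_level[dest] = level_from_arg(arg)
                self.dest_list.pop(dest, None)
        else:
            raise ValueError("unsupported command: " + command)

    def effective_level(self, message_id, default_level):
        """Modifiable syslog: "logging message <id> level <n>" replaces the default level."""
        return self.overrides.get(message_id, default_level)

    def render(self, line):
        """Rewrite the header with the effective level, which is how the message then appears."""
        level, message_id, text = parse_message(line)
        return "%%PIX-%d-%s: %s" % (self.effective_level(message_id, level), message_id, text)

    def emits(self, dest, line):
        """Would a message generated at its default level reach this destination?"""
        parsed = parse_message(line)
        if parsed is None:
            return False
        level, message_id, _ = parsed
        if dest in self.dest_list:                # event list: only the listed IDs, any level
            return message_id in self.lists[self.dest_list[dest]]
        if dest in self.dest_level:               # level filter: effective level <= configured level
            return self.effective_level(message_id, level) <= self.dest_level[dest]
        return False                              # nothing configured for this destination


if __name__ == "__main__":
    policy = LoggingPolicy()
    audit = "%PIX-7-111009: User 'xyz' executed cmd: show run"
    policy.configure("logging buffered 1")
    print(policy.emits("buffered", audit))                        # level 7 > level 1: dropped
    policy.configure("logging message 111009 level alerts")
    print(policy.emits("buffered", audit), policy.render(audit))  # now kept, shown as %PIX-1-111009
```

The point the model makes concrete is why the override matters for auditing: without it, the command-execution record 111009 is only collected alongside all other debug-level noise, whereas after "logging message 111009 level 1" it survives a strict level-1 filter on its own.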

2. Define the syslog server.

You must define the IP address of the external syslog server in order to forward syslog messages to it. If your syslog server resides on the inside network with the IP address 10.1.1.5, use the following command:

PIX(config)# logging host inside 10.1.1.5

3. Define the mail server.

If you decide to send syslog information to e-mail addresses, you need to configure the mail server and the e-mail addresses to which the syslog information is forwarded:

PIX(config)# logging from-address pixbldg3@xyz.com
PIX(config)# logging recipient-address admin@xyz.com level critical
PIX(config)# smtp server pri-smtp-host sec-smtp-host

4. Turn on the time stamp for syslog.

You can configure the time stamp for logging with the following command:

PIX(config)# logging timestamp

Use the following command to turn off the timestamp:

PIX(config)# no logging timestamp

5. Redirect debug to syslog if needed.

To redirect the debug output to syslog, execute the following command:

PIX(config)# logging debug-trace

To turn off the redirection, use the following command:

PIX(config)# no logging debug-trace

The syslog message number used for the redirected debug output is 711011.

6. Turn logging on.

Finally, turn logging on with the following command:

PIX(config)# logging enable

The following command turns off logging:

PIX(config)# no logging enable

Once logging is configured, you can verify the syslog configuration with the following command:

PIX# show running logging

To remove the logging configuration, use the following command:

PIX(config)# clear config logging

To display buffer logging syslog messages, use the following command:

PIX# show logging

To display only the syslog configuration settings, use the following command:

PIX# show logging setting

The system syslog messages for the PIX/ASA 5500 are documented at the following link:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/saslmsgs.htm

The syslog messages grouped by severity level for the PIX/ASA 5500 can be found at the following link:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/saslapa.htm

Get the syslog message ID from the syslog server, look up its meaning, and perform the recommended action for that message ID in the links listed above.
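As an added example on the receiving side (not code from the book or from Cisco), the following Python decodes the datagrams that "logging trap" and "logging host" deliver to the syslog server from step 2, including the "logging timestamp" prefix from step 4, and does the first part of the triage the paragraph above describes: it sorts messages by Table 3-7 severity and pulls out the command-audit message 111009. It relies on two facts about the transport: a syslog datagram starts with "<PRI>" where PRI = facility * 8 + severity, and the PIX default facility is 20 (local4), so PRI is 160 + severity. The exact timestamp layout ("Mon DD YYYY HH:MM:SS: ") is an assumption, the sample datagrams are constructed rather than captured, and message ID 999999 is a placeholder, not a real PIX message. The PRI/level consistency check is added as a cheap sanity test for forged or mangled records.

```python
import re
from collections import Counter

# Table 3-7 severity names, indexed by level number.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

# A trap datagram: <PRI>, an optional "Mon DD YYYY HH:MM:SS: " stamp from "logging timestamp"
# (layout assumed), then the %PIX-level-id header. PRI = facility * 8 + severity (RFC 3164).
DATAGRAM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%PIX-(?P<level>[0-7])-(?P<id>\d{6}): (?P<text>.*)$"
)


def decode_datagram(datagram):
    """Decode one datagram; None if it is not a PIX message. Flags PRI/level disagreement."""
    m = DATAGRAM_RE.match(datagram)
    if m is None:
        return None
    facility, pri_severity = divmod(int(m.group("pri")), 8)
    level = int(m.group("level"))
    return {
        "facility": facility,
        "severity": level,
        "severity_name": SEVERITY_NAMES[level],
        "pri_consistent": pri_severity == level,   # the <PRI> must agree with %PIX-<level>
        "timestamp": m.group("ts"),                # None when "logging timestamp" is off
        "id": m.group("id"),
        "text": m.group("text"),
    }


def summarize(datagrams):
    """Per-severity counts, the executed commands reported by 111009, and inconsistent PRIs."""
    counts = Counter()
    commands = []
    inconsistent = 0
    for datagram in datagrams:
        rec = decode_datagram(datagram)
        if rec is None:
            continue
        counts[rec["severity_name"]] += 1
        if not rec["pri_consistent"]:
            inconsistent += 1
        if rec["id"] == "111009":
            commands.append(rec["text"])
    return {"counts": dict(counts), "commands": commands, "inconsistent_pri": inconsistent}


# Constructed sample datagrams, not captured from a device. Facility 20 (local4) is the PIX
# default, so PRI = 160 + severity. Message 999999 is a placeholder ID, not a real one.
SAMPLE_DATAGRAMS = [
    "<161>Jan 05 2005 10:00:00: %PIX-1-111009: User 'xyz' executed cmd: show run",
    "<162>Jan 05 2005 10:00:01: %PIX-2-999999: constructed critical-level sample",
    "<167>%PIX-7-111009: User 'xyz' executed cmd: show logging",
    "<166>Jan 05 2005 10:00:02: %PIX-1-111009: User 'xyz' executed cmd: show logging setting",
    "this line is not a PIX syslog message",
]

if __name__ == "__main__":
    for datagram in SAMPLE_DATAGRAMS:
        print(decode_datagram(datagram))
    print(summarize(SAMPLE_DATAGRAMS))
```

The first sample is what 111009 looks like on the server after "logging message 111009 level 1": the PRI drops from 167 to 161 together with the in-message level. The fourth sample carries a PRI that still says severity 6 while the header says level 1, which decode_datagram reports as inconsistent so it can be reviewed rather than silently counted.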