Traffic capture allows permitted users to view and manage traffic capture files residing either on the SMS or on an IPS device. A traffic capture file contains one or more packets captured by a device on a single segment or on all segments. Users can see the files for only one device at a time. Traffic capture files are saved in packet capture (PCAP) file format and can be opened with either an internal or an external viewer.
Concurrent Traffic Capture
The SMS allows multiple captures to run concurrently. Traffic capture files are created by the device at the request of a user working through the SMS or the LSM. A traffic capture file is moved from the device to the SMS if it was created from the SMS, or when the user wants to work with the file.
Packet Capture summary information and management options can be accessed in the following areas:
• All Devices — All Devices > Member Summary > Traffic Capture
• Device Groups — All Devices > [device group] > Member Summary > Traffic Capture
• Device — All Devices > [device] > Traffic Capture
To display traffic captures for all devices, select the Show All Devices option on the Traffic Capture summary screen for All Devices or Device Groups.
The Traffic Capture screen provides the following tables:
• Current Traffic Capture — provides information about the current traffic capture and the following options:
  • New — create a new traffic capture
  • Stop — stop current traffic capture
  • Refresh Statistics — refresh the current traffic capture statistics
• Existing Captures — provides a listing of existing captures and the following options:
  • View — view an existing traffic capture with a configured viewer
  • Export — export existing traffic capture
  • Transfer to SMS — transfer an existing traffic capture from the device to the SMS
  • Delete — delete an existing traffic capture
The Existing Captures table details the following:
Table 8-11 Packet Capture Details
Column | Description | Type
Name | Name of the new traffic capture file | Current, Existing
Date | Date of the traffic capture | Current, Existing
Slot | IO slot from 1 to 4 (for NX devices) | Current, Existing
Segment | Segment on which traffic is captured | Current, Existing
File Size | Size of file from 1 to 10,000,000 bytes | Current, Existing
Packets | Number of packets from 1 to 10,000 packets | Current
Device | Name of the device | Current, Existing
On Device | File status on the IPS device. A check mark indicates the traffic capture file is present on the IPS device. | Existing
NOTE: Traffic capture files on the SMS are placed in the backup restore area of the SMS drive. Traffic captures placed on an SMS are not sent to the secondary HA system.
Traffic capture expressions (based on TCPDump) are used in traffic captures to refine the types of packets that are captured. The following table outlines the use of traffic capture expressions:
NOTE: You can use the ampersand (&) operator to concatenate parameters. Do not use the "or" operator.
Table 8-12 Traffic Capture Expressions
Parameter | Description
ip | IPv4 traffic. By default, only IPv4 traffic is captured.
ipv6 | IPv6 traffic.
proto | Designates the protocol of captured traffic. Can be an explicit number or tcp, udp, or icmp.
src | Specifies the source of the traffic. This parameter can be applied to both host and port.
dst | Specifies the destination of the traffic. This parameter can be applied to both host and port.
host | Designates a host IP address. IPv4 and IPv6 addresses are supported, as is CIDR format.
port | Designates the port; you must also specify a port number.
Examples:
host 172.31.255.254 | Captures all traffic to and from 172.31.255.254.
src 172.31.255.254 | Captures all traffic from 172.31.255.254.
dst 172.31.255.254 | Captures all traffic to 172.31.255.254.
src 172.31.255.254 & dst 10.10.10.10 | Captures all traffic from 172.31.255.254 to 10.10.10.10.
ip proto tcp | Captures only TCP traffic.
ip proto tcp & src port 63 | Captures only TCP traffic on port 63.
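The restricted expression grammar above, as an added example that is not part of this guide or of TippingPoint's own code: a small Python parser that accepts only the documented parameters, rejects the "or" operator, and reports which of three constructed packet summaries each expression would capture. The packet dictionaries, their field names and the default-to-IPv4 behaviour are assumptions drawn from the table, not the device's own implementation.

```python
import ipaddress
# Grammar assumed from Table 8-12 and its examples (added example, not TippingPoint's own parser):
# "ip", "ipv6", "[ip|ipv6] proto <tcp|udp|icmp|N>", "[src|dst] host <addr|cidr>",
# "src|dst <addr|cidr>" and "[src|dst] port <N>", joined only by "&".
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

def _parse_clause(clause):
    toks, preds = clause.split(), []
    if toks and toks[0] in ("ip", "ipv6"):
        preds.append(("version", 4 if toks.pop(0) == "ip" else 6))
        if not toks:  # bare "ip" / "ipv6" is a complete clause
            return preds
    side = toks.pop(0) if toks and toks[0] in ("src", "dst") else "any"
    kind = toks.pop(0) if toks else None
    if kind == "proto" and side == "any" and len(toks) == 1:
        preds.append(("proto", PROTO_NUM.get(toks[0]) or int(toks[0])))
    elif kind == "port" and len(toks) == 1:
        preds.append((side + "_port", int(toks[0])))
    elif kind == "host" and len(toks) == 1:
        preds.append((side + "_host", ipaddress.ip_network(toks[0], strict=False)))
    elif kind and not toks and side != "any":  # bare "src <addr>" / "dst <addr>" as in the examples
        preds.append((side + "_host", ipaddress.ip_network(kind, strict=False)))
    else:
        raise ValueError(f"incomplete or unsupported clause: '{clause.strip()}'")
    return preds

def parse_expression(expr):  # returns (field, value) predicates; bad input raises ValueError
    if "or" in expr.split() or "||" in expr:
        raise ValueError("'or' is not supported; join parameters with '&' only")
    preds = [p for clause in expr.split("&") for p in _parse_clause(clause)]
    if all(f != "version" for f, _ in preds):
        preds.append(("version", 4))  # per the table, only IPv4 is captured unless ipv6 is given
    return preds

def _holds(field, value, pkt):
    side, _, kind = field.partition("_")  # "version"/"proto", or "src|dst|any" + "host|port"
    sides = ("src", "dst") if side == "any" else (side,)
    if not kind:
        return pkt[field] == value
    return any(pkt[s + "port"] == value if kind == "port"
               else ipaddress.ip_address(pkt[s]) in value for s in sides)

PACKETS = [  # constructed packet summaries standing in for a decoded PCAP, not real traffic
    {"version": 4, "proto": 6, "src": "172.31.255.254", "dst": "10.10.10.10", "srcport": 63, "dstport": 443},
    {"version": 4, "proto": 17, "src": "10.10.10.10", "dst": "172.31.255.254", "srcport": 53, "dstport": 5353},
    {"version": 6, "proto": 6, "src": "2001:db8::1", "dst": "2001:db8::2", "srcport": 63, "dstport": 80},
]

def capture(expr, packets=PACKETS):  # indexes of the packets the expression would capture
    preds = parse_expression(expr)
    return [i for i, p in enumerate(packets) if all(_holds(f, v, p) for f, v in preds)]
```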
TippingPoint OS
When HP TippingPoint identifies new attacks or improves methods of detecting existing attacks, the Threat Management Center (TMC) makes the updates available to customers in the form of Digital Vaccine filter packages and software packages. Software packages are upgrades to your IPS operating system. Digital Vaccine filter packages contain newly developed attack, peer-to-peer, and anomaly filters along with improvements to existing filters. For information on updating Digital Vaccine and DVT packages, see "Profiles" on page 67.
Through the Devices screen, you can check for update notifications for the HP TippingPoint Operating System (TOS). The SMS client allows you to download and store the TOS files on the system. The packages display on their own screens, providing a quick review of which devices have received the updates. You can also distribute the updates from each page. The TMC notifies you on the Dashboard that new packages are available. You can also click Download on the Devices (TippingPoint OS) screen.
The TippingPoint OS screen displays the information listed in Table 8-13.
When performing a distribution of the update, you can select a high or low priority. The priority controls how the update affects the performance of the system: high priority updates are distributed before low priority updates, and low priority updates are regulated (throttled) to preserve the performance of the system. You select the priority in the distribute dialog boxes that display when you perform a distribution in the SMS client.
A high priority update takes precedence over a low priority update. However, during a high priority update, packets might be dropped, because traffic handling and performance are hampered while the update runs. If you cannot accept this packet loss, select a low priority. From the device perspective, unless the traffic through the device is low (or the device is in Layer-2 Fallback), you should always perform high priority updates from the SMS.
A low priority update can take hours to complete a full update without a loss of traffic packets, depending on the level of traffic.
To download and distribute the TOS update, do the following:
• Download the TOS Software, page 250
• Import TOS Software from a File, page 250
• Managing TOS Distribution, page 250
• Distribute the TOS, page 250
Table 8-13 TOS Inventory Details
Column | Description
Version | Version number of the TOS
Product | Models that the selected TOS package supports
Released | Date and time of the released version of the TOS
Downloaded | Date and time of the download to the SMS
Devices | Device models supported by the release
Table 8-14 Distribution Progress Details
Column | Description
Device | Name of the device updating to the TOS
Package | Version number of the TOS
Start/End time | Start/end date and time of the distribution
Status | Status of the distribution
Ext. Status | Additional status information related to this specific distribution
Progress | Current progress of the distribution