
Configuration Guide

Contivity Secure IP Services Gateway

Packet Capture on Contivity (PCAP)

Contents
Contents .......................................................................................................................................... 1
Overview.......................................................................................................................................... 1
PCAP feature .............................................................................................................................. 2
Configuration and capture ............................................................................................................... 4
Enabling the capture globally ...................................................................................................... 5
Adding a new capture object....................................................................................................... 6
Configuring capture object .......................................................................................................... 7
Setting the Direction................................................................................................................ 7
Setting the Filter...................................................................................................................... 7
Setting the Length................................................................................................................... 8
Setting the Persistence (tunnels only) .................................................................................... 8
Setting the Promiscuous Mode (FastEthernet only) ............................................................... 9
Setting the Remote IP (tunnels only) ...................................................................................... 9
Setting the Trigger .................................................................................................................. 9
Setting the Type (tunnels only) ............................................................................................. 10
Setting the User ID (tunnels only)......................................................................................... 11
Setting the Wrapping parameter........................................................................................... 11
Exiting the capture configuration mode ................................................................................ 11
Starting, Stopping and Clearing the capture ............................................................................. 11
Checking the Status and Saving the capture............................................................................ 12
Deleting the capture object ....................................................................................................... 14
Disabling capture globally ......................................................................................................... 14
Transferring, opening and viewing the capture......................................................................... 15
Sample capture configurations ...................................................................................................... 17
Setup ......................................................................................................................................... 17
General capture configuration................................................................................................... 18
PCAP using defaults on physical interfaces ............................................................................. 20
PCAP using triggers on physical interfaces .............................................................................. 24
PCAP on the physical interfaces using Filters and Direction .................................................... 28
PCAP on Global/Raw IP in mixed environment of tunnels and private physical interfaces...... 32
PCAP on tunnel using user ID .................................................................................................. 36
PCAP on tunnel using Remote IP ............................................................................................. 40

Overview

One way to troubleshoot network problems is to use a device such as a sniffer to
capture the traffic traversing the network. Together with logs, statistics and debugging
information, captured traces help an engineer find the source of a problem and its
resolution.

Many devices such as routers, servers and workstations implement packet capture in
software, which eliminates the need for an external sniffer. Attaching an external device
may disrupt a live network, and the device may not be able to decode encrypted traffic,
which matters when troubleshooting VPN networks. Software-based capture can be turned
on or off at any time during device operation without interfering with the network the
device is connected to.

CG031208 2.00 April 2004 Page: 1 of 44



With the V04_85 release the Contivity product line gained packet capture capabilities,
implemented through the PCAP feature.

PCAP feature
The PCAP feature on Contivity allows an engineer to perform the following tasks:
• Simultaneous capture of network traffic from different sources:
o Traffic passing through a physical interface (Ethernet, serial, ISDN, V.90, Async
PPP, ADSL, T1, T3, etc.);
o Traffic on Ethernet not addressed to the Contivity (promiscuous mode);
o Traffic passing over a Branch Office tunnel;
o Traffic passing over user tunnels;
• Limiting the traffic to be captured by using traffic filters;
• Setting triggers for automatic start and stop of the capture;
• Encrypting the captured traffic with DES56 or AES128 when saving the capture
to disk, to prevent unauthorized monitoring of the secured IP traffic;
• Password-protected mode for capturing traffic.

Because the Contivity is a security device, the capture feature can be enabled only from
the console port. This way only qualified on-site personnel have access to the feature; an
intruder who gains remote access to the Contivity gateway cannot enable a capture. Note
that once the feature has been enabled from the console it can also be managed over a
telnet session (see below), so disable it as soon as troubleshooting is finished.

For security reasons, the administrator's password for the Contivity gateway must be
changed from its default value (setup) before a capture can be enabled.
The capture itself is also protected by a password chosen by the administrator when
capture is enabled: when a capture is written to a file on disk, it is encrypted with that
capture password. The password is not stored on the Contivity and cannot be retrieved in
any way, so only someone who knows the capture password can decrypt the capture later.
If the password is lost, saved capture files cannot be recovered.

Capture files are encrypted with DES56 or AES128. Which cipher is used depends on the
Contivity model: a unit whose key strength is less than 128 bits uses DES56, otherwise
AES128 is used. Treat a DES56-encrypted capture as only lightly protected (a 56-bit DES
key can be brute-forced) and delete capture files once the analysis is done.

A tool called openpcap is provided to open encrypted capture files. Openpcap prompts
for the capture password and decrypts the file, so the capture can then be analyzed
with Ethereal, Sniffer Pro or similar software.

For performance reasons, once capturing is started packets are held in the PCAP buffer
in memory; nothing is written to disk until the capture is stopped and explicitly saved
to disk.



Starting with code release V04_90, once the PCAP feature is enabled it remains enabled
until the administrator specifically disables it.

NOTE: In the previous release (V04_85), once the PCAP feature was enabled it remained
enabled until either the administrator disabled it or the system rebooted, whichever came
first.

As mentioned earlier, a capture can be started on any of the interfaces (or sources):
Ethernet, WAN link, Branch Office tunnel, user tunnel, etc. Only one capture on a
particular interface can run at a time, but captures on different interfaces can run
concurrently; this limit protects Contivity performance. A capture can be taken for
incoming traffic, outgoing traffic or both, so the administrator controls the direction of
the traffic captured.

To reduce the overhead, only the interesting traffic can be captured by applying existing
Contivity filters. Note: only IP filters can be used.

Existing filters can also be used as triggers to start or stop the capture: once a packet
matches the filter, the capture is started or stopped. Triggers only act on traffic in the
direction in which the capture is enabled. For example, if the capture is enabled for
outgoing traffic only and a packet satisfying the filter condition arrives as incoming
traffic, it will not trigger the capture. A stop trigger is executed only if the start
trigger has previously fired; in other words, the stop trigger can only act once capturing
has been started.

Note: Enabling the PCAP feature has an impact on Contivity performance. It must therefore
be used with care and for troubleshooting purposes only.
The impact can be reduced by capturing less data (only the first n octets of each packet)
or by capturing only the interesting traffic using triggers and filters.


Configuration and capture


As mentioned in the Overview section, the PCAP feature is intended for troubleshooting only
and can therefore be enabled via the console CLI only.

To start the configuration, connect to the Contivity through the console port and log in
using HyperTerminal (or similar) terminal software (auto detect, 9600/8-N-1):

Welcome to the Contivity Secure IP Services Gateway


Copyright (c) 1999-2003 Nortel Networks, Inc.
Version: V04_85.XXX
Creation date: Oct 21 2003, 11:55:12
Date: 10/27/2003
Unit Serial Number: 19696

Please enter the administrator's user name: admin


Please enter the administrator's password: <password>

Once logged in, the menu appears. Select option L (upper or lowercase) to enter the CLI:

Main Menu: System is currently in NORMAL mode.


1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E): l


CES>



Enter the privileged mode:

CES>enable
Password:
CES#

If the administrator's password is still the default (setup), change it via the GUI or the
CLI. To change the password via the CLI, enter configuration mode:

CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.

Enter the new password for the administrator:

CES(config)#adminname admin password <new password>

Exit the configuration mode to save the changes:

CES(config)#exit
CES#

The administrator will now have a new password.

Enabling the capture globally


To enable capture globally, enter the capture enable command. When prompted, enter the
password for the capture. The password must be at least 8 characters long and contain at
least one digit. Note: The password is not echoed on the screen.

Example:

CES#capture enable
Please specify password for encrypting capture files.
Password: ********
Reenter password: ********
CES#

If the capture password is too simple, the following error message appears and the
password must be reentered:

Example:

CES#capture enable
Please specify password for encrypting capture files.
Password: **
Reenter password: **
% Weak password! Please try again.



To disable the capture enter the no capture enable command:

CES#no capture enable


CES#

Note: No other capture command is available until PCAP is enabled globally.

Once PCAP has been enabled globally from the console, the feature can be managed through
either the console or a telnet session. (Telnet is unencrypted; restrict it to the
management network.)

Adding a new capture object


There are no captures defined on the Contivity by default. To define a new capture, enter
the capture add <name> <source> [size <size>] command, where
<name> is the name of the capture to be defined;
<source> is the interface the capture is taken on: bri slot/port, dial slot/port,
FastEthernet slot/port, GigabitEthernet slot/port, global, serial slot/port or tunnel. With
V04_90, capturing on an atm slot/port (ADSL) interface was added;
<size> is the number of octets to allocate for the capture buffer, between 32768 and
268435456. If not specified, the default of 1 MB (1048576 octets) is allocated.

Example:

To view the possible sources for the capture:

CES#capture add nameOfTheCapture ?


atm ATM interface capture
bri Bri interface capture
dial Dial interface capture
FastEthernet Fast Ethernet interface capture
GigabitEthernet Gigabit Ethernet interface capture
global Global RAW IP capture
serial Serial interface capture
tunnel Tunnel capture

For example, to set the capture for the FastEthernet interface on slot 0 port 1 with the capture
size of 32768:

CES#capture add nameOfTheCapture FastEthernet 0/1 size 32768

Note: The global and tunnel sources take no slot/port reference.


Configuring capture object


To enter the configuration mode for the capture issue the capture <name> command, where
<name> is the name of the capture to be configured. Note: The capture object must first be
created.

Example:

CES#capture nameOfTheCapture
CES(capture-ethernet)#

Setting the Direction


The direction { inbound | outbound } command in capture configuration mode sets the
direction of the traffic to be captured. If no direction is specified, traffic in both
directions is captured.
Set the direction to inbound to capture incoming traffic, or to outbound to capture
outgoing traffic.
The no form removes the previously set direction and restores the default of both directions.

Note: The capture must not be running when a new direction is set; in other words, the
direction cannot be changed on the fly.

Example:

CES(capture-ethernet)#direction inbound
CES(capture-ethernet)#

CES(capture-ethernet)#direction outbound
CES(capture-ethernet)#

CES(capture-ethernet)#no direction
CES(capture-ethernet)#

Setting the Filter


The filter <name of the filter> command sets the filter applied to the traffic to be captured,
so that only the interesting traffic is captured.

Note: The filter must already exist on the Contivity before it can be applied to the capture.
For information on how to configure filters on Contivity, consult Configuration Guide -
Contivity Interface and Tunnel Filters.
Note: A filter cannot be applied to a running capture. To apply a filter, stop the capture
first.

The no form of the command removes the filter, restoring the default capture-all
behavior.

Examples:



CES(capture-ethernet)#filter "permit ping"
CES(capture-ethernet)#

CES(capture-ethernet)#no filter
CES(capture-ethernet)#

Setting the Length


To set the length of each packet to be captured, issue the length <size> command, where
<size> is the number of octets kept from the start of each packet. Enter a number between
64 and 4096 (the default is 4096). The no form resets the length to the default value of
4096.

Example:

CES(capture-ethernet)#length 1024
CES(capture-ethernet)#

CES(capture-ethernet)#no length
CES(capture-ethernet)#

Setting the Persistence (tunnels only)


The capture of tunnel traffic (BO, ABOT and user tunnels) stops by default as soon as the
tunnel is disconnected. If the capture should restart when another tunnel matching the
criteria is established, enable persistence for the tunnel capture with the persistent
enable command. The no form of the command disables persistence.

Examples:

CES(capture-tunnel)#persistent enable
CES(capture-tunnel)#
CES(capture-tunnel)#no persistent enable
CES(capture-tunnel)#


Setting the Promiscuous Mode (FastEthernet only)


To enable promiscuous mode on the FastEthernet interface, issue the promiscuous enable
command; the capture then also records frames on the segment that are not addressed to the
Contivity. Use the no form of the command to disable promiscuous mode (the default):

CES(capture-ethernet)#promiscuous enable
CES(capture-ethernet)#

CES(capture-ethernet)#no promiscuous enable


CES(capture-ethernet)#

Setting the Remote IP (tunnels only)


To set the remote IP address as a criterion for tunnel traffic capture, issue the
remoteip <A.B.C.D> command. When this parameter is set, only tunnel traffic from the
specified remote IP address is captured. Use the no form to remove the criterion and return
to the default of capturing tunnel traffic from any remote IP address.

Examples:

CES(capture-tunnel)#remoteip 192.168.100.1
CES(capture-tunnel)#

CES(capture-tunnel)#no remoteip
CES(capture-tunnel)#

Setting the Trigger


To set the start or stop trigger for traffic capturing, use the trigger { start | stop }
<filter name> command. Note: Only an existing interface filter can be used as a trigger.
For information on how to configure filters on Contivity, consult Configuration Guide -
Contivity Interface and Tunnel Filters.
If no start trigger is set, the system starts saving packets as soon as the capture is
started. A start trigger makes the system wait for the specific packet defined in the filter
and starts saving as soon as that packet is received. A stop trigger stops saving packets
when the packet defined in its filter is received. Note: Once the stop trigger condition has
been met, the start trigger can start the capture again. This allows specific
transaction-oriented traffic to be captured. Triggers can be used in conjunction with
filters for even greater flexibility. The no form of the command removes the start trigger,
the stop trigger or both.

Examples:

CES(capture-tunnel)#trigger start "permit Telnet"


CES(capture-tunnel)#

CES(capture-tunnel)#trigger stop "permit FTP"


CES(capture-tunnel)#
CES(capture-tunnel)#no trigger start
CES(capture-tunnel)#

CES(capture-tunnel)#no trigger stop



CES(capture-tunnel)#
CES(capture-tunnel)#no trigger
CES(capture-tunnel)#

Setting the Type (tunnels only)


To set the tunnel type as the criterion for tunnel capturing, use the type { any | initiator |
peer2peer | responder | user } { ipsec | l2f | l2tp | pptp } command.
Where:
any – sets the tunnel type to be captured to any (the default behavior);
initiator – capture ABOT initiators only;
peer2peer – capture Peer-to-Peer tunnels only;
responder – capture ABOT responder tunnels only;
user – capture user tunnels only;
ipsec – capture IPSec tunnels only;
l2f – capture L2F tunnels only;
l2tp – capture L2TP tunnels only;
pptp – capture PPTP tunnels only.

The no form of the command sets the default behavior of capture any tunnel.

Examples:

CES(capture-tunnel)#type initiator l2tp


CES(capture-tunnel)#

CES(capture-tunnel)#type user ipsec


CES(capture-tunnel)#

CES(capture-tunnel)#no type
CES(capture-tunnel)#


Setting the User ID (tunnels only)


To set the user ID as the criterion for tunnel traffic capture, use the userid <id> command,
where <id> is the ID of the user. If set, the capture is taken only on the tunnel of the
specified user ID; if not set, tunnels with any user ID are captured (the default). The no
form of the command restores the default behavior.

Examples:

CES(capture-tunnel)#userid user1
CES(capture-tunnel)#

CES(capture-tunnel)#no userid
CES(capture-tunnel)#

Setting the Wrapping parameter


To allow newly captured traffic to be written over the oldest captured data when the buffer
fills up, use the wrapping enable command. When this parameter is enabled, the capture does
not stop when the capture buffer is full; instead it writes the new data over the old capture.
This allows the capture to run continuously regardless of the buffer size, at the cost of
losing the oldest frames. The no form of the command disables wrapping, so the capture stops
when the buffer is full (the default).

Examples:

CES(capture-tunnel)#wrapping enable
CES(capture-tunnel)#

CES(capture-tunnel)#no wrapping enable


CES(capture-tunnel)#
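The trigger, direction, length and wrapping rules described in the Overview and in the parameter sections above interact in ways that are easy to get wrong when preparing a capture. The following Python model is an added example, not code from the original guide or from the Contivity itself: it simulates one capture object in memory against constructed packets so the rules can be checked before a capture is run on a production gateway. The packet tuples and the lambda "filters" are stand-ins for real Contivity IP filters, and two details the guide does not state are assumptions marked in the code: the packet matching the start trigger is itself saved, and the packet matching the stop trigger is not.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

INBOUND, OUTBOUND = "inbound", "outbound"
Filter = Callable[[bytes], bool]   # stand-in for a named Contivity IP filter


@dataclass
class Capture:
    size: int = 1048576              # capture add ... size: 32768..268435456 octets
    length: int = 4096               # length: keep only the first n octets, 64..4096
    direction: Optional[str] = None  # direction inbound|outbound; None = both
    filter: Optional[Filter] = None  # filter <name>: only matching packets are saved
    trigger_start: Optional[Filter] = None
    trigger_stop: Optional[Filter] = None
    wrapping: bool = False           # wrapping enable: overwrite the oldest frames
    state: str = "EMPTY"
    frames: List[bytes] = field(default_factory=list)
    used: int = 0
    wrapped: bool = False
    armed: bool = False              # True while frames are being saved
    def __post_init__(self) -> None:
        if not (32768 <= self.size <= 268435456 and 64 <= self.length <= 4096):
            raise ValueError("size must be 32768..268435456 and length 64..4096")

    def start(self) -> None:
        self.state = "RUNNING"
        self.armed = self.trigger_start is None   # no start trigger: save at once

    def stop(self) -> None:
        self.state = "STOPPED"

    def packet(self, direction: str, payload: bytes) -> bool:
        """Offer one packet to the capture; return True if a frame was saved."""
        if self.state != "RUNNING":
            return False
        if self.direction is not None and direction != self.direction:
            return False          # triggers and filters only see the captured direction
        if not self.armed:
            # Assumption: the packet satisfying the start trigger is the first one saved.
            if self.trigger_start(payload):
                self.armed = True
            else:
                return False
        elif self.trigger_start and self.trigger_stop and self.trigger_stop(payload):
            # The stop trigger acts only after the start trigger fired; the start trigger
            # may then begin a new capture. Assumption: the stop packet itself is not saved.
            self.armed = False
            return False
        if self.filter is not None and not self.filter(payload):
            return False
        frame = payload[: self.length]
        if self.used + len(frame) > self.size:
            if not self.wrapping:
                self.state = "BUFFER FULL"       # default: stop when the buffer is full
                return False
            while self.frames and self.used + len(frame) > self.size:
                self.used -= len(self.frames.pop(0))   # write over the oldest data
            self.wrapped = True
        self.frames.append(frame)
        self.used += len(frame)
        return True

    def show(self) -> Dict[str, object]:
        """The fields 'show capture <name>' prints, as a dict."""
        return {"state": self.state, "size": self.size, "frames": len(self.frames),
                "utilization": self.used * 100 // self.size,
                "direction": "BIDIRECTIONAL" if self.direction is None else self.direction.upper(),
                "wrapping": "ENABLED" if self.wrapping else "DISABLED", "wrapped": self.wrapped}


def demo_triggers() -> Tuple[List[bool], Capture]:
    """Constructed outbound-only capture, armed by a telnet-like packet, stopped by ftp-like."""
    cap = Capture(size=32768, length=64, direction=OUTBOUND,
                  trigger_start=lambda p: p.startswith(b"TELNET"),
                  trigger_stop=lambda p: p.startswith(b"FTP"))
    cap.start()
    traffic = [(INBOUND, b"TELNET inbound: wrong direction, does not trigger"),
               (OUTBOUND, b"ICMP before the start trigger: not saved"),
               (OUTBOUND, b"TELNET outbound: start trigger fires"),
               (OUTBOUND, b"ICMP " + b"x" * 200),          # cut to 64 octets
               (OUTBOUND, b"FTP outbound: stop trigger fires"),
               (OUTBOUND, b"ICMP after the stop: not saved"),
               (OUTBOUND, b"TELNET again: capture re-armed")]
    return [cap.packet(d, p) for d, p in traffic], cap


def demo_wrapping(wrapping: bool) -> Capture:
    """Ten 4096-octet frames into the smallest buffer (eight fit), with or without wrapping."""
    cap = Capture(size=32768, wrapping=wrapping)
    cap.start()
    for i in range(10):
        cap.packet(INBOUND, bytes([i]) * 4096)
    return cap


if __name__ == "__main__":
    print(demo_triggers()[0], demo_wrapping(True).show())
```

demo_triggers() returns the per-packet saved/not-saved decisions together with the capture object, so the effect of the wrong-direction packet, the start and stop triggers and the 64-octet length cut can be inspected. demo_wrapping(False) ends in BUFFER FULL after eight frames, while demo_wrapping(True) keeps running and holds only the last eight of the ten frames, which is exactly the trade-off the wrapping parameter makes.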

Exiting the capture configuration mode


To exit the capture configuration mode and save the capture configuration use the exit command:

CES(capture-ethernet)#exit
CES#

Starting, Stopping and Clearing the capture


To start a configured capture object, use the capture <capture name> start command, where
<capture name> is the name of the capture object. Note: The capture object must be created
before it can be started.

Example:

CES#capture nameOfTheCapture start


CES#

To stop the capture, use the capture <capture name> stop command, where <capture name> is
the name of the running capture object.


Example:

CES#capture nameOfTheCapture stop


CES#

To clear the contents of a particular capture use the clear capture <capture name> command,
where <capture name> is the name of the capture object to be cleared.

Example:

CES#clear capture nameOfTheCapture


CES#

Checking the Status and Saving the capture


To check the status on a capture use the show capture <capture name> command, where
<capture name> is the name of the capture object.

Examples:

CES#show capture tunnel


Capture state: EMPTY
Capture buffer size: 1048576
Capture type: TUNNEL
Restarting capture on tunnel logoff: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 0
Capture buffer utilization: 0%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE

CES#show capture nameOfTheCapture


Capture state: RUNNING
Capture buffer size: 32768
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 29
Capture buffer utilization: 84%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE

CES#show capture nameOfTheCapture


Capture state: BUFFER FULL
Capture buffer size: 32768
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 33
Capture buffer utilization: 100%
Capturing direction: BIDIRECTIONAL



Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE

CES#show capture tunnel2


Capture state: STOPPED
Capture buffer size: 1048576
Capture type: TUNNEL
Restarting capture on tunnel logoff: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 0
Capture buffer utilization: 0%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE

To view the list of all configured capture objects use the show capture command:

CES#show capture
Name Type Size Buffer use Count State
global GLOBAL 1048576 0% 0 EMPTY
nameOfTheCapture ETHERNET 32768 100% 33 BUFFER FULL
tunnel TUNNEL 1048576 0% 0 STOPPED
CES#

Note: None of these capture objects has been saved to disk yet; they are all held in memory
until they are explicitly saved.

To save a capture to disk, use the capture <capture name> save <file name> command. The
file is written to the Contivity's disk encrypted with the capture password.

Example:

CES#capture nameOfTheCapture save file.cap


Saving capture nameOfTheCapture to file /ide0/file.cap please wait . . .
28 frames written successfully
CES#


Deleting the capture object


Once a capture object is no longer needed, delete it so that the memory holding it is freed
and Contivity performance is not affected.

To delete the capture object and free memory use the no capture <capture object name>
command.

Example:

CES#no capture captureName


CES#

Note: When capture is globally disabled by issuing the no capture enable command, all of the
capture objects are removed from memory.

Disabling capture globally


PCAP feature could be disabled globally from the console only.
To disable capture globally use the following command:

CES#no capture enable

If an attempt is made to disable capture from a telnet session, a warning is displayed
stating that packet capture can be disabled only from the console port:

% Packet capture must be disabled from the console port.


Transferring, opening and viewing the capture


A saved capture can be transferred from the Contivity gateway using FTP; make sure to use
binary mode for the transfer, since an ASCII-mode transfer corrupts the file. FTP sends the
administrator credentials in clear text, so run it only over the management network.
Download the appropriate capture file from the Contivity.

Example:

D:\tmp\pcap>ftp 192.168.50.90
Connected to 192.168.50.90.
220 FTP server ready
User (192.168.50.90:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get FILE.CAP
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 2532 bytes received in 0.15Seconds 16.88Kbytes/sec.
ftp> quit
221 Bye...see you later

Once the capture has been transferred to the machine it will be analyzed on, use the
openpcap tool to decrypt the captured trace:
openpcap <encrypted capture file> <decrypted capture file>

Example:

D:\tmp\openpcap\128>openpcap.exe FILE.CAP outFILE.cap


Password: <- enter the selected capture password (the password entered when the
capture was globally enabled)



Once the captured trace has been decrypted, it can be opened with software such as Ethereal
or Sniffer Pro.

NOTE: If the software used to analyze the trace does not understand its format (Sniffer
Pro, for example), a conversion may be needed.
Use the editcap command-line utility (part of the Ethereal distribution) to convert a saved
capture to Network General Sniffer format, for example:

editcap -T ether -F ngsniffer d:\pcapfiles\bot_1.cap bot_1.enc

If the capture was taken on a tunnel or on Ethernet, use the .enc extension.

If the capture was taken on a WAN interface, use the .syc extension.

If the capture was taken on a tunnel or on global IP, set the FORCE protocol option in
Sniffer Pro to read the IP frames correctly.
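Before loading a decrypted file into an analyzer, it is worth checking that the transfer and the decryption produced what the gateway reported. The following Python check is an added example, not part of the original guide or of Nortel's openpcap tool. It assumes the decrypted output is a classic libpcap file (the guide only says that Ethereal opens it and that editcap converts it); the sample file it parses is constructed in the code, not a real Contivity capture.

```python
import struct
from typing import Dict, List, Tuple

MAGIC = 0xA1B2C3D4                       # libpcap magic (microsecond timestamps)
LINKTYPES = {1: "ETHERNET", 12: "RAW_IP (DLT_RAW)", 101: "RAW_IP (LINKTYPE_RAW)"}


def parse_pcap(data: bytes) -> Dict[str, object]:
    """Parse an in-memory libpcap file; raise ValueError on anything inconsistent."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-octet pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # the same magic written big-endian
        endian = ">"
    else:
        # A wrong capture password or a non-binary FTP transfer typically lands here.
        raise ValueError(f"bad magic {magic:#010x}: not a libpcap file")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records: List[Tuple[int, int]] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _sec, _usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl > snaplen or incl > orig:
            raise ValueError(f"record at offset {off}: captured length {incl} inconsistent")
        if off + 16 + incl > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append((incl, orig))
        off += 16 + incl
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "UNKNOWN"), "records": records}


def check_capture(data: bytes, frames_reported: int, length: int) -> List[str]:
    """Cross-check the file against what the CLI printed ('N frames written
    successfully') and the capture object's configured per-frame length."""
    try:
        info = parse_pcap(data)
    except ValueError as e:
        return [f"unreadable: {e}"]
    problems = []
    n = len(info["records"])
    if n != frames_reported:
        problems.append(f"frame count {n} != {frames_reported} reported by the gateway")
    over = [incl for incl, _ in info["records"] if incl > length]
    if over:
        problems.append(f"{len(over)} frame(s) longer than the configured length {length}")
    return problems


def build_sample(linktype: int, snaplen: int, payloads: List[bytes]) -> bytes:
    """Constructed test input: a little-endian pcap, each frame cut to snaplen the
    way the capture object's 'length' setting keeps only the first n octets."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1067350000 + i, 0, min(len(p), snaplen), len(p))
        out += p[:snaplen]
    return out


SAMPLE = build_sample(1, 4096, [b"\x00" * 60, b"\x01" * 1500, b"GET / HTTP/1.0\r\n\r\n"])

if __name__ == "__main__":
    print(parse_pcap(SAMPLE)["linktype_name"], check_capture(SAMPLE, 3, 4096))
    # Simulate an ASCII-mode FTP transfer (LF expanded to CRLF) of the same file.
    print(check_capture(SAMPLE.replace(b"\n", b"\r\n"), 3, 4096))
```

A bad magic value is the usual symptom of a wrong capture password or of an FTP transfer done in ASCII mode; a frame count that differs from the "N frames written successfully" message, or frames longer than the length configured on the capture object, point at a damaged or wrong file. The link type tells you whether the analyzer should expect Ethernet frames or raw IP, which is the same distinction the Sniffer Pro note above makes for tunnel and global IP captures.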


Sample capture configurations


Setup

[Figure: test setup]
    192.168.10.0/24                192.168.100.0/24                192.168.20.0/24
    (CES1 private) --- CES1 ====== IPSec Peer-to-Peer BO ====== CES2 --- (CES2 private)
                                          |                                |
                                      WS (VPN Client)                    PC

CES1 - Contivity Secure IP Services Gateway, code version V04_80, management IP
192.168.10.1/24, private IP 192.168.10.10/24, public IP 192.168.100.1;
CES2 - Contivity Secure IP Services Gateway, code version V04_85, management IP
192.168.20.2/24, private IP 192.168.20.20/24, public IP 192.168.100.2/24;
WS - Windows 2000 workstation with the Contivity VPN Client installed on it, IP 192.168.100.7/24;
PC - Windows 2000 workstation on the CES2 private side, IP 192.168.20.7/24.

Note: This configuration assumes that CES1 and CES2 are already configured for the
Peer-to-Peer IPSec branch office tunnel, that CES2 is configured to accept a user tunnel
from WS, and that WS is configured to initiate the user tunnel to CES2. In all sample
configurations the capture is enabled on CES2.

Note: The sample configurations in this document cover the capture object configuration
only. For information on how to configure a branch office tunnel or a user tunnel, consult
the appropriate documentation.


General capture configuration


Make sure the default administrator password on CES2 has been changed; if it has not,
change it now.
For example, to change the administrator's password from the default "setup" to "test" via
the CLI ("test" is used only for this lab; use a strong password on a production gateway):

Log in to the Contivity:

Welcome to the Contivity Secure IP Services Gateway


Copyright (c) 1999-2003 Nortel Networks, Inc.
Version: V04_85.XXX
Creation date: Oct 21 2003, 11:55:12
Date: 10/28/2003
Unit Serial Number: 19696

Please enter the administrator's user name: admin


Please enter the administrator's password:

Select the option L on the menu:

Main Menu: System is currently in NORMAL mode.


1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes
Please select a menu choice (1 - 9,B,P,C,L,R,E): l

Enter privileged mode:

CES>enable
Password:



Enter the configuration mode:

CES#conf t
Enter configuration commands, one per line. End with Ctrl/z.

Configure the password (test) for the administrator:

CES(config)#adminname admin password test


CES(config)#exit
CES#

To change the administrator's password from the default "setup" to "test" via the GUI:
navigate to Admin > Administrator, type the new password in the Password text box, confirm
it in Confirm Password and click OK at the bottom of the screen.

Once the administrator's password has been changed, log in to CES2 via the console port
using terminal software such as HyperTerminal and enter privileged mode as described above.



Once in privileged mode, enable capture globally. Enter the password that protects the
capture (1qazxsw2 was used in this example; it is a keyboard pattern, acceptable for a lab
but not for a production capture):

CES#capture enable
Please specify password for encrypting capture files.
Password: ********
Reenter password: ********
CES#

PCAP using defaults on physical interfaces


Let's create a capture object on a FastEthernet interface with the default capture settings.
Create a capture object (test-fast) for FastEthernet 0/1 with the default capture size (1 MB):

CES#capture add test-fast fastEthernet 0/1


CES#

Start the capture for the created capture object:

CES#capture test-fast start

Ping from CES2 to the PC on the CES2 private side (192.168.20.7):

CES#ping 192.168.20.7
PING 192.168.20.7: 36 data bytes
64 bytes from 192.168.20.7: icmp_seq=0. time=<16 ms
64 bytes from 192.168.20.7: icmp_seq=1. time=<16 ms
64 bytes from 192.168.20.7: icmp_seq=2. time=<16 ms
64 bytes from 192.168.20.7: icmp_seq=3. time=<16 ms
----192.168.20.7 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = <16/<16/<16
CES#

Stop the capture:

CES#capture test-fast stop


CES#



Check the status of the capture:

CES#show cap test-fast


Capture state: STOPPED
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 10
Capture buffer utilization: 0%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE

Save the capture into a file (test1.cap) on disk:

CES#capture test-fast save test1.cap


Saving capture test-fast to file /ide0/test1.cap please wait . . .
10 frames written successfully
CES#

The file is now on the disk. Note the presence of the saved file:

CES#dir
Directory of /ide0/
<DIR> /ide0/
<DIR> TUE OCT 28 14:24:55 2003 .
<DIR> TUE OCT 28 14:24:55 2003 ..
379020 MON OCT 27 10:01:16 2003 BOOTROM.SYS
<DIR> MON OCT 27 10:01:44 2003 SYSTEM
948 TUE OCT 28 14:31:12 2003 TEST1.CAP
<DIR> WED OCT 01 16:22:38 2003 V03_50.44
<DIR> FRI SEP 19 14:24:20 2003 V04_00.881
<DIR> WED SEP 03 09:28:00 2003 V04_05.070
<DIR> WED SEP 24 10:22:20 2003 V04_70.120
<DIR> WED SEP 24 10:00:22 2003 V04_75.124
<DIR> MON AUG 18 15:34:54 2003 V04_80.058
<DIR> FRI OCT 24 10:03:10 2003 V04_80.124
CES#



Enable FTP on CES2 via the CLI or GUI. In this example we’ll do it through the CLI, as we are
already in privileged mode.

Enter the configuration mode:

CES#conf t
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#

Enable the FTP and exit the configuration mode:

CES(config)#ftp-server enable
CES(config)#exit
CES#

From the PC on the CES2 private side download the capture from the CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test1.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 948 bytes received in 0.00Seconds 948000.00Kbytes/sec.
ftp> quit
221 Bye...see you later

Run the openpcap tool to decrypt the capture. When asked, enter the password selected for the
capture protection (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap.exe test1.cap outTest1.cap


Password:



This will create the decrypted capture named outTest1.cap:

D:\tmp\openpcap\128>dir
Volume in drive D has no label.
Volume Serial Number is 9B29-6769

Directory of D:\tmp\openpcap\128
10/28/2003 01:49p <DIR> .
10/28/2003 01:49p <DIR> ..
06/19/2003 06:33p 35,840 openpcap.exe
10/28/2003 01:59p 910 outTest1.cap
10/28/2003 01:57p 948 test1.cap
3 File(s) 37,698 bytes
2 Dir(s) 1,204,814,389 bytes free

Open the decrypted capture outTest1.cap with Ethereal or a similar program. Note the captured
ping:


PCAP using triggers on physical interfaces


Let’s configure a capture object with FTP traffic as the start trigger and Telnet traffic as the stop
trigger. Note: The filters used in this sample configuration are predefined on any Contivity. If
a new filter is needed, it must be created and configured before the capture is configured.

Before configuring the capture we need to enable Telnet on CES2. FTP was enabled in the
previous example.

We will enable Telnet via CLI:

Enter the configuration mode:

CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#

Enable Telnet on CES2 and exit configuration mode:

CES(config)#telnet enable
CES(config)#exit
CES#

Create a new capture object (test-trigger) on the FastEthernet interface:

CES#capture add test-trigger fastEthernet 0/1


CES#

Enter the capture configuration mode for the created capture (test-trigger):

CES#capture test-trigger
CES(capture-ethernet)#

Set the trigger to start capture when FTP traffic arrives:

CES(capture-ethernet)#trigger start "permit FTP"


CES(capture-ethernet)#

Set the trigger to stop capture when Telnet traffic arrives:

CES(capture-ethernet)#trigger stop "permit Telnet"


CES(capture-ethernet)#

Exit the capture configuration mode:

CES(capture-ethernet)#exit
CES#



Start the capture for the configured object:

CES#capture test-trigger start

Issue a continuous ping from the PC to the CES2:

C:\>ping 192.168.20.2 -t
Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64

Check the status of the capture. Note that the number of captured frames is zero and that the start
trigger discards the received packets, because the ICMP traffic does not match the start trigger.
Also note the applied start and stop triggers:

CES#show capture test-trigger


Capture state: RUNNING
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 0
Capture buffer utilization: 0%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE
Start trigger applied: permit FTP
Start trigger discards: 108
Stop trigger applied: permit Telnet
CES#

Start an FTP session from the PC to CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> quit
221 Bye...see you later



Check the status on CES2. Note that frames are now being captured, as the capture start has been
triggered by the FTP traffic:

CES#show capture test-trigger


Capture state: RUNNING
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 107
Capture buffer utilization: 0%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE
Start trigger applied: permit FTP
Start trigger discards: 362
Stop trigger applied: permit Telnet
CES#

Start a Telnet session from the PC to CES2:

C:\>telnet 192.168.20.2
Login: admin
Password:
CES>exit

Check the capture status again. Note that the state of the capture has changed to Stopped by stop
trigger: the Telnet traffic has triggered the capture stop:

CES#show capture test-trigger


Capture state: STOPPED by stop trigger
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 188
Capture buffer utilization: 1%
Capturing direction: BIDIRECTIONAL
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE
Start trigger applied: permit FTP
Start trigger discards: 362
Stop trigger applied: permit Telnet
CES#



Save the capture into a file (test2.cap) on disk:

CES#capture test-trigger save test2.cap


Saving capture test-trigger to file /ide0/test2.cap please wait . . .
188 frames written successfully
CES#

Download the capture from the CES2 via FTP:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test2.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 16788 bytes received in 0.21Seconds 79.94Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the capture into a new file (outTest2.cap). When asked, enter the password that was
selected to protect the capture (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap.exe test2.cap outTest2.cap


Password:



Open the decrypted trace in Ethereal or similar software. Note that the captured traffic started
with the first FTP packet:

And ended with the first Telnet traffic:
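To make the counters in the show capture output above concrete, here is an added Python model of a capture object's trigger and filter bookkeeping; it is not Nortel code and the Contivity's real behaviour may differ in details. It assumes that the frame firing the start trigger and the frame firing the stop trigger are both stored (the traces above begin with the first FTP packet and end with the first Telnet packet), that frames in the wrong direction are never counted, and that a full buffer stops the capture when wrapping is disabled.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed frames are plain dicts: {"proto": "ftp"|"telnet"|"icmp", "dir": "inbound"|"outbound", "len": bytes}
Frame = dict
Filter = Callable[[Frame], bool]

# Stand-ins for the predefined Contivity filters quoted in the guide (assumption: they match by protocol).
PERMIT_FTP: Filter = lambda f: f["proto"] == "ftp"
PERMIT_TELNET: Filter = lambda f: f["proto"] == "telnet"


@dataclass
class CaptureObject:
    name: str
    buffer_size: int = 1048576                 # default 1M buffer shown in the guide
    direction: str = "bidirectional"           # "inbound" | "outbound" | "bidirectional"
    capture_filter: Optional[Filter] = None    # set with "filter ..." in capture config mode
    start_trigger: Optional[Filter] = None     # set with "trigger start ..."
    stop_trigger: Optional[Filter] = None      # set with "trigger stop ..."
    state: str = "STOPPED"
    captured: list = field(default_factory=list)
    start_trigger_discards: int = 0
    filter_discards: int = 0
    armed: bool = False                        # True once the start trigger has fired

    def start(self) -> None:
        self.state = "RUNNING"
        self.armed = self.start_trigger is None   # no start trigger: capture immediately

    def stop(self) -> None:
        self.state = "STOPPED"

    def buffer_used(self) -> int:
        return sum(f["len"] for f in self.captured)

    def offer(self, frame: Frame) -> bool:
        """Present one frame to the capture object; return True if it was stored."""
        if self.state != "RUNNING":
            return False
        if self.direction != "bidirectional" and frame["dir"] != self.direction:
            return False                       # assumption: wrong-direction frames are never counted
        if not self.armed:
            if not self.start_trigger(frame):
                self.start_trigger_discards += 1
                return False
            self.armed = True                  # assumption: the triggering frame is captured too
        if self.capture_filter is not None and not self.capture_filter(frame):
            self.filter_discards += 1
            return False
        if self.buffer_used() + frame["len"] > self.buffer_size:
            self.state = "STOPPED: buffer full"   # wrapping disabled, so no overwrite (assumed label)
            return False
        self.captured.append(frame)
        if self.stop_trigger is not None and self.stop_trigger(frame):
            self.state = "STOPPED by stop trigger"   # the stop frame is the last one stored
        return True

    def show(self) -> dict:
        """The subset of 'show capture <name>' fields this model tracks."""
        return {
            "Capture state": self.state,
            "Captured frames": len(self.captured),
            "Capture buffer utilization": f"{100 * self.buffer_used() // self.buffer_size}%",
            "Start trigger discards": self.start_trigger_discards,
            "Capture filter discards": self.filter_discards,
        }


def replay_trigger_walkthrough() -> dict:
    """Replay the guide's test-trigger sequence: continuous ping, then FTP, then Telnet."""
    cap = CaptureObject("test-trigger", start_trigger=PERMIT_FTP, stop_trigger=PERMIT_TELNET)
    cap.start()
    icmp = {"proto": "icmp", "dir": "inbound", "len": 74}
    for _ in range(5):
        cap.offer(icmp)                        # ping: discarded, start not yet triggered
    cap.offer({"proto": "ftp", "dir": "inbound", "len": 62})      # ftp 192.168.20.2: capture starts
    cap.offer(icmp)                                                # now stored
    cap.offer({"proto": "telnet", "dir": "inbound", "len": 60})   # telnet 192.168.20.2: capture stops
    cap.offer(icmp)                                                # ignored after the stop
    return cap.show()
```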

PCAP on the physical interfaces using Filters and Direction


Let’s configure a capture object that will capture only inbound FTP traffic.

Create a new capture object (test-filter-in) on the FastEthernet interface on CES2:

CES#capture add test-filter-in FastEthernet 0/1


CES#



Enter the capture configuration mode for the created capture object:

CES#capture test-filter-in
CES(capture-ethernet)#

Set the direction for the capture to inbound:

CES(capture-ethernet)#direction inbound
CES(capture-ethernet)#

Set the filter to capture FTP traffic only:

CES(capture-ethernet)#filter "permit FTP"


CES(capture-ethernet)#

Exit the capture configuration menu:

CES(capture-ethernet)#exit
CES#

Start the capture:

CES#capture test-filter-in start


CES#

Issue a continuous ping from the PC to the CES2:

C:\>ping 192.168.20.2 -t
Pinging 192.168.20.2 with 32 bytes of data:

Reply from 192.168.20.2: bytes=32 time<10ms TTL=64




Check the capture status. Note the inbound direction, the applied capture filter, and the counts of
captured frames (zero) and filter-discarded frames:

CES#show capture test-filter-in


Capture state: RUNNING
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 0
Capture buffer utilization: 0%
Capturing direction: INBOUND
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE
Capture filter applied: permit FTP
Capturing non-ip frames: DISABLED
Capture filter discards: 25
CES#

Start an FTP session to CES2 and issue a dir command within the FTP session:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> dir
200 Port set okay
150 Opening ASCII mode data connection
-rwxrwxrwx 1 owner group 379020 Oct 27 10:01 BOOTROM.SYS
drwxrwxrwx 1 owner group 512 Aug 18 15:34 V04_80.058
drwxrwxrwx 1 owner group 512 Sep 24 10:00 V04_75.124
drwxrwxrwx 1 owner group 512 Sep 3 09:28 V04_05.070
drwxrwxrwx 1 owner group 512 Oct 1 16:22 V03_50.44
drwxrwxrwx 1 owner group 512 Sep 24 10:22 V04_70.120
drwxrwxrwx 1 owner group 512 Sep 19 14:24 V04_00.881
drwxrwxrwx 1 owner group 512 Oct 27 10:01 SYSTEM
drwxrwxrwx 1 owner group 512 Oct 24 10:03 V04_80.124
-rwxrwxrwx 1 owner group 16788 Oct 28 15:50 TEST2.CAP
-rwxrwxrwx 1 owner group 948 Oct 28 15:00 TEST1.CAP
226 Transfer complete
ftp: 975 bytes received in 0.31Seconds 3.15Kbytes/sec.
ftp> quit
221 Bye...see you later



Check the capture status. Note a non-zero number of captured frames:

CES#show capture test-filter-in


Capture state: RUNNING
Capture buffer size: 1048576
Capture type: ETHERNET
Capturing on interface: FastEthernet 0/1
Promiscuous mode is: DISABLED
Capturing MAX octets per frame: 4096
Captured frames: 20
Capture buffer utilization: 0%
Capturing direction: INBOUND
Capture buffer wrapping: DISABLED
Capture buffer wrapped: FALSE
Capture filter applied: permit FTP
Capturing non-ip frames: DISABLED
Capture filter discards: 329
CES#

Stop the capture:

CES#capture test-filter-in stop


CES#

Save the capture to a file (test3.cap) on disk:

CES#capture test-filter-in save test3.cap


Saving capture test-filter-in to file /ide0/test3.cap please wait . . .
20 frames written successfully
CES#

Download the capture from the CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test3.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 1652 bytes received in 0.11Seconds 15.02Kbytes/sec.
ftp> quit
221 Bye...see you later



Using the openpcap tool and the password selected for the capture (1qazxsw2 in this example),
decrypt the trace into a new file (outTest3.cap):

D:\tmp\openpcap\128>openpcap.exe test3.cap outTest3.cap


Password:

Open the capture using Ethereal or similar software. Note that only the inbound FTP traffic has
been captured:
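To check a decrypted capture against what this section and the earlier test1 ping example claim (only inbound FTP frames here; echo requests and replies there), here is an added Python script that is not part of the Nortel guide. It assumes openpcap writes a standard libpcap file with Ethernet framing (the guide opens its output in Ethereal), that "permit FTP" matches TCP ports 20 and 21, and it runs on a constructed sample capture rather than a real test3.cap.

```python
import struct
from collections import Counter

# libpcap container and header constants used below.
PCAP_MAGIC_LE, PCAP_MAGIC_BE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 0xD4C3B2A1, 1
ETHERTYPE_IPV4, IPPROTO_ICMP, IPPROTO_TCP = 0x0800, 1, 6
FTP_PORTS = {20, 21}               # assumption: "permit FTP" covers the FTP control and data ports
CES2_PRIVATE_IP = "192.168.20.2"   # CES2 private address used throughout the guide

def read_pcap(data: bytes):
    """Yield the raw bytes of every frame in a libpcap file (either byte order)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a libpcap file: decrypt the .cap with openpcap first")
    end = "<" if magic == PCAP_MAGIC_LE else ">"
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]   # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize(frame: bytes) -> dict:
    """Decode protocol, addresses and ports (or ICMP type) from an Ethernet/IPv4 frame."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return {"proto": None}
    l4 = 14 + (frame[14] & 0x0F) * 4
    info = {"proto": frame[23], "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34]))}
    if info["proto"] == IPPROTO_TCP and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
    elif info["proto"] == IPPROTO_ICMP and len(frame) > l4:
        info["icmp_type"] = frame[l4]
    return info

def label(info: dict) -> str:
    """Short label for a frame summary, e.g. 'icmp-echo-request' or 'tcp/21'."""
    if info["proto"] == IPPROTO_ICMP:
        return {8: "icmp-echo-request", 0: "icmp-echo-reply"}.get(info.get("icmp_type"), "icmp-other")
    if info["proto"] == IPPROTO_TCP and "sport" in info:
        return f"tcp/{min(info['sport'], info['dport'])}"   # heuristic: service port is the lower one
    return "non-ip" if info["proto"] is None else f"ip-proto-{info['proto']}"

def histogram(data: bytes) -> Counter:
    """What a capture contains, e.g. the echo requests and replies of the guide's test1.cap."""
    return Counter(label(summarize(f)) for f in read_pcap(data))

def audit_inbound_ftp(data: bytes, ces_ip: str = CES2_PRIVATE_IP) -> Counter:
    """Tally frames by whether they satisfy 'direction inbound' (destination is the CES
    private IP) and 'permit FTP'; a clean test-filter-in capture has only the 'ok' bucket."""
    tally = Counter()
    for s in map(summarize, read_pcap(data)):
        if s["proto"] is None:
            tally["non-ip"] += 1
        elif s["dst"] != ces_ip:
            tally["not-inbound"] += 1
        elif s["proto"] != IPPROTO_TCP or not FTP_PORTS & {s.get("sport"), s.get("dport")}:
            tally["not-ftp"] += 1
        else:
            tally["ok"] += 1
    return tally

# Constructed sample input (not a real Contivity capture): synthetic Ethernet/IPv4 frames.
def _frame(src, dst, proto, sport=0, dport=0, icmp_type=8):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    l4 = struct.pack("!HH", sport, dport) if proto == IPPROTO_TCP else struct.pack("!BB", icmp_type, 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("192.168.20.7", "192.168.20.2", IPPROTO_TCP, 1037, 21),      # inbound FTP control: ok
    _frame("192.168.20.2", "192.168.20.7", IPPROTO_TCP, 21, 1037),      # CES reply: not-inbound
    _frame("192.168.20.7", "192.168.20.2", IPPROTO_ICMP),               # inbound ping: not-ftp
    _frame("192.168.20.2", "192.168.20.7", IPPROTO_ICMP, icmp_type=0),  # ping reply: not-inbound
    _frame("192.168.20.7", "192.168.20.2", IPPROTO_TCP, 1038, 23),      # inbound telnet: not-ftp
])
```

Point audit_inbound_ftp at the bytes of a real decrypted outTest3.cap and any bucket other than 'ok' shows a frame the direction or filter should have excluded.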

PCAP on Global/Raw IP in a mixed environment of tunnels and private physical interfaces


Let’s configure a capture object to capture all Raw IP traffic.

Create a new capture object (test-raw-ip) for global capture:

CES#capture add test-raw-ip global


CES#

Start the capture on CES2:

CES#capture test-raw-ip start


CES#



Bring the BO tunnel up by pinging from the CES2 private interface to the CES1 private side
(192.168.10.1):

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#

Issue a ping from PC to the CES2 private interface:

C:\>ping 192.168.20.2
Pinging 192.168.20.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64
Reply from 192.168.20.2: bytes=32 time<10ms TTL=64

Ping statistics for 192.168.20.2:


Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Stop the capture:

CES#capture test-raw-ip stop


CES#

Save the capture to a file (test4.cap) on the disk:

CES#capture test-raw-ip save test4.cap


Saving capture test-raw-ip to file /ide0/test4.cap please wait . . .
23 frames written successfully
CES#



Download the capture:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test4.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 4548 bytes received in 0.19Seconds 23.94Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the capture into a new file (outTest4.cap) using the openpcap tool and the password
selected for the capture (1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap test4.cap outTest4.cap


Password:



Open the decrypted capture with Ethereal or similar software. Note that the tunnel establishment
packets are captured, and that the ICMP traffic both inside and outside the tunnel is captured:


PCAP on tunnel using user ID


Let’s configure a capture object to capture tunnel traffic only from a specific user ID.

Create a new capture object (test-user) for the user tunnel:

CES#capture add test-user tunnel


CES#

Enter the capture configuration mode for the capture object:

CES#capture test-user
CES(capture-tunnel)#

Set the user ID (useripsec) for the tunnel to be captured and exit the capture configuration mode:

CES(capture-tunnel)#userid useripsec
CES(capture-tunnel)#exit
CES#

Start the capture:

CES#capture test-user start


CES#

Bring the BO connection up by pinging from the CES1 private side to the CES2 private side:

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#



Initiate a VPN session from the WS to the CES2:

Once the VPN connection has been established, ping the CES2 private IP (192.168.20.20) from the WS:

C:\>ping 192.168.20.20
Pinging 192.168.20.20 with 32 bytes of data:
Reply from 192.168.20.20: bytes=32 time=10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.20.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 2ms

Stop the capture:

CES#capture test-user stop


CES#



Save the capture into a file (test5.cap) on disk:

CES#capture test-user save test5.cap


Saving capture test-user to file /ide0/test5.cap please wait . . .
40 frames written successfully
CES#

Download the encrypted capture from the CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test5.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 3204 bytes received in 0.12Seconds 26.70Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the trace into a new file (outTest5.cap) using openpcap and the password (1qazxsw2 in
this example):

D:\tmp\openpcap\128>openpcap test5.cap outTest5.cap


Password:



Open the decrypted trace with Ethereal or similar software. Note that only the traffic for the tunnel
with the configured user ID was captured; in our case only the user tunnel traffic was captured
and no BO tunnel traffic has been captured:


PCAP on tunnel using Remote IP


Let’s configure a capture object to capture only the tunnel with a specific remote IP.

Create a new capture object (test-remote-ip) to capture the tunnel interface:

CES#capture add test-remote-ip tunnel


CES#

Enter the configuration mode for the capture:

CES#capture test-remote-ip
CES(capture-tunnel)#

Set the remote IP to the CES1 public interface (192.168.100.1) and exit the capture configuration
mode:

CES(capture-tunnel)#remoteip 192.168.100.1
CES(capture-tunnel)#exit
CES#

Start the capture:

CES#capture test-remote-ip start


CES#

Start the VPN session as in the previous example.



Ping from WS to the CES2 private side:

C:\>ping 192.168.20.20
Pinging 192.168.20.20 with 32 bytes of data:
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Reply from 192.168.20.20: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.20.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Bring the BO tunnel up by pinging from CES2 to CES1 management IP:

CES#ping 192.168.10.1
PING 192.168.10.1: 36 data bytes
64 bytes from 192.168.10.1: icmp_seq=2. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=3. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=4. time=<16 ms
64 bytes from 192.168.10.1: icmp_seq=5. time=<16 ms
CES#

Ping from WS to the CES2 private side again.

Stop the capture:

CES#capture test-remote-ip stop


CES#

Save the capture into a file (test6.cap) on the disk:

CES#capture test-remote-ip save test6.cap


Saving capture test-remote-ip to file /ide0/test6.cap please wait . . .
9 frames written successfully
CES#



Download the encrypted capture from the CES2:

D:\tmp\openpcap\128>ftp 192.168.20.2
Connected to 192.168.20.2.
220 FTP server ready
User (192.168.20.2:(none)): admin
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> get test6.cap
200 Port set okay
150 Opening BINARY mode data connection
226 Transfer complete
ftp: 788 bytes received in 0.00Seconds 788000.00Kbytes/sec.
ftp> quit
221 Bye...see you later

Decrypt the trace with the openpcap tool and the password selected to protect the capture
(1qazxsw2 in this example):

D:\tmp\openpcap\128>openpcap test6.cap outTest6.cap


Password:

Open the trace with Ethereal or similar software. Note that only traffic inside the tunnel with the
configured remote IP has been captured; in our case only the traffic inside the BO tunnel has been
captured:



Check all the configured capture objects on CES2:

CES#show capture
Name            Type      Size     Buffer use  Count  State
test-fast       ETHERNET  1048576  0%          10     STOPPED
test-filter-in  ETHERNET  1048576  0%          20     STOPPED
test-raw-ip     GLOBAL    1048576  0%          33     STOPPED
test-remote-ip  TUNNEL    1048576  0%          9      STOPPED
test-trigger    ETHERNET  1048576  1%          188    STOPPED by stop trigger
test-user       TUNNEL    1048576  0%          56     STOPPED
CES#

Once all the tests are done, disable the capture on CES2 globally (Note: this removes all the
configured capture objects and frees the memory used to store them):

CES#no capture enable


CES#

The saved captures remain on the disk until they are explicitly deleted:

CES#dir
Directory of /ide0/
<DIR> /ide0/
<DIR> TUE OCT 28 18:32:12 2003 .
<DIR> TUE OCT 28 18:32:12 2003 ..
379020 MON OCT 27 10:01:16 2003 BOOTROM.SYS
<DIR> MON OCT 27 10:01:44 2003 SYSTEM
948 TUE OCT 28 15:00:30 2003 TEST1.CAP
16788 TUE OCT 28 15:50:40 2003 TEST2.CAP
1652 TUE OCT 28 16:17:44 2003 TEST3.CAP
4548 TUE OCT 28 16:58:48 2003 TEST4.CAP
4436 TUE OCT 28 18:12:50 2003 TEST5.CAP
788 TUE OCT 28 18:33:18 2003 TEST6.CAP
<DIR> WED OCT 01 16:22:38 2003 V03_50.44
<DIR> FRI SEP 19 14:24:20 2003 V04_00.881
<DIR> WED SEP 03 09:28:00 2003 V04_05.070
<DIR> WED SEP 24 10:22:20 2003 V04_70.120
<DIR> WED SEP 24 10:00:22 2003 V04_75.124
<DIR> MON AUG 18 15:34:54 2003 V04_80.058
<DIR> FRI OCT 24 10:03:10 2003 V04_80.124
CES#


Copyright © 2005 Nortel Networks Limited - All Rights Reserved. Nortel, Nortel Networks, the Nortel logo, Globemark, and
Contivity are trademarks of Nortel Networks Limited.
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Limited.
To access more technical documentation, search our knowledge base, or open a service request online, please visit
Nortel Networks Technical Support on the web at: http://www.nortel.com/support

If after following this guide you are still having problems, please ensure you have carried out the steps exactly as in this
document. If problems still persist, please contact Nortel Networks Technical Support (contact information is available
online at: http://www.nortel.com/cgi-bin/comments/comments.cgi?key=techsupport_cu).
We welcome your comments and suggestions on the quality and usefulness of this document. If you would like to leave
feedback, please send your comments to: CRCONT@nortel.com
Author: Kristina Senkova
