Replies: 2 comments 4 replies
Ok, so I think I've made some progress. The SSH session which wasn't being detected - I closed it and restarted it. I was conscious that the session was most likely open before the SO box was deployed. So now I do see some stuff relating to this connection, but I am still not convinced it's everything, but perhaps that is my lack of knowledge in using the tool. As a side note, I did make another change - I removed sfp+1 from the mirror going from CRS328 to SO. Now that sensor is all of the physical ether* ports on the CRS only, not the trunk interface itself. Felt like duplication.
Version
2.4.180
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
6
RAM
32GB
Storage for /
500gb
Storage for /nsm
500gb
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi everyone. First time using SO and first time posting here. I've had a skim through the FAQ etc. but I think my issue is more fundamental.
Context:
Home lab. Two sensors. 1gbe from Mikrotik RB5009 (WAN router, L3 filters between internal VLANs, 10gbe vlan trunk to switch), other sensor is 10gbe from Mikrotik CRS328 switch (operating mainly as Layer 2 device with VLANs). SO server is a Dell T20 server, 32gb ram, Intel X520 with 10gbe SFP+ to CRS328. HP/Intel NC360T for 1gbe connection to RB5009.
Intent is to do full E2E inspection of flows, all the way from the WAN interface, to switch ports on the CRS.
RB5009 has WAN/PPPoE port spanned to SO sensor over 1gbe. Ingress & Egress.
CRS328 has all ethernet ports including vlan trunk spanned to SO sensor over 10gbe. Ingress & Egress.
SO is picking up some flows, but is missing others.
Example: SSH between internal VLANs is picked up (specifically from my management workstation to the SO host). However SO isn't picking up SSH from same workstation to an internet target.
tcpdump on the SO box is seeing all the packets.
No filters configured that I am aware of.
I suspect it's a mirroring / duplication / sequencing issue. I do have a packet broker (Gigamon), but not currently using it (and would prefer not to if I don't need to).
I can provide more config / logs / info as required if someone is willing to school this noob. I suspect it's something basic!
Thank you in advance.
Guidelines
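Added example, not part of this thread and not Security Onion's or Zeek's own code: the follow-up reply found that the undetected SSH session had been opened before the sensor was deployed, and Zeek records exactly that case in conn.log as conn_state OTH with no originator SYN in the history field. This stdlib-only script parses conn.log TSV and lists such mid-stream TCP connections; the sample log is constructed and the hosts, uids and timestamps are placeholders.

```python
# Added example, not from the discussion or from Security Onion: list Zeek
# conn.log TCP records whose handshake the sensor never saw, i.e. sessions
# already open when the mirror/sensor came up. Zeek marks these conn_state=OTH
# and the history string carries no originator SYN ('S').

# Constructed sample in Zeek's TSV layout; hosts are RFC 1918 / 5737 placeholders.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tproto\tservice\tconn_state\thistory",
    # workstation -> SO host: full handshake seen, SSH recognised
    "1700000000.1\tCw1\t10.0.10.5\t51000\t10.0.20.9\t22\ttcp\tssh\tSF\tShADadFf",
    # workstation -> internet host: only data seen, opened before the sensor
    "1700000001.2\tCw2\t10.0.10.5\t51001\t203.0.113.7\t22\ttcp\t-\tOTH\tDdAa",
    # workstation -> internet HTTPS: handshake seen
    "1700000002.3\tCw3\t10.0.10.5\t51002\t203.0.113.8\t443\ttcp\tssl\tSF\tShADadfF",
    "#close\t2023-11-14-22-13-25",
])

def parse_conn_log(text):
    """Yield one dict per record from Zeek TSV text, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def midstream_connections(text):
    """Return TCP records whose handshake the sensor never observed."""
    flagged = []
    for row in parse_conn_log(text):
        if row.get("proto") != "tcp":
            continue
        # 'S' = SYN from originator; 's' = SYN from responder after Zeek
        # flipped direction ('^'). Neither present means a mid-stream pickup.
        if row.get("conn_state") == "OTH" or not set("Ss") & set(row.get("history", "")):
            flagged.append(row)
    return flagged

if __name__ == "__main__":
    for r in midstream_connections(SAMPLE_CONN_LOG):
        print(f"{r['uid']}: {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} "
              f"conn_state={r['conn_state']} history={r['history']}")
```

On a live sensor, feed it the current conn.log (for example via `cat conn.log | python3 script.py` after swapping SAMPLE_CONN_LOG for sys.stdin.read()); a flagged entry for the flow you expected to see means the sensor was not watching when the session started, not that the mirror is dropping it.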