DeepSweep™ Tutorial Single-port
Contents
1. Using the same process, add another Subject ID: the fixed IP address.
  20. Click New for another new Subject ID.
  21. Select IPv4 Identifier Type.
  22. Enter 111.222.33.44 for this example.
  23. Click OK.
[Screenshot: Subject Identifier entry page with Identifier Type IPv4 and IPv4 Address 111.222.33.44]
You are returned to the IAS Controller configuration page.
Doc rev DSTI1 1 28 12 Copyright IP Fabrics Inc 2007 Page 14 DeepSweep Tutorial T1_IAS Surveillance Assembly single port example IP Fabrics
This is how the page should now appear:
[Screenshot: IAS Controller page showing example case 1 with subjects MAC 11:22:33:44:55:66 and IPv4 111.222.33.44]
We are done defining the information for the IAS Controller SM: one case with two subject IDs.
2. below it.
  7. Click OK. The selected icon will appear in the definition area in the lower part of the screen.
[Screenshot: Simple Connections page with the selected PIXL 0 configuration shown in the definition area]
Next we will place the SMs on the chain. In this case both SMs go onto the single chain.
  8. Click on the PIXL 0 chains icon (box) at the lower left of the page. This will take you to the SM Chains definition page.
  9. Use the drop-down menus to match the example screen image: ias_ctrl in the first slot of the top-most chain and ias_content in the second slot.
  10. Click OK.
[Screenshot: SM Chains definition page with ias_ctrl and ias_content on one chain]
3. Fabrics: Empowering Network Processors. DeepSweep Tutorial, Single-port T1_IAS Example, June 2007. Copyright IP Fabrics Inc 2007. IP Fabrics Inc, 14964 NW Greenbrier Parkway, Beaverton, OR 97006. 503 444 2400, 503 444 2401 (FAX). www.ipfabrics.com
Information in this document is furnished in connection with IP Fabrics products. No license, express or implied, to any intellectual property rights is granted by this document. This document and the software described in it are furnished under license and may only be used or copied in accordance with the terms of the license. Copyright 2007 IP Fabrics Inc. All rights reserved.
Packet Processing Language, PPL, PPL-VM and DeepSweep are owned and copyrighted by IP Fabrics Inc. Microsoft, Windows and Windows XP are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. Red Hat is a registered trademark of Red Hat Inc. MontaVista is a registered trademark of MontaVista Software Inc. Intel and Pentium are registered trademarks of Intel Corporation. Other brands, trademarks and names are property of their respective owners.
Introductio
4. [Screenshot, continued: IAS Controller configuration page, showing the Collection Interface fields and the SM Attributes panel (IAP SystemID name, Continuation report interval, Protocols to watch, Special Conditions)]
First we will enter the SM Attributes information. This is the information on the right side of the page.
  7. Enter Cornell 1 as the IAP system ID (same as in the other SM definition).
  8. Check/uncheck the protocol boxes so as to leave only DHCP to watch. It would be acceptable to check the other protocol boxes too, but we leave them unchecked since we know we only care about DHCP in this example.
  9. Click OK.
[Screenshot: IAS Controller page with IAP system ID Cornell 1]
5. [Screenshot, continued: IAS Controller configuration page]
Next we will make several subject ID entries for this case. In this example case we will watch for DHCP assigning an IP address to a known MAC address. We will watch a known fixed IP address.
  17. Click on the New button in the middle of the IAS Controller page, near the text "Selected Case Case Information". This takes you to a screen for entry of Subject Identifiers.
  18. Select MAC as Identifier Type and enter a MAC address. We use 11:22:33:44:55:66 in the example.
  19. Click OK.
[Screenshot: Subject Identifier entry page with Identifier Type MAC and MAC Address 11:22:33:44:55:66]
This returns you to the IAS Controller configuration page.
6. This completes the configuration of the Surveillance Assembly. Now you are ready to RUN the SA.
Step 7: Run the ias_surveillance_SA Surveillance Assembly
Let's run the SA.
  1. Select the Run tab at the top of the page.
  2. Select ias_surveillance_SA from the drop-down menu on the left side of the gray area.
  3. Click Start button. You should see several changes in the Messages and Status boxes. Finally the system will display RUNNING and the Messages display should show OK.
[Screenshot: Run page with ias_surveillance_SA running]
Step 8: Return to ias_ctrl SM
We now have a running Surveillance Assembly. If we return to the configuration page for the IAS Controller, we will see some indication of this.
  1. Click Make SM tab.
  2. Select the ias_ctrl S
7. IAS Content SM.
Step 4: Define ias_ctrl Surveillance Module
Create the second SM, which will be named ias_ctrl. This will be a different type of SM (IAS Controller), but the process is similar.
  1. Click Make SM tab.
  2. Click New button.
  3. Select IAS Controller from the SM type menu.
  4. Click in blank box labeled SM name.
  5. Enter the string ias_ctrl.
  6. Click OK button.
[Screenshot: Make SM page with SM type IAS Controller]
This takes you to the configuration page for this SM type.
There is a single setup screen for this SM definition. Initially this screen will be as below.
[Screenshot: initial IAS Controller configuration page, with Defined cases, Selected Case, Subscribers (subjects) and Intercept Information areas]
8. [Screenshot: Make SA page with Surveillance Assembly name ias_surveillance_SA]
This takes you to the first configuration page for this SA.
You will see the Simple Connections page.
[Screenshot: Simple Connections page with the PIXL 0 button and the configuration options across the top]
Select the topology for the first PIXL 0.
  5. Click button labeled PIXL 0.
  6. Click on the icon that is on the left of the set across the top. It has the descriptive text "1 4 pair of independent inputs"
9. [Screenshot, continued: Make SM page with SM name ias_content]
This takes you to the configuration page for this SM type.
Now we will configure the IAS Content SM with the specific criteria this specific SM will use. There is only a single configuration screen for this SM type.
  7. Enter ias_ctrl as the associated IAS controller. This SM name does not exist in the system since we have not defined it yet. That is OK. We will do that next. When we are done, this name must match the name of the IAS controller from which the IAS content SM will listen for its instructions.
  8. Enter Cornell 1 as the IAP system ID. This can be any identifying string you desire and will be reported in some of the T1.IAS messages to an LEA collector software system.
  9. Leave the other check boxes as they are shown here.
  10. Click OK.
[Screenshot: IAS Content configuration page with IAP system ID Cornell 1]
This completes the configuration of the
10. 2.168.43.50. If you are running the DeepSweep with a locally attached display, keyboard and mouse, then use http://127.0.0.1
Step 2: Login
If you have set up a user account already, then do use it to log in. If you have not yet set up a user account, then use the admin account with the default (as shipped) password ipfabrics. These are all lower case. You can set up your own account later by following the instructions in the user manual. Note that some screens may be different for admin vs. a non-admin user name.
[Screenshot: DeepSweep login page with User and Password fields]
Step 3: Define ias_content Surveillance Module (SM)
This is the first of two Surveillance Modules (SM) you will need to define for the tutorial. This SM will be of type IAS Content and will be watching the content packet stream.
  1. Click Make SM tab.
  2. Click New button.
  3. Select IAS Content from the SM type menu.
  4. Click in blank box labeled SM name.
  5. Enter the string ias_content.
  6. Click OK button.
[Screenshot: Make SM page]
11. Step 5: Construct ias_surveillance_SA Surveillance Assembly
In this step we will construct the Surveillance Assembly (SA) that combines the two Surveillance Modules (SMs) that we just defined into a system of instances and interconnections. For this SA we will take packets arriving at port EO to be input to both the IAS Controller SM and IAS Content SM. We will do nothing with packets on the other interfaces. We begin by defining a new SA named ias_surveillance_SA.
  1. Click on Make SA tab.
[Screenshot: Make SA page listing the Defined Surveillance Assemblies and the Status of Surveillance Assembly]
  2. Click on New button.
  3. Enter text string ias_surveillance_SA into the text box.
  4. Click OK button.
12. G displayed, then this could be due to inadvertent use of TCP in the example. Since there is probably no actual live LEA collector function at the IP address used in the example, the use of TCP is problematic.
Step 10: Accessing data files
To access files in the user area you can use SFTP or SCP, or a product such as WinSCP, to get files after a run. The account is ens_administrator and is shipped with the default password ipfabrics. See the DeepSweep User's Manual for additional details.
13. M from the list.
  3. Click Edit button. This takes you to the IAS Controller configuration page.
The SA is running, so you will get an indication that this SM is alive and that one or more cases are actually running. From here you can add new cases and/or subject IDs, and they will immediately be made active if within the time window for the start/stop dates on that case. In fact, we could have created and started the SA and then added the example case and subject IDs afterward.
  4. Click on the case named example case 1.
[Screenshot: IAS Controller page for the running SA, showing example case 1 with subjects MAC 11:22:33:44:55:66 and IPv4 111.222.33.44]
Step 9: Stop the T1_IAS Surveillance Assembly
To shut down the SA, click on the Control button. This takes you back to the Run page. Click on the Stop button. You should see the system Status go to STOPPING and then to IDLE with the Status of OK.
NOTE: If there is an abnormally long delay with STOPPIN
14. We will use one DeepSweep port to watch all DHCP assignments and content traffic. One system port (GB1 in this example) is connected to the network so that a browser has access to the DeepSweep, and the other system port (GB2) must have access to a path to the collector system of the LEA. Of course, these could be the same interfaces if one wishes. Again, this is highly installation dependent. In this example we assume that these connections and associated configuration have already been done.
A step-by-step tutorial follows. At a high level the process is:
  1. Open a browser to DeepSweep.
  2. Log in.
  3. Define two Surveillance Modules (SM): one to watch control information and one to watch content.
  4. Define a Surveillance Assembly (SA).
  5. Start the SA.
  6. Re-examine the IAS Controller once the system is running.
  7. Stop the running SA.
T1_IAS Step-by-step Instructions
Step 1: Point browser to configuration screens
Point your browser to the DeepSweep login screen. Use HTTPS with the IP address of the DeepSweep. Systems have been tested with Microsoft IE and Mozilla Firefox browsers. If the DeepSweep IP address has been set to 192.168.43.50, then one would enter the URL as https://19
15. Next we will define a new case.
  10. Click New button that is near the case section of the page. This takes you to a simple screen with a single text entry box.
  11. Enter example case 1 in the text box.
  12. Click OK.
[Screenshot: Case ID entry page with example case 1 entered]
You will be returned to the IAS Controller definition page.
Now we will define the parameters for this sample case.
  13. Make sure the newly added case name is highlighted. If it is not, then click on the name.
  14. Check the intercept information boxes for To, From and Content. Note that the start date should be today's date and the end date will be blank. Just leave them that way. If the start date is not correct, then confirm that your system's time zone is set correctly and possibly that you have a valid path to an NTP time server. See the Dee
16. n
This document is a simple step-by-step tutorial that guides you through the stages involved in constructing a sample DeepSweep IAS example. This example employs a system with a single Packet Inspection Accelerator (PIXL) that is resident on one Double Espresso (DE) board. This provides dual Gbit Ethernet ports.
Let's set up the sample scenario. We want to capture both identifying information and content for a particular subject. We know the MAC address and some other identifying information. In this sample system, IP addresses are sometimes fixed and sometimes assigned by DHCP. Figure 1 depicts a greatly simplified network topology for this example. The purpose of this tutorial is to go through the DeepSweep concepts rather than how to set up an ISP. It shows the use of a method to provide all packets in a single simplex Ethernet stream. Specifically, this single stream will contain DHCP, controller input, and all of content. This can be done in a variety of ways, such as a mirror/span port or an aggregating tap. This is highly installation dependent.
[Figure 1: T1_IAS simplified network example. Single-port T1_IAS tutorial example showing a subject computer with fixed IP 111.222.33.44, a subject computer with MAC 11:22:33:44:55:66, the DHCP server, IAS_Controller, IAS_Content, the LEA, the browser, and the outside Internet.]
17. pSweep User's Manual for more information if this is not set up properly.
  15. Enter your own safe IP address, port number and protocol for both Collection Interfaces, CmII and CmC. Be sure to select UDP, since there is no actual live LEA collector at the receiving side of this example. These are for Communications Identifying Information and Communications Content. If you really want to examine the output, then these need to be valid IP and port entries. They need not be valid to run through the example, but if you have the LEA port connected to your network then you should make sure this traffic would not cause a problem.
  16. Click OK.
[Screenshot: IAS Controller configuration page for example case 1, with the SM Attributes, Intercept Information and Collection Interface fields filled in]