Firewall Wizards mailing list archives
Analyzing a Cisco firewalls connection table
From: Tim Eberhard <xmin0s () gmail com>
Date: Thu, 10 Dec 2009 18:50:39 -0600
All,

After searching around for something to do this for me I ended up coming up short (I found one proof of concept that was old and I couldn't get to work), so I ended up writing one on my own. Several years ago I did the same for Netscreen firewalls and wrote a program called NSSA - Netscreen Session Analyzer. It's been used by people all over the world and people seem to get a lot of use out of it.

Given the success I had releasing NSSA I am also going to go ahead and release CCA - Cisco Connection Analyzer. This is a *very* beta release that I've honestly only tested on a single 5540 ASA running 7.2 code. Other hardware (PIX, FWSM, etc.) and other versions of software MAY not work, but I would love to hear if it doesn't so I can get it working.

I encourage you Cisco guys to check it out. There are some useful reports you can generate that better help you understand what's going through the firewall in real time. We often use this to troubleshoot abnormal connection levels or high CPU. It is in .exe format and is completely virus free. It requires no internet connection. Please give it a try and give me some feedback: good/bad/ugly.
You can download a copy here: performanceclassifieds.net/CCA.rar

Thanks all,
-Tim Eberhard

Here is an example of the output:

Top 10 Source IP addresses:
Number of Connections - IP Address
4 - 192.141.224.77 (21.05 Percent)
1 - 192.236.83.33 (5.26 Percent)
1 - 192.234.184.23 (5.26 Percent)
1 - 192.231.21.53 (5.26 Percent)
1 - 192.230.242.122 (5.26 Percent)
1 - 192.216.159.103 (5.26 Percent)
1 - 192.211.159.77 (5.26 Percent)
1 - 192.196.151.143 (5.26 Percent)
1 - 192.174.95.192 (5.26 Percent)
1 - 192.151.229.169 (5.26 Percent)

Top 10 Destination IP addresses:
Number of Connections - IP Address
5 - 90.80.240.218 (26.32 Percent)
5 - 90.80.225.61 (26.32 Percent)
2 - 90.80.246.64 (10.53 Percent)
2 - 90.80.240.217 (10.53 Percent)
1 - 90.80.246.96 (5.26 Percent)
1 - 90.80.246.35 (5.26 Percent)
1 - 90.80.246.155 (5.26 Percent)
1 - 90.80.246.125 (5.26 Percent)
1 - 90.80.225.39 (5.26 Percent)

Top 10 Source Ports::
Number of Connections - Port - Possible Service
6 - 8502 (Not listed) (31.58 Percent)
1 - 50001 (Not listed) (5.26 Percent)
1 - 3085 (pcihreq PCIHReq) (5.26 Percent)
1 - 3084 (itm-mccs ITM-MCCS) (5.26 Percent)
1 - 3080 (stm_pproc stm_pproc) (5.26 Percent)
1 - 3062 (ncacn-ip-tcp ncacn-ip-tcp) (5.26 Percent)
1 - 25821 (Not listed) (5.26 Percent)
1 - 20595 (Not listed) (5.26 Percent)
1 - 1188 (hp-webadmin HP Web Admin) (5.26 Percent)
1 - 1069 (cognex-insight COGNEX-INSIGHT) (5.26 Percent)

Top 10 Destination Ports:
Number of Connections - Port - Possible Service
7 - 80 (World Wide Web HTTP) (36.84 Percent)
5 - 4035 (wap-push-http WAP Push OTA-HTTP port) (26.32 Percent)
2 - 49252 (Not listed) (10.53 Percent)
1 - 50000 (Not listed) (5.26 Percent)
1 - 49259 (Not listed) (5.26 Percent)
1 - 49258 (Not listed) (5.26 Percent)
1 - 49254 (Not listed) (5.26 Percent)
1 - 49253 (Not listed) (5.26 Percent)

Top 10 Protocols Used:
Number of Connections - Protocols
12 - TCP (63.16 Percent)
7 - UDP (36.84 Percent)

Top 10 TCP Flag State:
Number of connections - TCP Flag
12 - (Up) U (28.57 Percent)
12 - ( initial SYN from outside ) B (28.57 Percent)
5 - ( Outbound Data ) O (11.9 Percent)
5 - ( inbound data ) I (11.9 Percent)
4 - ( inside FIN ) f (9.52 Percent)
2 - ( outside FIN ) F (4.76 Percent)
1 - ( inside acknowledged FIN ) r (2.38 Percent)
1 - ( outside acknowledged FIN ) R (2.38 Percent)
7 - UB
7 - -
1 - UfrIOB
1 - UfIOB
1 - UfFRIOB
1 - UfFIOB
1 - UIOB

Top 10 Talkers by total bandwidth:
Source IP: 192.234.184.23 -- Destination IP: 90.80.240.218 Bytes Transfered: 113952 Uptime: 20m19s -Bytes/sec: 93.48
Source IP: 11.181.137.65 -- Destination IP: 90.80.246.125 Bytes Transfered: 38609 Uptime: 10m19s -Bytes/sec: 62.37
Source IP: 192.148.19.11 -- Destination IP: 90.80.246.64 Bytes Transfered: 10994 Uptime: 46s -Bytes/sec: 239.0
Source IP: 192.141.224.77 -- Destination IP: 90.80.240.217 Bytes Transfered: 6925 Uptime: 14m18s -Bytes/sec: 8.07
Source IP: 11.44.153.246 -- Destination IP: 90.80.240.218 Bytes Transfered: 4590 Uptime: 1m5s -Bytes/sec: 70.62
Source IP: 192.151.229.169 -- Destination IP: 90.80.240.218 Bytes Transfered: 3707 Uptime: 19s -Bytes/sec: 195.11
Source IP: 192.174.95.192 -- Destination IP: 90.80.246.96 Bytes Transfered: 941 Uptime: 32s -Bytes/sec: 29.41
Source IP: 192.141.109.162 -- Destination IP: 90.80.246.35 Bytes Transfered: 941 Uptime: 1m0s -Bytes/sec: 15.68
Source IP: 192.236.83.33 -- Destination IP: 90.80.225.39 Bytes Transfered: 751 Uptime: 1m20s -Bytes/sec: 9.39
Source IP: 192.141.224.77 -- Destination IP: 90.80.225.61 Bytes Transfered: 595 Uptime: 2m44s -Bytes/sec: 3.63

Top 10 Talkers by bytes a second:
Source IP: 192.148.19.11 -- Destination IP: 90.80.246.64 Bytes Transfered: 10994 Uptime: 46s -Bytes/sec: 239.0
Source IP: 192.151.229.169 -- Destination IP: 90.80.240.218 Bytes Transfered: 3707 Uptime: 19s -Bytes/sec: 195.11
Source IP: 192.234.184.23 -- Destination IP: 90.80.240.218 Bytes Transfered: 113952 Uptime: 20m19s -Bytes/sec: 93.48
Source IP: 11.44.153.246 -- Destination IP: 90.80.240.218 Bytes Transfered: 4590 Uptime: 1m5s -Bytes/sec: 70.62
Source IP: 11.181.137.65 -- Destination IP: 90.80.246.125 Bytes Transfered: 38609 Uptime: 10m19s -Bytes/sec: 62.37
Source IP: 192.174.95.192 -- Destination IP: 90.80.246.96 Bytes Transfered: 941 Uptime: 32s -Bytes/sec: 29.41
Source IP: 192.141.109.162 -- Destination IP: 90.80.246.35 Bytes Transfered: 941 Uptime: 1m0s -Bytes/sec: 15.68
Source IP: 192.236.83.33 -- Destination IP: 90.80.225.39 Bytes Transfered: 751 Uptime: 1m20s -Bytes/sec: 9.39
Source IP: 192.141.224.77 -- Destination IP: 90.80.240.217 Bytes Transfered: 6925 Uptime: 14m18s -Bytes/sec: 8.07
Source IP: 192.141.224.77 -- Destination IP: 90.80.225.61 Bytes Transfered: 595 Uptime: 2m44s -Bytes/sec: 3.63
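The kind of analysis CCA performs, as an added illustration that is not part of the post or of the CCA tool: parse connection-table lines, build the Top 10 tables with percentages, decode the TCP flag letters as the report above labels them, and group connections that have carried no data by outside peer, the sort of abnormal connection level the post mentions troubleshooting. The sample lines are constructed, the line shape (protocol, outside endpoint, inside endpoint, idle, bytes, flags) is an assumption about ASA 7.x "show conn" output, and treating the inside endpoint as the source is also an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of ASA 7.x "show conn" lines (assumed format).
SAMPLE_CONN = """\
TCP outside 203.0.113.10:80 inside 10.0.0.5:8502, idle 0:00:05, bytes 113952, flags UIOB
TCP outside 203.0.113.10:80 inside 10.0.0.5:8503, idle 0:00:01, bytes 595, flags UB
TCP outside 203.0.113.11:80 inside 10.0.0.5:8504, idle 0:00:02, bytes 0, flags UB
TCP outside 203.0.113.12:4035 inside 10.0.0.9:3085, idle 0:01:10, bytes 6925, flags UfFRIOB
UDP outside 203.0.113.13:53 inside 10.0.0.7:49252, idle 0:00:03, bytes 941, flags -
TCP outside 203.0.113.10:80 inside 10.0.0.5:8505, idle 0:00:00, bytes 0, flags UB
"""

# Flag letters decoded the way the CCA report above labels them.
FLAG_NAMES = {"U": "Up", "B": "initial SYN from outside", "O": "outbound data",
              "I": "inbound data", "f": "inside FIN", "F": "outside FIN",
              "r": "inside acknowledged FIN", "R": "outside acknowledged FIN"}

CONN_RE = re.compile(r"^(?P<proto>TCP|UDP) \S+ (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"\S+ (?P<src>[\d.]+):(?P<sport>\d+), idle \S+, "
                     r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$")

def parse_conns(text):
    """One dict per parseable line; the inside endpoint is taken as the source (assumption)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:  # lines that do not match the assumed shape are skipped, not guessed at
            d = m.groupdict()
            d["bytes"], d["dport"] = int(d["bytes"]), int(d["dport"])
            conns.append(d)
    return conns

def top_n(conns, key, n=10):
    """(value, count, percent) rows, the shape of the report's Top 10 tables."""
    total = len(conns)
    return [(v, k, round(100.0 * k / total, 2))
            for v, k in Counter(c[key] for c in conns).most_common(n)]

def flag_summary(conns):
    """Per-letter counts over TCP connections, with the decoded meaning."""
    letters = Counter(ch for c in conns if c["proto"] == "TCP"
                      for ch in c["flags"] if ch != "-")
    return [(ch, FLAG_NAMES.get(ch, "unknown"), k) for ch, k in letters.most_common()]

def no_data_by_peer(conns):
    """TCP connections with no payload either way (no I or O flag), grouped by outside
    peer: a spike here is the abnormal connection level the post talks about chasing."""
    return Counter(c["dst"] for c in conns
                   if c["proto"] == "TCP" and not set("IO") & set(c["flags"]))
```

Feed it the saved output of "show conn" from a device whose line format matches the assumed shape; lines in any other shape are skipped rather than misread.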