Firewall Wizards mailing list archives

Analyzing a Cisco firewall's connection table


From: Tim Eberhard <xmin0s () gmail com>
Date: Thu, 10 Dec 2009 18:50:39 -0600

All,

After searching around for something to do this for me, I ended up coming up
short (I found one proof of concept that was old and that I couldn't get to
work), so I ended up writing one on my own.

Several years ago I did the same for Netscreen firewalls and I wrote a
program called NSSA - Netscreen Session Analyzer. It's been used by people
all over the world and people seem to get a lot of use out of it.

Given the success I had releasing NSSA, I am also going to go ahead and
release CCA - Cisco Connection Analyzer. This is a *very* beta release that
I've honestly only tested on a single 5540 ASA running 7.2 code. Other
hardware (PIX, FWSM, etc.) and other versions of software MAY not work, but
I would love to hear if it doesn't so I can get it working.

I encourage you Cisco guys to check it out. There are some useful reports
you can generate that will better help you understand what's going through the
firewall in real time. We often use this to troubleshoot abnormal connection
levels or high CPU.

It is in .exe format and is completely virus free. It requires no internet
connection. Please give it a try and give me some feedback good/bad/ugly.
You can download a copy here: performanceclassifieds.net/CCA.rar

Thanks all,
-Tim Eberhard

Here is an example of the output:


Top 10 Source IP addresses:
Number of Connections    -    IP Address
4    -    192.141.224.77    (21.05 Percent)
1    -    192.236.83.33    (5.26 Percent)
1    -    192.234.184.23    (5.26 Percent)
1    -    192.231.21.53    (5.26 Percent)
1    -    192.230.242.122    (5.26 Percent)
1    -    192.216.159.103    (5.26 Percent)
1    -    192.211.159.77    (5.26 Percent)
1    -    192.196.151.143    (5.26 Percent)
1    -    192.174.95.192    (5.26 Percent)
1    -    192.151.229.169    (5.26 Percent)

Top 10 Destination IP addresses:
Number of Connections - IP Address
5    -    90.80.240.218  (26.32 Percent)
5    -    90.80.225.61  (26.32 Percent)
2    -    90.80.246.64  (10.53 Percent)
2    -    90.80.240.217  (10.53 Percent)
1    -    90.80.246.96  (5.26 Percent)
1    -    90.80.246.35  (5.26 Percent)
1    -    90.80.246.155  (5.26 Percent)
1    -    90.80.246.125  (5.26 Percent)
1    -    90.80.225.39  (5.26 Percent)

Top 10 Source Ports:
Number of Connections  -  Port -  Possible Service
6    -    8502   (Not listed) (31.58 Percent)
1    -    50001   (Not listed) (5.26 Percent)
1    -    3085   (pcihreq PCIHReq) (5.26 Percent)
1    -    3084   (itm-mccs ITM-MCCS) (5.26 Percent)
1    -    3080   (stm_pproc stm_pproc) (5.26 Percent)
1    -    3062   (ncacn-ip-tcp ncacn-ip-tcp) (5.26 Percent)
1    -    25821   (Not listed) (5.26 Percent)
1    -    20595   (Not listed) (5.26 Percent)
1    -    1188   (hp-webadmin HP Web Admin) (5.26 Percent)
1    -    1069   (cognex-insight COGNEX-INSIGHT) (5.26 Percent)

Top 10 Destination Ports:
Number of Connections  -  Port -  Possible Service
7    -    80   (World Wide Web HTTP) (36.84 Percent)
5    -    4035   (wap-push-http WAP Push OTA-HTTP port) (26.32 Percent)
2    -    49252   (Not listed) (10.53 Percent)
1    -    50000   (Not listed) (5.26 Percent)
1    -    49259   (Not listed) (5.26 Percent)
1    -    49258   (Not listed) (5.26 Percent)
1    -    49254   (Not listed) (5.26 Percent)
1    -    49253   (Not listed) (5.26 Percent)

Top 10 Protocols Used:
Number of Connections  -  Protocols
12    -  TCP  (63.16 Percent)
7    -  UDP  (36.84 Percent)

Top 10 TCP Flag States:
Number of connections  - TCP Flag
12    - (Up)  U  (28.57 Percent)
12    - ( initial SYN from outside )  B  (28.57 Percent)
5    - ( Outbound Data )  O  (11.9 Percent)
5    - ( inbound data )  I  (11.9 Percent)
4    - ( inside FIN )  f  (9.52 Percent)
2    - ( outside FIN )  F  (4.76 Percent)
1    - ( inside acknowledged FIN )  r  (2.38 Percent)
1    - ( outside acknowledged FIN )  R  (2.38 Percent)

7    -  UB
7    -  -
1    -  UfrIOB
1    -  UfIOB
1    -  UfFRIOB
1    -  UfFIOB
1    -  UIOB

Top 10 Talkers by total bandwidth:

Source IP: 192.234.184.23  --  Destination IP: 90.80.240.218
Bytes Transferred: 113952  Uptime:  20m19s    -Bytes/sec: 93.48

Source IP: 11.181.137.65  --  Destination IP: 90.80.246.125
Bytes Transferred: 38609  Uptime:  10m19s    -Bytes/sec: 62.37

Source IP: 192.148.19.11  --  Destination IP: 90.80.246.64
Bytes Transferred: 10994  Uptime:  46s    -Bytes/sec: 239.0

Source IP: 192.141.224.77  --  Destination IP: 90.80.240.217
Bytes Transferred: 6925  Uptime:  14m18s    -Bytes/sec: 8.07

Source IP: 11.44.153.246  --  Destination IP: 90.80.240.218
Bytes Transferred: 4590  Uptime:  1m5s    -Bytes/sec: 70.62

Source IP: 192.151.229.169  --  Destination IP: 90.80.240.218
Bytes Transferred: 3707  Uptime:  19s    -Bytes/sec: 195.11

Source IP: 192.174.95.192  --  Destination IP: 90.80.246.96
Bytes Transferred: 941  Uptime:  32s    -Bytes/sec: 29.41

Source IP: 192.141.109.162  --  Destination IP: 90.80.246.35
Bytes Transferred: 941  Uptime:  1m0s    -Bytes/sec: 15.68

Source IP: 192.236.83.33  --  Destination IP: 90.80.225.39
Bytes Transferred: 751  Uptime:  1m20s    -Bytes/sec: 9.39

Source IP: 192.141.224.77  --  Destination IP: 90.80.225.61
Bytes Transferred: 595  Uptime:  2m44s    -Bytes/sec: 3.63


Top 10 Talkers by bytes a second:

Source IP: 192.148.19.11  --  Destination IP: 90.80.246.64
Bytes Transferred: 10994  Uptime:  46s    -Bytes/sec: 239.0

Source IP: 192.151.229.169  --  Destination IP: 90.80.240.218
Bytes Transferred: 3707  Uptime:  19s    -Bytes/sec: 195.11

Source IP: 192.234.184.23  --  Destination IP: 90.80.240.218
Bytes Transferred: 113952  Uptime:  20m19s    -Bytes/sec: 93.48

Source IP: 11.44.153.246  --  Destination IP: 90.80.240.218
Bytes Transferred: 4590  Uptime:  1m5s    -Bytes/sec: 70.62

Source IP: 11.181.137.65  --  Destination IP: 90.80.246.125
Bytes Transferred: 38609  Uptime:  10m19s    -Bytes/sec: 62.37

Source IP: 192.174.95.192  --  Destination IP: 90.80.246.96
Bytes Transferred: 941  Uptime:  32s    -Bytes/sec: 29.41

Source IP: 192.141.109.162  --  Destination IP: 90.80.246.35
Bytes Transferred: 941  Uptime:  1m0s    -Bytes/sec: 15.68

Source IP: 192.236.83.33  --  Destination IP: 90.80.225.39
Bytes Transferred: 751  Uptime:  1m20s    -Bytes/sec: 9.39

Source IP: 192.141.224.77  --  Destination IP: 90.80.240.217
Bytes Transferred: 6925  Uptime:  14m18s    -Bytes/sec: 8.07

Source IP: 192.141.224.77  --  Destination IP: 90.80.225.61
Bytes Transferred: 595  Uptime:  2m44s    -Bytes/sec: 3.63
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
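
Editor's added example (not Tim's code and not part of CCA): the kind of
parser the post describes, written in Python against the classic ASA/PIX
"show conn" line shape ("TCP outside A.B.C.D:port inside W.X.Y.Z:port, idle
H:MM:SS, bytes N, flags ..."). It assumes the outside endpoint is printed
first, decides the initiator from the "B" flag (initial SYN from outside, per
the legend in the post) and otherwise treats the inside host as the source;
for UDP, which carries no TCP flags, that inside-initiated default is an
assumption. The sample lines are constructed with RFC 5737 addresses. The
per-flag percentages follow the post's method, a share of all flag letters
rather than of connections (12 TCP connections in the post yield 42 letters,
so 12 "U" flags show as 28.57 Percent). Plain "show conn" reports idle time,
not the uptime CCA prints, so idle seconds stand in for it here.

```python
"""Top-N reports over Cisco ASA/PIX 'show conn' output (added example, not CCA's code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Flag letters and meanings exactly as the post's report prints them.
FLAG_LEGEND = {
    "U": "Up", "B": "initial SYN from outside", "O": "outbound data", "I": "inbound data",
    "f": "inside FIN", "F": "outside FIN", "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# Assumed line shape, outside endpoint first, commas optional:
#   TCP outside 203.0.113.10:80 inside 10.1.1.5:49252, idle 0:00:04, bytes 11391, flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<oip>[\d.]+):(?P<oport>\d+)\s+"   # outside ifname ip:port
    r"\S+\s+(?P<iip>[\d.]+):(?P<iport>\d+),?\s+"                        # inside ifname ip:port
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2}),?\s+bytes\s+(?P<bytes>\d+),?\s+flags\s+(?P<flags>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass
class Conn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    idle_s: int
    nbytes: int
    flags: str  # "" for UDP, which 'show conn' prints as '-'


def parse_idle(text: str) -> int:
    """'H:MM:SS' -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line: str) -> Optional[Conn]:
    """Return a Conn, or None for non-connection lines such as the '7 in use, 1402 most used' header."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = "" if d["flags"] == "-" else d["flags"]
    outside = (d["oip"], int(d["oport"]))
    inside = (d["iip"], int(d["iport"]))
    # 'B' = initial SYN from outside, so the outside host is the initiator; otherwise
    # (and for UDP, assumption) the inside host opened the connection.
    src, dst = (outside, inside) if "B" in flags else (inside, outside)
    return Conn(d["proto"].upper(), src[0], src[1], dst[0], dst[1],
                parse_idle(d["idle"]), int(d["bytes"]), flags)


Row = Tuple[str, int, float]


def top_n(counter: Counter, total: int, n: int = 10) -> List[Row]:
    """Most frequent keys first (ties broken by key), each with its share of `total` to two decimals."""
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]
    return [(str(k), c, round(100.0 * c / total, 2)) for k, c in ranked]


def analyze(lines: Sequence[str], n: int = 10) -> Dict[str, list]:
    """Build the same report sections the post shows from raw 'show conn' lines."""
    conns = [c for c in map(parse_conn_line, lines) if c is not None]
    total = len(conns) or 1
    letters = Counter(ch for c in conns if c.proto == "TCP" for ch in c.flags)  # per-letter, as in the post
    letter_total = sum(letters.values()) or 1
    return {
        "src_ip": top_n(Counter(c.src_ip for c in conns), total, n),
        "dst_ip": top_n(Counter(c.dst_ip for c in conns), total, n),
        "src_port": top_n(Counter(c.src_port for c in conns), total, n),
        "dst_port": top_n(Counter(c.dst_port for c in conns), total, n),
        "proto": top_n(Counter(c.proto for c in conns), total, n),
        "tcp_flags": [(f"{k} ({FLAG_LEGEND.get(k, 'not in legend')})", c, p)
                      for k, c, p in top_n(letters, letter_total, n)],
        "flag_states": top_n(Counter(c.flags or "-" for c in conns), total, n),
        "top_bytes": [(c.src_ip, c.dst_ip, c.nbytes, c.idle_s)
                      for c in sorted(conns, key=lambda c: -c.nbytes)[:n]],
    }


# Constructed sample; the first line mimics the summary header 'show conn' prints before the table.
SAMPLE_SHOW_CONN = """\
7 in use, 1402 most used
TCP outside 203.0.113.10:80 inside 10.1.1.5:49252, idle 0:00:04, bytes 113952, flags UIO
TCP outside 203.0.113.10:80 inside 10.1.1.5:49253, idle 0:00:10, bytes 3707, flags UfIO
TCP outside 198.51.100.77:8502 inside 10.1.1.20:4035, idle 0:00:01, bytes 595, flags UB
TCP outside 198.51.100.78:8502 inside 10.1.1.20:4035, idle 0:00:07, bytes 6925, flags UIOB
TCP outside 203.0.113.44:443 inside 10.1.1.9:50001, idle 0:00:00, bytes 0, flags saA
UDP outside 198.51.100.53:53 inside 10.1.1.5:40012, idle 0:00:02, bytes 312, flags -
UDP outside 198.51.100.53:53 inside 10.1.1.7:40013, idle 0:00:03, bytes 298, flags -
""".splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_SHOW_CONN)
    for section in ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tcp_flags", "flag_states"):
        print(f"\nTop 10 {section}:")
        for key, count, pct in report[section]:
            print(f"{count}    -    {key}    ({pct} Percent)")
    print("\nTop 10 talkers by bytes:")
    for src, dst, nbytes, idle in report["top_bytes"]:
        print(f"Source IP: {src}  --  Destination IP: {dst}  Bytes: {nbytes}  Idle: {idle}s")
```

Paste the output of "show conn" into a file and feed its lines to analyze();
lines that don't match the connection shape (headers, blank lines, or a
different firmware's layout) are skipped rather than miscounted, and a flag
letter outside the legend, such as the half-open "saA" state in the sample,
is reported as "not in legend" instead of being dropped.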