NSX 4.1.2 – IDS/IPS Packet Capture


A nice new feature that shipped with NSX 4.1.2 is the ability to download packet capture files (PCAPs) containing packets that were detected or prevented by NSX IDS/IPS.

This enables teams to store and investigate network data related to intrusion attempts outside of NSX, in a common format, whenever that is required.

Packet Capture Feature

The feature itself is enabled within an NSX IDS/IPS Profile, which are found under Security > IDS/IPS & Malware Prevention > Profiles. Up until now, IDS/IPS profiles were used to group signatures, which are then applied to selected applications; now they also contain a section where packet capture is managed. This is interesting as it gives us the flexibility to enable packet capture at a per-application level.

Besides the On/Off switch, we can adjust the size of the PCAP files and define the total number of packets to be captured.

API

Of course we can leverage the NSX REST API to configure the packet capture feature as well. For this you would do a:

PATCH policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/{profile-id} 

The request body that goes along with this PATCH request contains the necessary configuration (check the NSX REST API documentation for more information). Specifically for the packet capture feature, a new type “IdsPcapConfig” has been added:

PCAP Files

Enabling and configuring this feature is very straightforward. Once it’s done, each time a network traffic pattern matches an NSX IDS/IPS signature (i.e. detection/prevention is triggered), the relevant packets are captured and made available for export and download. Again, the scope is defined by where the IDS/IPS profile is applied.

Let’s begin with a look under Security > IDS/IPS > Monitoring in the NSX Manager UI. As we can see, there have been some intrusion attempts:

Next, if we click on Packet Capture Query, the same intrusion events are displayed, but this time in a table format:

From this interface we are able to perform some pretty good filtering on things like Attacker IP/Port, Target IP/Port, Signature ID and PCAP ID. Clicking on an Event ID link, we also instantly get to see more information about a specific intrusion attempt:

And now, to get hold of the relevant PCAP file(s), we first select one or multiple events (rows in the table) and click on Export Packet Capture Data. The data is exported to PCAP files that can then be downloaded from the NSX UI:

Note that the PCAPs are packed in a compressed tarball (tar.gz). Once downloaded and unpacked, we can see our PCAP file:

Which can then be opened and inspected with a tool like Wireshark:

Pretty cool!
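Before handing an exported capture to Wireshark or an automated pipeline, it is worth checking that what came out of the tarball is actually a PCAP and that the archive itself is safe to unpack. The following Python is an added example, not code from the post or from NSX: it builds a constructed tar.gz in memory to stand in for the NSX export download (the member names are made up; NSX assigns its own), refuses archive members whose paths would escape the extraction directory, and validates the pcap global header before counting the packet records.

```python
import io
import struct
import tarfile
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap: microsecond / nanosecond timestamps

def build_sample_pcap(payloads):
    """Constructed sample: minimal little-endian pcap, LINKTYPE_ETHERNET (1), one record per payload."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGICS[0], 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p for i, p in enumerate(payloads)]
    return hdr + b"".join(recs)

def build_sample_tarball(members):
    """Constructed sample: an in-memory tar.gz standing in for the NSX export download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def extract_pcaps(tgz_bytes):
    """Return {name: bytes} for regular .pcap members; reject absolute or '..' paths before unpacking."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"unsafe member path: {m.name}")
            if m.isfile() and m.name.endswith(".pcap"):
                out[m.name] = tar.extractfile(m).read()
    return out

def pcap_summary(data):
    """Check the pcap global header and walk the records; returns (linktype, packet_count)."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off, count = 24, 0
    while off < len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]  # struct.error if header is cut short
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet record")
        off, count = off + 16 + incl_len, count + 1
    return linktype, count
```

Real exports are checked the same way: read the downloaded tar.gz bytes, pass them to extract_pcaps, and run pcap_summary on each member before opening it elsewhere.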

API?

Yes, we can do all of this (except for opening the PCAP file in Wireshark) using the NSX REST API as well. Two API calls are required, where the first one requests the PCAP file(s) export:

POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/pcaps/export 

The second call performs the actual download of the exported PCAP files:

GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/pcaps/{file-name}/download 

For details and examples on these calls, check the NSX REST API documentation.

Thanks for reading!
