Validate Port Mirroring

Applies to: Advanced Threat Analytics version 1.9

Note

This article is relevant only if you deploy ATA Gateways instead of ATA Lightweight Gateways. To determine if you need to use ATA Gateways, see Choosing the right gateways for your deployment.

The following steps walk you through the process for validating that port mirroring is properly configured. For ATA to work properly, the ATA Gateway must be able to see the traffic to and from the domain controller. The main data source used by ATA is deep packet inspection of the network traffic to and from your domain controllers. For ATA to see the network traffic, port mirroring needs to be configured. Port mirroring copies the traffic from one port (the source port) to another port (the destination port).

Validate port mirroring using a Windows PowerShell script

  1. Save the text of this script into a file called ATAdiag.ps1.
  2. Run this script on the ATA Gateway that you want to validate. The script generates ICMP traffic from the ATA Gateway to the domain controller and looks for that traffic on the Capture NIC on the domain controller. If the ATA Gateway sees ICMP traffic with a destination IP address the same as the DC IP address you entered in the ATA Console, it deems port mirroring configured.

Sample for how to run the script:

# Usage: .\ATAdiag.ps1 -CaptureIP n.n.n.n -DCIP n.n.n.n -PingCount n
# Run from an elevated PowerShell session: opening a raw socket in promiscuous mode requires administrator rights.

param(
    [parameter(Mandatory=$true)][string]$CaptureIP,
    [parameter(Mandatory=$true)][string]$DCIP,
    [int]$PingCount = 10
)

# Set variables
$ErrorActionPreference = "stop"
$byteIn = new-object byte[] 4
$byteOut = new-object byte[] 4
$byteData = new-object byte[] 4096  # receive buffer

# Input for IOControl(ReceiveAll): a first byte of 1 turns promiscuous mode on;
# new-object byte[] already zero-fills the remaining bytes of $byteIn and $byteOut
$byteIn[0] = 1

# Convert network (big-endian) data to host format
function NetworkToHostUInt16 ($value)
{
    [Array]::Reverse($value)
    [BitConverter]::ToUInt16($value,0)
}

function NetworkToHostUInt32 ($value)
{
    [Array]::Reverse($value)
    [BitConverter]::ToUInt32($value,0)
}

function ByteToString ($value)
{
    $AsciiEncoding = new-object system.text.asciiencoding
    $AsciiEncoding.GetString($value)
}

Write-Host "Testing Port Mirroring..." -ForegroundColor Yellow
Write-Host ""
Write-Host "Here is a summary of the connection we will test." -ForegroundColor Yellow

# Initialize a first ping connection
Test-Connection -Count 1 -ComputerName $DCIP -ea SilentlyContinue
Write-Host ""

Write-Host "Press any key to continue..." -ForegroundColor Red
[void][System.Console]::ReadKey($true)
Write-Host ""
Write-Host "Sending ICMP and Capturing data..." -ForegroundColor Yellow

# Open a raw IP socket
$socket = new-object system.net.sockets.socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP)

# Include the IP header in received data
$socket.SetSocketOption([Net.Sockets.SocketOptionLevel]::IP,[Net.Sockets.SocketOptionName]::HeaderIncluded,$true)

$socket.ReceiveBufferSize = 10000

# Bind to the capture NIC so only traffic arriving there is inspected
$ipendpoint = new-object system.net.ipendpoint([net.ipaddress]"$CaptureIP",0)
$socket.Bind($ipendpoint)

# Enable promiscuous mode (SIO_RCVALL) so the socket sees every packet arriving on the capture NIC
[void]$socket.IOControl([net.sockets.iocontrolcode]::ReceiveAll,$byteIn,$byteOut)

# Initialize test variables
$tests = 0
$TestResult = "Noise"
$OneSuccess = 0

while ($tests -lt $PingCount)
{
    if (!$socket.Available)  # see if any packets are in the queue
    {
        start-sleep -milliseconds 500
        continue
    }

    # Capture traffic
    $rcv = $socket.Receive($byteData,0,$byteData.length,[net.sockets.socketflags]::None)

    # Decode the IPv4 header so we can read the addresses and the protocol
    $MemoryStream = new-object System.IO.MemoryStream($byteData,0,$rcv)
    $BinaryReader = new-object System.IO.BinaryReader($MemoryStream)

    # IP version & header length
    $VersionAndHeaderLength = $BinaryReader.ReadByte()

    # TOS
    $TypeOfService = $BinaryReader.ReadByte()

    # Remaining fixed header fields, including the protocol number (1 = ICMP);
    # multi-byte values are big-endian on the wire, so convert them to host (little-endian) order
    $TotalLength = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $Identification = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $FlagsAndOffset = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $TTL = $BinaryReader.ReadByte()
    $ProtocolNumber = $BinaryReader.ReadByte()
    $Checksum = [Net.IPAddress]::NetworkToHostOrder($BinaryReader.ReadInt16())

    # The source and destination IP addresses, read as raw network-order values;
    # the [ipaddress] cast below expects exactly that byte order
    $SourceIPAddress = $BinaryReader.ReadUInt32()
    $DestinationIPAddress = $BinaryReader.ReadUInt32()

    # Close the stream reader
    $BinaryReader.Close()
    $MemoryStream.Close()

    # Cast DCIP and the captured destination into an IPAddress type
    $DCIPP = [ipaddress] $DCIP
    $DestinationIPAddressP = [ipaddress] $DestinationIPAddress

    # Ping the DC again after reading a packet, so the next iteration has probe traffic to look for
    Test-Connection -Count 1 -ComputerName $DCIP -ea SilentlyContinue | Out-Null

    # This is the match logic - check whether the destination IP of the captured packet matches the DC IP entered in the ATA Console.
    # The only way the ATA Gateway's capture NIC should see a packet addressed to the DC is if port spanning is configured.
    if ($DestinationIPAddressP -eq $DCIPP)
    {
        $TestResult = "Port Spanning success!"
        $OneSuccess = 1
    } else {
        $TestResult = "Noise"
    }

    # Put source, destination, test result in a PowerShell object
    new-object psobject | add-member -pass noteproperty CaptureSource $([system.net.ipaddress]$SourceIPAddress) | add-member -pass noteproperty CaptureDestination $([system.net.ipaddress]$DestinationIPAddress) | Add-Member -pass NoteProperty Result $TestResult | Format-List | Out-Host

    # Count tests
    $tests++
}

If ($OneSuccess -eq 1){
    Write-Host "Port Spanning Success!" -ForegroundColor Green
    Write-Host ""
    Write-Host "At least one packet which was addressed to the DC, was picked up by the Gateway." -ForegroundColor Yellow
    Write-Host "A little noise is OK, but if you don't see a majority of successes, you might want to re-run." -ForegroundColor Yellow
} Else {
    Write-Host "No joy, all noise.  You may want to re-run, increase the number of Ping Counts, or check your config." -ForegroundColor Red
}

Write-Host ""
Write-Host "Press any key to continue..." -ForegroundColor Red
[void][System.Console]::ReadKey($true)
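The IPv4 decode and the match rule can be checked without a raw socket or administrator rights. The following is an added example, not part of the ATA documentation or of ATAdiag.ps1: it builds minimal IPv4 headers for a few constructed packets, applies the same destination-equals-DC rule, and additionally rejects buffers that are too short or not IPv4, which the script above does not guard against. The addresses (10.0.0.5 as the DC, 10.0.0.20, 10.0.0.7, 10.0.0.9) are constructed sample values.

```powershell
# Added example: decode an IPv4 header from a byte array and apply the ATAdiag.ps1 match rule offline.
# All addresses are constructed sample values, not from any real deployment.

function Test-MirroredPacket {
    param([byte[]]$Packet, [string]$DCIP)
    # Minimum IPv4 header is 20 bytes; the high nibble of byte 0 is the IP version
    if ($Packet.Length -lt 20 -or ($Packet[0] -band 0xF0) -ne 0x40) { return $null }
    $protocol = $Packet[9]                                   # 1 = ICMP, 6 = TCP, 17 = UDP
    # IPAddress(byte[]) takes the bytes in network order, so no endian conversion is needed
    $src = New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$Packet[12..15])
    $dst = New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$Packet[16..19])
    # Same rule as ATAdiag.ps1: any packet addressed to the DC proves the capture NIC is mirrored
    $toDC = $dst.Equals([System.Net.IPAddress]::Parse($DCIP))
    [pscustomobject]@{
        CaptureSource      = $src.ToString()
        CaptureDestination = $dst.ToString()
        Protocol           = $protocol
        Result             = if ($toDC) { 'Port Spanning success!' } else { 'Noise' }
    }
}

function New-TestIPv4Packet {
    # Builds a minimal 20-byte IPv4 header (no options) for a constructed test packet
    param([string]$Source, [string]$Destination, [byte]$Protocol)
    $hdr = New-Object byte[] 20
    $hdr[0] = 0x45                     # version 4, IHL 5 (20 bytes)
    $hdr[3] = 28                       # total length: header + 8-byte ICMP echo
    $hdr[8] = 128                      # TTL
    $hdr[9] = $Protocol
    [System.Net.IPAddress]::Parse($Source).GetAddressBytes().CopyTo($hdr, 12)
    [System.Net.IPAddress]::Parse($Destination).GetAddressBytes().CopyTo($hdr, 16)
    return ,$hdr                       # leading comma keeps the byte[] from being unrolled
}

$dc = '10.0.0.5'                       # constructed DC address
$samples = @(
    (New-TestIPv4Packet -Source '10.0.0.20' -Destination $dc -Protocol 1),      # echo request to the DC: success
    (New-TestIPv4Packet -Source $dc -Destination '10.0.0.20' -Protocol 1),      # echo reply: destination is not the DC
    (New-TestIPv4Packet -Source '10.0.0.7' -Destination $dc -Protocol 6),       # TCP (e.g. LDAP) to the DC: also success
    (New-TestIPv4Packet -Source '10.0.0.7' -Destination '10.0.0.9' -Protocol 17) # unrelated UDP: noise
)
$rows = foreach ($p in $samples) { Test-MirroredPacket -Packet $p -DCIP $dc }
$rows | Format-Table -AutoSize
```

A truncated buffer (for example `Test-MirroredPacket -Packet (New-Object byte[] 10) -DCIP $dc`) returns nothing rather than a misleading row.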

Validate port mirroring using Net Mon

  1. Install Microsoft Network Monitor 3.4 on the ATA Gateway that you want to validate.

    Important

    Do not install Microsoft Message Analyzer, or any other traffic capture software, on the ATA Gateway.

  2. Open Network Monitor and create a new capture tab.

    1. Select only the Capture network adapter or the network adapter that is connected to the switch port that is configured as the port mirroring destination.

    2. Ensure that P-Mode is enabled.

    3. Click New Capture.

      Image of creating a new capture tab

  3. In the Display Filter window, enter the following filter: KerberosV5 OR LDAP and then click Apply.

    Image of applying the KerberosV5 OR LDAP filter

  4. Click Start to start the capture session. If you do not see traffic to and from the domain controller, review your port mirroring configuration.

    Image of starting the capture session

    Note

    It is important to make sure you see traffic to and from the domain controllers.

  5. If you only see traffic in one direction, you should work with your networking or virtualization teams to help troubleshoot your port mirroring configuration.

See Also