Troubleshooting Guide: Network Deployment Issues
The purpose of the following article is to advise network infrastructure teams on how to resolve deployment
issues in their networks. While FireEye Support is unable to resolve customer networking issues, we do offer
professional services that can assist you.
Background
FireEye appliances are deployed in a wide variety of corporate networks, each with its own policies,
rules and requirements. Whatever the deployment model, the appliance can only protect the environment if it is
placed at a point in the network where it actually sees the traffic it is meant to inspect.
If you suspect there is a problem with the traffic the NX Series appliance is receiving, we suggest you follow the
troubleshooting steps below:
From the CLI, confirm that web analysis statistics are increasing over time.
Run a deployment check and analyze the output with the network protocol analyzer tool of your choice.
To combine the individual tcp.analysis display filters (retransmissions, ACKed-but-unseen segments, lost
segments, duplicate ACKs and out-of-order segments) into a single filter that shows every packet matching any
of them, use:
tcp.analysis.retransmission||tcp.analysis.ack_lost_segment||tcp.analysis.lost_segment||
tcp.analysis.duplicate_ack||tcp.analysis.out_of_order
Any packet that Wireshark colours with its default "Bad TCP" rule (red text on a black background) indicates
one of these conditions and should be investigated further.
The following tshark command generates comma-separated output listing, for each flagged packet, the source
IP and MAC address, the destination IP and MAC address, the Wireshark Info column (the analysis note), the TCP
stream index and the VLAN ID. It uses exactly the same display filter as above. If you only want some of the
conditions, for example only duplicate acknowledgements, use just that display filter.
tshark -n -r <pcap_file_name> -T fields -E header=y -E separator=',' -e ip.src -e eth.src -e ip.dst -e eth.dst -e _ws.col.Info -e tcp.stream -e vlan.id -Y "tcp.analysis.retransmission||tcp.analysis.ack_lost_segment||tcp.analysis.lost_segment||tcp.analysis.duplicate_ack||tcp.analysis.out_of_order" > <analysis_output_file_name>
The resulting file can be analysed directly with grep or awk, or opened in a spreadsheet program (e.g.
Microsoft Excel). Note that the Info column itself can contain commas (for example in flag lists such as
[PSH, ACK]); if you need the columns after it to line up in a spreadsheet, add -E quote=d to the command so that
every field is enclosed in double quotes. The following pipeline counts the source MAC address (field 2) of the
flagged packets and lists the 20 most frequent ones, which helps identify the device or upstream hop from which
the problem packets arrive:
awk -F "," '{print$2}' < <analysis_output_file_name> | sort | uniq -c | sort -rn | head -20
This analysis gives you a better understanding of your network traffic and a general overview of what needs to be
fixed in the infrastructure or the monitoring feed (SPAN session, TAP or aggregator) so that the appliance does
not miss packets.
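The per-MAC count above is one view of the tshark output; in practice you also want to know which of the five conditions dominate and whether they cluster in a few TCP streams, because many "previous segment not captured" and "ACKed unseen segment" events with few matching retransmissions usually mean the capture point (SPAN/TAP feed) is dropping packets rather than the network itself. The script below is an added example, not FireEye code or part of the original guide. It assumes the tshark command from this guide was run with -E quote=d added (so commas inside the Info column do not shift fields) and parses the resulting CSV; the sample CSV embedded in it is constructed for illustration and is not from a real capture, and the diagnose() rule is a heuristic, not a FireEye-documented check.

```python
"""Summarise the 'Bad TCP' CSV produced by the guide's tshark command.

Added example (not FireEye code). Assumes the CSV has the field order of the
guide's command, ip.src, eth.src, ip.dst, eth.dst, _ws.col.Info, tcp.stream,
vlan.id, and was produced with '-E header=y -E separator=',' -E quote=d'.
"""
import csv
import io
import re
from collections import Counter

# Wireshark Info-column prefixes for the five tcp.analysis flags in the guide's
# display filter. Older Wireshark releases word some of these differently
# ("Previous segment lost", "ACKed lost segment"), so both spellings match.
CATEGORIES = {
    "retransmission": re.compile(r"\[TCP (?:Fast |Spurious )?Retransmission\]"),
    "ack_lost_segment": re.compile(r"\[TCP ACKed (?:unseen|lost) segment\]"),
    "lost_segment": re.compile(r"\[TCP Previous segment (?:not captured|lost)\]"),
    "duplicate_ack": re.compile(r"\[TCP Dup ACK \d+#\d+\]"),
    "out_of_order": re.compile(r"\[TCP Out-Of-Order\]"),
}

# Constructed sample in the layout tshark emits with -E quote=d (csv handles
# both quoted and unquoted fields, so the header line may be either).
SAMPLE_CSV = """ip.src,eth.src,ip.dst,eth.dst,_ws.col.Info,tcp.stream,vlan.id
"10.1.1.5","00:11:22:33:44:55","203.0.113.10","aa:bb:cc:dd:ee:01","[TCP Previous segment not captured] 51234 → 443 [ACK] Seq=4097 Ack=1 Win=65535 Len=1460","0","100"
"203.0.113.10","aa:bb:cc:dd:ee:01","10.1.1.5","00:11:22:33:44:55","[TCP ACKed unseen segment] 443 → 51234 [ACK] Seq=1 Ack=5557 Win=501 Len=0","0","100"
"10.1.1.5","00:11:22:33:44:55","203.0.113.10","aa:bb:cc:dd:ee:01","[TCP Retransmission] 51236 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=100","1","100"
"203.0.113.10","aa:bb:cc:dd:ee:01","10.1.1.5","00:11:22:33:44:55","[TCP Dup ACK 12#1] 443 → 51236 [ACK] Seq=1 Ack=1 Win=501 Len=0","1","100"
"203.0.113.10","aa:bb:cc:dd:ee:01","10.1.1.5","00:11:22:33:44:55","[TCP Dup ACK 12#2] 443 → 51236 [ACK] Seq=1 Ack=1 Win=501 Len=0","1","100"
"10.1.1.5","00:11:22:33:44:55","203.0.113.10","aa:bb:cc:dd:ee:01","[TCP Out-Of-Order] 51238 → 443 [ACK] Seq=2921 Ack=1 Win=65535 Len=1460","2","100"
"10.1.1.5","00:11:22:33:44:55","198.51.100.7","aa:bb:cc:dd:ee:02","[TCP Previous segment not captured] 51240 → 80 [ACK] Seq=1461 Ack=1 Win=65535 Len=1460","3",""
"""


def parse_rows(text):
    """Parse the tshark CSV text into dicts keyed by the header field names."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(info):
    """Return the set of tcp.analysis categories whose Info prefix appears."""
    return {name for name, rx in CATEGORIES.items() if rx.search(info)}


def summarise(rows):
    """Count flagged packets per category, per source MAC and per TCP stream."""
    by_category, by_src_mac, by_stream = Counter(), Counter(), Counter()
    unclassified = 0  # rows whose Info matched none of the five patterns
    for row in rows:
        cats = classify(row["_ws.col.Info"])
        if not cats:
            unclassified += 1
        for cat in cats:
            by_category[cat] += 1
        by_src_mac[row["eth.src"]] += 1   # same view as the guide's awk pipeline
        by_stream[row["tcp.stream"]] += 1
    return {
        "by_category": by_category,
        "by_src_mac": by_src_mac,
        "by_stream": by_stream,
        "unclassified": unclassified,
    }


def diagnose(summary):
    """Heuristic (assumption, not a documented rule): gaps in the capture that
    are not followed by retransmissions point at the monitoring feed dropping
    packets; retransmissions and duplicate ACKs point at loss on the wire."""
    cat = summary["by_category"]
    gaps = cat["lost_segment"] + cat["ack_lost_segment"]
    if gaps and gaps > cat["retransmission"]:
        return "capture-gap"   # check SPAN oversubscription / missing direction
    if cat["retransmission"] or cat["duplicate_ack"]:
        return "wire-loss"
    return "none"


if __name__ == "__main__":
    summary = summarise(parse_rows(SAMPLE_CSV))
    print("per category:", dict(summary["by_category"]))
    print("top source MACs:", summary["by_src_mac"].most_common(20))
    print("busiest streams:", summary["by_stream"].most_common(10))
    print("verdict:", diagnose(summary))
```

Run it against a real file by replacing SAMPLE_CSV with the contents of the tshark output; the verdict is only a starting point, so confirm a "capture-gap" result by checking the SPAN session or TAP for oversubscription and for a missing traffic direction before changing anything on the wire.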
If you do not have the resources, expertise or time to carry out this analysis, FireEye offers professional
services engagements. Please contact your local Account Manager for more details.