API & Integration, DevOps, NetOps, SecOps

use wapi to create/download traffic captures on ha pair

Authority

I am trying to automate traffic captures from an HA pair, and thought I would do it via the WAPI. I've done this on the CLI with set_traffic_capture, for both the active and passive nodes. I did find the Perl script uploaded by Jim Mozley, which I'm using as a touchpoint while I do this via simple curl commands. So I can get the member ID via the member host_name object, which gives me access to the active node of the HA pair. My question is, is there a way to use the WAPI to run capture_traffic_control (and fileop to pull the file) on the passive node of an HA pair? I looked at the read_token option, hoping that might do it, but I'm not sure that's what that is for (and it came back as an empty array when I tried it). I apologize if I've missed something obvious.

Thanks!

curl examples with output:

$ curl -s --tlsv1 --insecure --user '<username>' 'https://<grid_master>/wapi/v2.7/member?host_name~=<host_name>&_return_fields=host_name'
[
    {
        "_ref": "member/<member_id_hash>:<host_name>",
        "host_name": "<host_name>"
    }
]

$ curl -s --tlsv1 --insecure --user '<username>' -X POST 'https://<grid_master>/wapi/v2.7/member/<member_id_hash>:<host_name>?_function=capture_traffic_status'
Enter host password for user '<username>':
{
    "file_exists": true,
    "file_size": 972201826,
    "status": "STOPPED"
}

$ curl -s --tlsv1 --insecure --user '<username>' -X POST 'https://<grid_master>/wapi/v2.7/member/<member_id_hash>:<host_name>?_function=read_token'
Enter host password for user '<username>':
{
    "pnode_tokens": []
}

Re: use wapi to create/download traffic captures on ha pair

Authority

Well, after two weeks of no responses on here to this question, I finally broke down and created a support ticket a few days ago. I'll update here once I get a final verdict and/or more info from them.

Re: use wapi to create/download traffic captures on ha pair

Moderator

First get the ref for the member, if you don't know it.

curl -k -u admin:infoblox -X GET 'https://192.168.1.2/wapi/v2.7/member?host_name=gm.example.net'

returns:

[
    {
        "_ref": "member/m99x1234567890rx7Qw:gm.example.net",
        "config_addr_type": "BOTH",
        "host_name": "gm.example.net",
        "platform": "VNIOS",
        "service_type_configuration": "ALL_V4"
    }
]

This is the call to poll the capture status:

curl -k -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/member/m99x1234567890rx7Qw:gm.example.net?_function=capture_traffic_status'

which returns:

{
    "file_exists": false,
    "file_size": 0,
    "status": "STOPPED"
}

Here's the call to start the capture:

curl -k -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/member/m99x1234567890rx7Qw:gm.example.net?_function=capture_traffic_control&action=START&interface=ALL'

Now I can poll the status to see it running:

curl -k -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/member/m99x1234567890rx7Qw:gm.example.net?_function=capture_traffic_status'

{
    "file_exists": true,
    "file_size": 81920,
    "status": "RUNNING"
}

To download, the capture must be stopped. Either stop it manually (as below) or wait for the timer to expire.

curl -k -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/member/m99x1234567890rx7Qw:gm.example.net?_function=capture_traffic_control&action=STOP&interface=ALL'

Here's the call to generate the capture file:

curl -k -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/fileop?_function=getmemberdata&member=gm.example.net&type=TRAFFIC_CAPTURE_FILE'

which returns a token and a URL:

{
    "token": "eJy9kTF...",
    "url": "https://192.168.1.2/http_direct_file_io/req_id-DOWNLOAD-12345/gm.example.net_0_2019-10-28-13-05-10_tcpdumpLog.tar.gz"
}

Download the file using the URL that was returned:

curl -k -u admin:infoblox -H "Content-type:application/force-download" -O 'https://192.168.1.2/http_direct_file_io/req_id-DOWNLOAD-12345/gm.example.net_0_2019-10-28-13-05-10_tcpdumpLog.tar.gz'

And then close the generated file using the token:

curl -k1 -u admin:infoblox -X POST 'https://192.168.1.2/wapi/v2.9/fileop?_function=downloadcomplete' \
-H "Content-Type: application/json" -d \
'{
  "token": "eJy9kTF..."
}'
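The sequence above (look up the member ref, START, poll, STOP, getmemberdata, download, downloadcomplete) scripted end to end in Python. This is an added example, not code from this thread or from Infoblox; the `http` transport callable, `urllib_transport`, and the function names are assumptions, while the WAPI endpoints, parameters and JSON fields are the ones shown in the replies. Injecting the transport lets the workflow be exercised against canned responses before it is pointed at a real grid master.

```python
import base64
import json
import ssl
import time
import urllib.request

WAPI = "wapi/v2.9"  # API version used in the moderator's calls above

def urllib_transport(user, password, insecure=False):
    """Assumed helper: basic auth like `curl -u`; insecure=True mirrors `curl -k` (skips TLS verification)."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def http(method, url, data):  # -> (status, body); JSON request bodies are passed as str
        req = urllib.request.Request(url, data=data.encode() if data else None, method=method)
        req.add_header("Authorization", f"Basic {auth}")
        if data:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read()
    return http

def member_ref(http, gm, host_name):
    """Look up the member object; its _ref is the path the capture functions are called on."""
    status, body = http("GET", f"https://{gm}/{WAPI}/member?host_name={host_name}", None)
    members = json.loads(body)
    if status != 200 or len(members) != 1:
        raise RuntimeError(f"expected exactly one member named {host_name}, got {body!r}")
    return members[0]["_ref"]

def capture_status(http, gm, ref):
    return json.loads(http("POST", f"https://{gm}/{WAPI}/{ref}?_function=capture_traffic_status", None)[1])

def capture_control(http, gm, ref, action, interface="ALL"):
    http("POST", f"https://{gm}/{WAPI}/{ref}?_function=capture_traffic_control&action={action}&interface={interface}", None)

def capture_and_download(http, gm, host_name, seconds, sleep=time.sleep):
    """START, wait, STOP, then generate, fetch and release the archive. Reaches only the HA pair's active node."""
    ref = member_ref(http, gm, host_name)
    if capture_status(http, gm, ref)["status"] == "RUNNING":
        raise RuntimeError("a capture is already running on this member; not restarting it")
    capture_control(http, gm, ref, "START")
    sleep(seconds)
    capture_control(http, gm, ref, "STOP")
    st = capture_status(http, gm, ref)
    if st["status"] != "STOPPED" or not st["file_exists"]:
        raise RuntimeError(f"capture did not produce a downloadable file: {st}")
    handle = json.loads(http("POST", f"https://{gm}/{WAPI}/fileop?_function=getmemberdata&member={host_name}&type=TRAFFIC_CAPTURE_FILE", None)[1])
    archive = http("GET", handle["url"], None)[1]  # the *_tcpdumpLog.tar.gz bytes
    http("POST", f"https://{gm}/{WAPI}/fileop?_function=downloadcomplete", json.dumps({"token": handle["token"]}))
    return archive
```

A real run is `capture_and_download(urllib_transport("admin", "<password>"), "192.168.1.2", "gm.example.net", 60)`; the downloadcomplete call matters because it releases the generated file on the grid master.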

Re: use wapi to create/download traffic captures on ha pair

Authority

Oops, I forgot to ever follow up on this, and just saw there was a response on here the next day. Sorry about the huge delay in my following up on this.

I appreciate the response and time, mrichard, but the member ref you get back is for the HA pair, not a specific member of the HA pair. If you do a packet capture through the WAPI using the ref, you will get a traffic capture of the active node, and the active node alone. There is no way to initiate a packet capture on the passive node via the GUI or the WAPI, which is what I was wanting. The only way to do it is to get on the CLI of the passive node and initiate it from there. This was verified by the ticket I created with Infoblox support back at that time.

For anyone interested, they did say they would create an RFE for me. On Nov 9th 2019:

I have filed a new RFE as a "request for gathering the Passive Member's Traffic Capture using WAPI". For your reference the RFE number is 10189.

I will note that it is possible that there is no way to do this with the grid system as it is currently designed, since I'm not sure the grid master normally talks to the passive member of an HA pair. It has a VPN tunnel to the active node, but only the active node and passive node have a VPN tunnel with each other - I don't believe the grid master talks directly to the passive node normally. Although they might be able to work around that, it seems like it might be more effort than it's worth.

As far as I know, nothing has come of the RFE. So if you need to do a traffic capture on the passive node of an HA pair, and download the packet capture, prepare to do it all from the CLI of the passive node itself.
