You can integrate one of the following third-party solutions with the Network Decoder to capture packets in the Azure cloud environment.
Integrate Gigamon GigaVUE with the Network Decoder
You can access Gigamon Visibility Platform through the Azure Marketplace on the Azure portal. It is activated by a BYOL license. A thirty-day free trial is also available. For more information on the Gigamon solution, see GigaVUE Cloud Suite for Azure.
For more information regarding GigaVUE Deployment, see https://docs.gigamon.com/doclib515/Content/GV-Cloud-Azure/preface-Azure.html?tocpath=GigaVUE%20Cloud%20Suites%7CAzure%7C_____0.
Once the Monitoring Session is deployed in Gigamon GigaVUE-FM with the Decoder receiver NIC as the tunnel, incoming traffic is visible on the Network Decoder host.
Integrate Ixia with the Network Decoder
Keysight Ixia CloudLens SaaS is a Network Visibility platform. For more information on the CloudLens solution, see https://www.keysight.com/in/en/products/network-visibility/cloud-visibility/cloudlens/cloudlens-saas.html.
You must complete the following tasks to integrate the Network Decoder with Ixia CloudLens.
Task 1. Deploy Client Machines
Task 2. Create CloudLens Project
Task 3. Install Docker Container on Decoder
Task 4. Install Docker Container on Clients
Task 5. Map Network Decoder to Ixia Clients
Task 6. Validate CloudLens Packets Arriving at Decoder
Task 7. Set the Interface in the Network Decoder
Task 1. Deploy Client Machines
- Deploy the client machines from which you want to route traffic to the Network Decoder. See the Ixia CloudLens documentation (https://<CloudLensManager_IP>/cloudlens/docs/Default.htm) for the specifications of supported client machines.
  <CloudLensManager_IP> is the respective CloudLens Manager instance.
- Modify the VM's network security group to allow incoming traffic on the following ports:
  - TCP: 22 (SSH): Connection to the instance / VM.
  - IP Protocol: 47 (GRE): Required by CloudLens Sensor Tap to send the tapped traffic to the Sensor Tool.
  - UDP Protocol: 19993 (Encrypted Tunnel): Required by CloudLens Sensor Tap to send the tapped traffic to the Sensor Tool.
For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg.
Task 2. Create CloudLens Project
- Log in to Ixia CloudLens Manager and go to the Configure page.
- Click + (add) to create a new project.
- In the CREATE NEW PROJECT view:
  - Enter the Project Name. For example: Netwitness-Ixia.
  - Enter the Project Description. For example: Netwitness Ixia Integration.
  - Click OK.
- Click SHOW PROJECT KEY to get the API Key for the project.
  The key is required to configure the Host and Tool agents.
Task 3. Install Docker Container on Decoder
- SSH to the Network Decoder.
- Set up Docker. For more information on how to set up Docker, see https://docs.docker.com/engine/install/centos/.
- Run the following commands to set the Docker insecure-registries parameter, which allows the sensor image to be pulled from CloudLens, and to enable and restart Docker. The first command overwrites any existing /etc/docker/daemon.json:
  echo "{\"insecure-registries\":[\"<CloudLens_IP_here>\"]}" | sudo tee /etc/docker/daemon.json
  sudo systemctl enable docker.service
  sudo service docker restart
- Pull the CloudLens agent Docker image. Run the following command:
  sudo docker pull <CloudLens_IP_here>/sensor
- Start the CloudLens agent, replacing ProjectKeyFromIxiaProjectPortal with the project key retrieved in Task 2. Create CloudLens Project and <CloudLens_IP_here> with the CloudLens Manager IP. Run the following command:
  sudo docker run -v /lib/modules:/lib/modules -v /var/log:/var/log/cloudlens -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --cap-add SYS_MODULE --cap-add SYS_RESOURCE --cap-add NET_RAW --cap-add NET_ADMIN --name cloudlens-agent -d --restart=on-failure --net=host --log-opt max-size=50m --log-opt max-file=3 <CloudLens_IP_here>/sensor --accept_eula yes --project_key ProjectKeyFromIxiaProjectPortal --server <CloudLens_IP_here> --ssl_verify no
Task 4. Install Docker Container on Clients
- SSH to the Azure VM with root privileges.
- Set up Docker for the VM's OS or distribution. For more information, see https://docs.docker.com/engine/install/.
- Run the following commands to set the Docker insecure-registries parameter, which allows the sensor image to be pulled from CloudLens, and to enable and restart Docker. The first command overwrites any existing /etc/docker/daemon.json:
  echo "{\"insecure-registries\":[\"<CloudLens_IP_here>\"]}" | sudo tee /etc/docker/daemon.json
  sudo systemctl enable docker.service
  sudo service docker restart
- Pull the CloudLens agent Docker image. Run the following command:
  sudo docker pull <CloudLens_IP_here>/sensor
- Start the CloudLens agent, replacing ProjectKeyFromIxiaProjectPortal with the project key retrieved in Task 2. Create CloudLens Project and <CloudLens_IP_here> with the CloudLens Manager IP. Run the following command:
  sudo docker run -v /lib/modules:/lib/modules -v /var/log:/var/log/cloudlens -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --cap-add SYS_MODULE --cap-add SYS_RESOURCE --cap-add NET_RAW --cap-add NET_ADMIN --name cloudlens-agent -d --restart=on-failure --net=host --log-opt max-size=50m --log-opt max-file=3 <CloudLens_IP_here>/sensor --accept_eula yes --project_key ProjectKeyFromIxiaProjectPortal --server <CloudLens_IP_here> --ssl_verify no
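The sensor container started in Tasks 3 and 4 runs with host networking, the host root and Docker socket mounted, and four added capabilities. The following check is an added example, not part of the original procedure or of CloudLens: it compares the text printed by `sudo docker inspect cloudlens-agent` with the flags in the command above and reports anything broader. The function names and the sample input are assumptions made for illustration.

```python
import json

# Settings taken from the `docker run` command in Tasks 3 and 4.
EXPECTED_CAPS = {"SYS_MODULE", "SYS_RESOURCE", "NET_RAW", "NET_ADMIN"}
EXPECTED_BINDS = {
    "/lib/modules:/lib/modules",
    "/var/log:/var/log/cloudlens",
    "/:/host",
    "/var/run/docker.sock:/var/run/docker.sock",
}

def _cap(name):
    """Normalize 'CAP_NET_RAW' or 'net_raw' to 'NET_RAW'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name

def audit_sensor(inspect_json):
    """Return findings where the container differs from the documented command.

    inspect_json is the text printed by `docker inspect cloudlens-agent`.
    """
    host = json.loads(inspect_json)[0]["HostConfig"]
    findings = []
    if host.get("Privileged"):
        findings.append("container is --privileged")
    caps = {_cap(c) for c in host.get("CapAdd") or []}
    for extra in sorted(caps - EXPECTED_CAPS):
        findings.append(f"unexpected capability: {extra}")
    for missing in sorted(EXPECTED_CAPS - caps):
        findings.append(f"missing capability: {missing}")
    binds = set(host.get("Binds") or [])
    for extra in sorted(binds - EXPECTED_BINDS):
        findings.append(f"unexpected bind mount: {extra}")
    if host.get("NetworkMode") != "host":
        findings.append(f"network mode is {host.get('NetworkMode')!r}, expected 'host'")
    return findings

# Constructed sample: trimmed `docker inspect` output for a container that
# has drifted from the documented command (one extra capability and mount).
SAMPLE = json.dumps([{"Name": "/cloudlens-agent", "HostConfig": {
    "Privileged": False, "NetworkMode": "host",
    "CapAdd": ["SYS_MODULE", "SYS_RESOURCE", "NET_RAW", "NET_ADMIN", "SYS_ADMIN"],
    "Binds": sorted(EXPECTED_BINDS) + ["/etc:/mnt/etc"],
}}])

if __name__ == "__main__":
    for line in audit_sensor(SAMPLE):
        print(line)
```

An empty result means the running container matches the documented flags exactly.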
Task 5. Map Network Decoder to Ixia Clients
Map the Network Decoder to the client machines to route the traffic to the Network Decoder. Do the following:
- Go to the CloudLens Manager UI.
- Click on your project and open it.
- Click Define Group or the Instances count.
  You should see two instances listed, one for your decoder and the other for the client machines.
- Apply a filter for the decoder instance and click Save Search.
- Select Save as a tool.
- Specify a name for the tool and the Aggregation Interface.
  Use a meaningful name for the Aggregation Interface (for example, cloudlens0). This is a virtual interface that appears in the OS where your Tool is installed. You need to instruct your tool to 'listen' to that interface in a subsequent step.
- Apply a filter for the client host instance from the list and click Save Search.
- Navigate back to the top-level view of the project.
  Your client machine instance and Decoder instance are now displayed.
- Drag a connection between the client machine instance and the Decoder instance to allow the flow of packets.
Task 6. Validate CloudLens Packets Arriving at Decoder
Complete the following steps to validate that the packets are actually arriving at the Network Decoder.
- SSH to the Network Decoder.
- Run the following command.
  ifconfig
  The new aggregation interface you created is displayed.
- Generate traffic from the client OS instance CLI (for example: wget http://www.google.com/).
- SSH to the Network Decoder and go to your Network Decoder instance CLI.
- Run the following command to look for suitable results in the tcpdump.
  tcpdump -i cloudlens0
Task 7. Set the Interface in the Network Decoder
Complete the following steps in the Network Decoder to set the interface for the Ixia integration.
- SSH to the Network Decoder.
- Run the following command to restart the decoder service:
  $ sudo restart nwdecoder
  The Network Decoder is now set to capture the network traffic.
- Log in to NetWitness and click (Admin) > Services.
- Select a Decoder service and click > View > Explore.
- Expand the decoder node and click config to view the configuration settings.
- Set the capture.selected parameter to the following value.
packet_mmap_,cloudlens0(bpf)
- Restart the Decoder service after you set the capture.selected parameter.