共用方式為

驗證埠鏡像

  • 發行項

適用於:Advanced Threat Analytics 1.9 版

注意事項

本文只有在您部署 ATA 閘道而非 ATA 輕量型閘道時才相關。 若要判斷您是否需要使用 ATA 閘道,請參閱 選擇適合您部署的閘道

下列步驟會逐步引導您完成驗證埠鏡像是否已正確設定的程式。 若要讓 ATA 正常運作,ATA 閘道必須能夠查看域控制器的來回流量。 ATA 使用的主要數據源是深入的封包檢查您域控制器的網路流量。 若要讓 ATA 查看網路流量,必須設定埠鏡像。 埠鏡像會將流量從來源埠) (一個埠複製到目的地埠) (另一個埠。

使用 Windows PowerShell 腳本驗證埠鏡像

  1. 將此腳本的文字儲存到名為 ATAdiag.ps1的檔案中。
  2. 在您要驗證的 ATA 閘道上執行此文稿。 腳本會產生從 ATA 閘道到域控制器的 ICMP 流量,並在域控制器的擷取 NIC 上尋找該流量。 如果 ATA 閘道看到目的地 IP 位址與您在 ATA 控制台中輸入的 DC IP 位址相同的 ICMP 流量,則會認為已設定埠鏡像。

如何執行文稿的範例:

# ATAdiag.ps1 -CaptureIP n.n.n.n -DCIP n.n.n.n -TestCount n
param([parameter(Mandatory=$true)][string]$CaptureIP, [parameter(Mandatory=$true)][string]$DCIP, [int]$PingCount = 10)

# Set variables
$ErrorActionPreference = "stop"
$starttime = get-date
$byteIn = new-object byte[] 4
$byteOut = new-object byte[] 4
$byteData = new-object byte[] 4096  # size of data

$byteIn[0] = 1  # for promiscuous mode
$byteIn[1-3] = 0
$byteOut[0-3] = 0

# Convert network data to host format
function NetworkToHostUInt16 ($value)
{
    [Array]::Reverse($value)
    [BitConverter]::ToUInt16($value,0)
}
function NetworkToHostUInt32 ($value)
{
    [Array]::Reverse($value)
    [BitConverter]::ToUInt32($value,0)
}
function ByteToString ($value)
{
    $AsciiEncoding = new-object system.text.asciiencoding
    $AsciiEncoding.GetString($value)
}

Write-Host "Testing Port Mirroring..." -ForegroundColor Yellow
Write-Host ""
Write-Host "Here is a summary of the connection we will test." -ForegroundColor Yellow

# Initialize a first ping connection
Test-Connection -Count 1 -ComputerName $DCIP -ea SilentlyContinue
Write-Host ""
Write-Host "Press any key to continue..." -ForegroundColor Red
[void][System.Console]::ReadKey($true)
Write-Host ""
Write-Host "Sending ICMP and Capturing data..." -ForegroundColor Yellow

# Open a socket
$socket = new-object system.net.sockets.socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP)

# Include the IP header
$socket.setsocketoption("IP","HeaderIncluded",$true)
$socket.ReceiveBufferSize = 10000
$ipendpoint = new-object system.net.ipendpoint([net.ipaddress]"$CaptureIP",0)
$socket.bind($ipendpoint)

# Enable promiscuous mode
[void]$socket.iocontrol([net.sockets.iocontrolcode]::ReceiveAll,$byteIn,$byteOut)

# Initialize test variables
$tests = 0
$TestResult = "Noise"
$OneSuccess = 0

while ($tests -le $PingCount)
{
    if (!$socket.Available)  # see if any packets are in the queue
    {
        start-sleep -milliseconds 500
        continue
    }

    # Capture traffic
    $rcv = $socket.receive($byteData,0,$byteData.length,[net.sockets.socketflags]::None)

    # Decode the header so we can read ICMP
    $MemoryStream = new-object System.IO.MemoryStream($byteData,0,$rcv)
    $BinaryReader = new-object System.IO.BinaryReader($MemoryStream)

    # Set IP version & header length
    $VersionAndHeaderLength = $BinaryReader.ReadByte()

    # TOS
    $TypeOfService= $BinaryReader.ReadByte()

    # More values, and the Protocol Number for ICMP traffic
    # Convert network format of big-endian to host format of little-endian
    $TotalLength = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $Identification = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $FlagsAndOffset = NetworkToHostUInt16 $BinaryReader.ReadBytes(2)
    $TTL = $BinaryReader.ReadByte()
    $ProtocolNumber = $BinaryReader.ReadByte()
    $Checksum = [Net.IPAddress]::NetworkToHostOrder($BinaryReader.ReadInt16())

    # The source and destination IP addresses
    $SourceIPAddress = $BinaryReader.ReadUInt32()
    $DestinationIPAddress = $BinaryReader.ReadUInt32()

    # The source and destimation ports
    $sourcePort = [uint16]0
    $destPort = [uint16]0

    # Close the stream reader
    $BinaryReader.Close()
    $memorystream.Close()

    # Cast DCIP into an IPaddress type
    $DCIPP = [ipaddress] $DCIP
    $DestinationIPAddressP = [ipaddress] $DestinationIPAddress

    #Ping the DC at the end after starting the capture
    Test-Connection -Count 1 -ComputerName $DCIP -ea SilentlyContinue | Out-Null

    # This is the match logic - check to see if Destination IP from the Ping sent matches the DCIP entered by in the ATA Console
    # The only way the ATA Gateway should see a destination of the DC is if Port Spanning is configured

    if ($DestinationIPAddressP -eq $DCIPP)  # is the destination IP eq to the DC IP?
    {
        $TestResult = "Port Spanning success!"
        $OneSuccess = 1
    } else {
        $TestResult = "Noise"
    }

    # Put source, destination, test result in Powershell object
    new-object psobject | add-member -pass noteproperty CaptureSource $([system.net.ipaddress]$SourceIPAddress) | add-member -pass noteproperty CaptureDestination $([system.net.ipaddress]$DestinationIPAddress) | Add-Member -pass NoteProperty Result $TestResult | Format-List | Out-Host
    #Count tests
    $tests ++
}

if ($OneSuccess -eq 1)
{
    Write-Host "Port Spanning Success!" -ForegroundColor Green
    Write-Host ""
    Write-Host "At least one packet which was addressed to the DC, was picked up by the Gateway." -ForegroundColor Yellow
    Write-Host "A little noise is OK, but if you don't see a majority of successes, you might want to re-run." -ForegroundColor Yellow
} else {
    Write-Host "No joy, all noise.  You may want to re-run, increase the number of Ping Counts, or check your config." -ForegroundColor Red
}

Write-Host ""
Write-Host "Press any key to continue..." -ForegroundColor Red
[void][System.Console]::ReadKey($true)

使用 Net Mon 驗證埠鏡像

  1. 在您要驗證的 ATA 閘道安裝 Microsoft網路監視器 3.4

    重要事項

    請勿在 ATA 閘道上安裝Microsoft訊息分析器或任何其他流量擷取軟體。

  2. 開啟 [網络監視器] 並建立新的擷取索引標籤。

    1. 只選取擷 網路適配器或連線到設定為埠鏡像目的地之交換器埠的網路適配器。

    2. 確定已啟用 P 模式。

    3. 按兩下 [新增擷取]

      [Microsoft網络監視器] 對話框的螢幕快照,其中顯示 [新增擷取] 按鈕。

  3. 在 [顯示篩選] 視窗中,輸入下列篩選條件: KerberosV5 或 LDAP ,然後按兩下 [ 套用]

    [Microsoft網络監視器] 對話框的螢幕快照,其中顯示 [顯示篩選] 區域。

  4. 按兩下 [開始 ] 以啟動擷取工作階段。 如果您沒有看到連入域控制器的流量,請檢閱您的埠鏡像設定。

    [Microsoft網络監視器] 對話框的螢幕快照,其中顯示 [開始] 按鈕。

    注意事項

    請務必確定您看到域控制器的來回流量。

  5. 如果您只看到單向流量,您應該與網路或虛擬化小組合作,協助針對您的埠鏡像設定進行疑難解答。

另請參閱