fmadiocli

fmadiocli is a command line interface using a switch style interface to operate FMADIO Packet Capture devices.

A brief help description is provided by the ? command

[Wed Apr 27 07:18:20 2022] ?                                                                                : Command Line Help Info
[Wed Apr 27 07:18:20 2022] config                                                                           : enter configuration mode
[Wed Apr 27 07:18:20 2022] config analytics schedule del <schedule row name>                                : Deletes a analtyics scheduler row
[Wed Apr 27 07:18:20 2022] config analytics schedule mod <schedule row name>                                : configures the analytics scheduler
[Wed Apr 27 07:18:20 2022] config analytics schedule new                                                    : Creates a new analytics scheduler new
[Wed Apr 27 07:18:20 2022] config capture schedule del <schedule row name>                                  : Deletes a capture scheduler row
[Wed Apr 27 07:18:20 2022] config capture schedule mod <schedule row name>                                  : configures the capture scheduler
[Wed Apr 27 07:18:20 2022] config capture schedule new                                                      : Creates a new capture scheduler row
[Wed Apr 27 07:18:20 2022] config capture start <capture name>                                              : Starts a capture
[Wed Apr 27 07:18:20 2022] config capture stop                                                              : Stops a capture
[Wed Apr 27 07:18:20 2022] config interface dns <interface name> <dns>                                      : sets the interfaces dns
[Wed Apr 27 07:18:20 2022] config interface gateway <interface name> <gateway>                              : sets the interfaces gateway
[Wed Apr 27 07:18:20 2022] config interface ip <interface name> <ip address>                                : sets the interfaces IP address
[Wed Apr 27 07:18:20 2022] config interface mode <interface name> <disabled|static>                         : sets the interfaces IP mode static or disabled
[Wed Apr 27 07:18:20 2022] config interface netmask <interface name> <netmask>                              : sets the interfaces netmask
.
.
.

A verbose help description is provided by the ??? command

Command History

Command history is stored in the file

It can be deleted to clear the history

Configure Interfaces

show interface status

FW: 7856+

Shows the current state of the interfaces

Example below shows port status on an FMADIO100Gv2 Analytics system

show interface ip

FW: 8336+

Shows the currently configured IP address information for the management and BMC/IPMI/Capture ports

Example below shows the status on an FMADIO20Gv3 system

show interface counter

Shows RMON1 counter information on each capture port.

Example below is FMADIO20Gv3 system output

Example below shows FMADIO100v2 in 8x10G port output

config interface shutdown

FW: 7856+ support for 100Gv2 2x100G 2x40G

This shuts down the specified capture interface, usually cap0 or cap1. Which ports can be shut down depends on the SKU and port configuration.

config interface no shutdown

FW: 7856+ support for 100Gv2 2x100G 2x40G

Re-enables the specified capture interface from shutdown status. Depending on the link peer, the link peer might need to be bounced as it may be in a shutdown error state.

config interface fec

FW: 8224+ ( 2x100G only)

This forces FEC on the specific capture port. FEC Autoneg is disabled. This setting is persistent across reboots.

config interface no fec

FW: 8224+ ( 2x100G only)

This disables the forced FEC setting; the system will instead use autoneg to determine whether FEC is enabled. The setting is persistent across reboots.

config interface ip

Configures the IP address of the specified network port. Typically this is used for setting the management/BMC IP address of the system

Example below sets the man0 port to IP address 192.168.187.10. The exact output may vary between SKUs

Example below shows setting the IP address of the BMC/IPMI port

config interface netmask

Sets the netmask of the specified interface

config interface gateway

Sets the default gateway for the specified interface

Example below sets the man0 management interfaces default gateway address

config interface dns

Sets the DNS server for the specified interface

Example below sets the DNS server for man0 interface to be 1.1.1.1

Configure Capture

show capture status

Shows the current capture status

show capture schedule

Shows the current capture schedule

show capture list

Displays list of all captures on the system

show capture roll

FW: 8367+

Shows the current capture roll setting

show capture flush

FW: 8367+

Shows the current capture flushing behaviour

config capture start <name>

Starts a capture with the specified name

Use config capture status to verify the current state

config capture stop

Stops the currently active capture

NOTE: This will only stop captures that were started manually. For scheduled captures, disable the schedule entry to stop the capture

Use config capture status to verify the current state

config capture flush

FW: 8367+

Sets the capture flushing behavior.

Default setting is flush 1sec after capture is idle

Flush always every 1 second. NOTE: 1sec is a very aggressive mode and will consume additional storage. However, it does provide low latency when watching low bandwidth captures.

Flush when capture is idle for >= 1sec

config capture roll

FW: 8367+

Configures the capture rolling behavior. Default (0) is roll at midnight.

Example configures capture to roll every 1 hour.

Configure PCAP Download

show pcap timestamp

Shows the current PCAP timestamp mode, e.g. timestamps from the FMADIO FPGA or timing information extracted from a packet broker

Example below shows the PCAP timestamp uses the Arista 7130 (Metamako) footer timestamp

config pcap timestamp <tsmode>

Configures the default PCAP timestamp mode when downloading PCAP data. This value can be overridden by the URI option TSMode.

Supported Timestamp Modes

  • nic - FMADIO FPGA timestamp

  • arista7130 - Arista 7130 (Metamako) Footer

  • arista7150_overwrite - Arista 7150 Overwrite FCS + Keyframes

  • arista7150_insert - Arista 7150 Insert 32bit + Keyframes

  • arista7280_mac48 - Arista 7280 Source MAC 48bit Overwrite

  • arista7280_eth64 - Arista 7280 Ethernet Insert 64bit

  • erspanv3 - Cisco ERSPANv3 Encapsulation

  • cisco3550 - Cisco 3550 (Exablaze) Footer

Help command

Example to set the default behavior to use Arista 7130 footer. It takes 60sec to restart the processes after the setting.

LXC Container Management

The following commands configure and manage LXC containers on the system

show lxc status

Shows the current LXC container status of the system

Example shows 2 containers "suricata" and "centos7"

Suricata is enabled to start at boot time.

config lxc add <lxc name>

Adds an already installed container to the configuration file

The example below adds an already installed container named "ubuntu20" to the system

config lxc del <lxc name>

Removes the specified container from the configuration

NOTE it does not delete the container on disk. Only removes it from the configuration files

Example deletes the container "ubuntu20" from the configuration files

config lxc desc <lxc name> "<description>"

Adds a human description to the lxc to provide context

Example sets a human readable description for the container "ubuntu20". This is visible when using the show lxc command

config lxc boot <lxc name>

Sets the specified container to boot on startup

Example set the "ubuntu20" container to boot on system startup

config lxc no-boot <lxc name>

Sets the specified LXC container to not boot at startup

Example sets the LXC container "ubuntu20" to not boot on startup

config lxc start <lxc name>

Starts the specified container named <lxc name>. If the container starts successfully, the system will return to the prompt

Example starts the fshark2 container on the system

When a container fails to start the output will look similar to below.

config lxc stop <lxc name>

Stops the specified container from running

Example stops the fshark2 container running

config lxc list

TBD lists all available containers in the public repo

contact [email protected] for more info

config lxc install

TBD installs the specified container from the public repo

contact [email protected] for more info

config lxc uninstall

TBD removes the specified container from the configuration and disk

contact [email protected] for more info

Automatic Push PCAP

Configure and monitor the automatic push generation of PCAPs to storage locations.

show push pcap status

FW: 7963+

Shows the currently configured automatic push pcaps

config push pcap add <push target>

FW: 7963+

Creates a new push pcap target called <push target>

NOTE: all target names should be unique

config push pcap del <push target>

Deletes the current push pcap entry name <push target>

config push pcap name <push target> <new name>

Renames the specified <push target> entry with an updated one <new name>

config push pcap path <push target> <new write path>

Updates the push write path to the specified <new write path>. Typically this is the NFS remote path or rclone write path.

config push pcap split-time <push target> <value>

Configure PCAPs to be split by the specified time value. By default <value> is scientific notation in nanoseconds. In addition, the suffixes s (seconds), m (minutes) and h (hours) can be used

Value    Description
1e9      1 second in scientific notation
60s      60 seconds
1m       1 minute
1h       1 hour

Example configure to split every 1 minute

config push pcap split-size <push target> <value>

Configure PCAPs to be split by total byte size <value>

Value    Description
1e9      1 Gigabyte specified in scientific notation
100M     100 Megabyte
5G       5 Gigabyte

Example below shows splitting on 1GB boundaries

config push pcap filename <push target> <value>

Specifies the filename format for each individual split PCAP

Value                 Example                            Description
epoch-sec             _1654610221.pcap                   Second Epoch
epoch-sec-startend    _1654610221-1654620221.pcap        Epoch Start and End
epoch-msec            _1654610221012.pcap                Epoch in msec
epoch-usec            _1654610221012345.pcap             Epoch in micro sec
epoch-nsec            _1654610221012345678.pcap          Epoch in nano sec
HHMM                  _20200101_1201.pcap                Hour Min
HHMMSS                _20200101_120159.pcap              Hour Min Sec
HHMMSS_TZ             2020-01-01_12:01:59+09:00.pcap     Hour Min Sec + Timezone
HHMMSS_NS             _20200101_120159.012345678.pcap    Hour Min Sec Nanos

Example uses a simple Hour Min Sec format
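The split-time values and filename formats above are enough to map an event time back to the pushed PCAP that should contain it. The following is an added example, not FMADIO code; it assumes the timestamp in a name marks the start of that file's split window, that names without a zone are in the zone passed as tz, and it uses a constructed "demo" prefix.

```python
# Added example (not FMADIO code): recover capture time from push PCAP file names.
import calendar
import re
from datetime import datetime, timezone

EPOCH_SCALE = {"epoch-sec": 10**9, "epoch-msec": 10**6,
               "epoch-usec": 10**3, "epoch-nsec": 1}
# Formats without a zone in the name: (pattern, strptime layout).
LOCAL = {"HHMM": (r"_(\d{8}_\d{4})()\.pcap$", "%Y%m%d_%H%M"),
         "HHMMSS": (r"_(\d{8}_\d{6})()\.pcap$", "%Y%m%d_%H%M%S"),
         "HHMMSS_NS": (r"_(\d{8}_\d{6})\.(\d{9})\.pcap$", "%Y%m%d_%H%M%S")}
TZ_NAME = r"(\d{4}-\d\d-\d\d_\d\d:\d\d:\d\d[+-]\d\d:\d\d)\.pcap$"


def split_time_ns(value):
    """split-time value to ns: a bare number is ns, an s/m/h suffix scales it."""
    unit = {"s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}.get(value[-1:])
    return int(float(value[:-1]) * unit) if unit else int(float(value))


def _ns(dt):
    """Aware datetime to integer ns since the epoch, using integer maths only."""
    return calendar.timegm(dt.utctimetuple()) * 10**9


def start_ns(name, fmt, tz=timezone.utc):
    """Timestamp in `name` as ns since the epoch, or None if it does not match.

    `fmt` is the value given to "config push pcap filename". `tz` is applied
    to HHMM/HHMMSS/HHMMSS_NS names (assumption: the page does not say which
    zone they use). For epoch-sec-startend the start value is returned.
    """
    if fmt in EPOCH_SCALE or fmt == "epoch-sec-startend":
        tail = r"-\d+" if fmt == "epoch-sec-startend" else ""
        m = re.search(r"_(\d+)" + tail + r"\.pcap$", name)
        return int(m.group(1)) * EPOCH_SCALE.get(fmt, 10**9) if m else None
    if fmt == "HHMMSS_TZ":
        m = re.search(TZ_NAME, name)
        return _ns(datetime.strptime(m.group(1), "%Y-%m-%d_%H:%M:%S%z")) if m else None
    if fmt not in LOCAL:
        raise ValueError("unknown filename format: " + fmt)
    m = re.search(LOCAL[fmt][0], name)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), LOCAL[fmt][1]).replace(tzinfo=tz)
    return _ns(dt) + int(m.group(2) or 0)


def file_covering(names, fmt, event_ns, split="1m", tz=timezone.utc):
    """Name whose window [start, start + split-time) holds event_ns, else None."""
    width = split_time_ns(split)  # assumption: name timestamp = window start
    for name in names:
        start = start_ns(name, fmt, tz)
        if start is not None and start <= event_ns < start + width:
            return name
    return None


if __name__ == "__main__":
    # Constructed names: the "demo" prefix and 1 minute splits are sample values.
    names = ["demo_1654610220.pcap", "demo_1654610280.pcap", "demo_1654610340.pcap"]
    print(file_covering(names, "epoch-sec", 1654610300 * 10**9, split="1m"))
```
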

config push pcap filter-bpf <push target> "<bpf filter>"

Sets the specified push with a BPF filter.

NOTE: the BPF filter must be enclosed in double quotes

Example sets for udp and port 1900

config push pcap restart

Shuts down the current push processes and restarts them

Example output

Automatic Push to LXC (Container)

The system can push automatically into a lxc_ring enabling a container to consume the data. These functions are to add/delete/modify these push functions.

NOTE this requires the push_lxc analytics script to be running

show push lxc

Shows the current push lxc targets configured on the system

Example shown below, indicates a single suricata ring is enabled with a BPF filter to remove all traffic from subnet 192.168.100.0/24

config push lxc add <ring name>

This adds a new LXC push to the ring named <ring name>.

By default the push is disabled when created.

Example below shows adding a push to the ring named "general"

NOTE this does not create the ring, it only creates the push to the specified ring

config push lxc del <ring name>

Removes the specified LXC push target

Example removes the push lxc target named "general"

config push lxc enable <ring name>

Enables the specified lxc ring push target. By default when adding a new target the state is disabled.

Example enables the push lxc ring target named "general"

config push lxc disable <ring name>

Disables the specified lxc push <ring name>

Example disables the lxc ring named "general"

config push lxc filter-bpf <ring name> "<filter bpf>"

Adds the specified BPF filter to the LXC push to the ring.

NOTE The filter must be enclosed in double quotes ""

Example adds a subnet "192.168.0.0/24" filter to the ring named "general"

config push lxc filter-frame <ring name> "<filter bpf>"

Adds the specified frame filter to the lxc push to the ring.

NOTE the filter must be enclosed in double quotes ""

Example add a Frame filter of capture port 0 only to the ring named "general"

config push lxc from-now <ring name>

Sets the push to start from the current capture position into the lxc ring.

This is the default behaviour

Example sets the ring "general" to push data into the ring from now.

config push lxc from-start <ring name>

Sets the push to start from the beginning of the capture.

Example sets the ring "general" to start from the beginning of the capture

config push lxc restart

This shuts down and then restarts the push lxc processes.

Example output

Ring management

Various functions for monitoring the ring status both push pcap and push lxc

show ring status

Shows all rings status information

Example below. This can be helpful for monitoring that data is being produced and consumed correctly.

Time

Various functions for configuration and monitoring time

show timezone

Shows the timezone the system is currently configured for

Example showing the current timezone

config timezone "<city>"

Configures the timezone by searching the timezone list for the location named "<city>"

System uses the first found match

For cities with spaces in the name, ensure to use double quotes around the city name

Example set the timezone to New York

NOTE change only takes effect on next reboot

User Management

FW: 8336+

FMADIO Web GUI supports multiple users with 2 levels of access

Permission    Description
full          Provides full admin level access to all functions
user          User level only, no ability to modify config and start/stop captures

Using fmadiocli to setup and configure is shown below

show userlist

This shows the currently configured list of users on the system

Example output, it shows 2 users fmadio (full access), bob (user access)

config userlist add

Adds a new user with default permissions and no password

Example adds the username "bob" to the system

config userlist del

Deletes the specified username

Example below deletes the username "bob"

config userlist password

Sets the WEB user password. This has no effect on SSH access to the system

Example below sets the web password for user "bob"

config userlist permission

Sets the userlevel permission for the specified username

There are 2 level types

  • full - provides full unrestricted GUI access

  • user - provides download and analysis only access (no configuration or capture state change)

Example below shows setting the username "bob" to be a "user" level (e.g. can not change system configuration or capture states)

Example below shows setting username "bob" to be a full access user (e.g. can change any configuration using the GUI)

Security Management

Various commands to set and modify the security settings of the system

show security

Shows the current security settings

config security auth

This sets the authentication method of the system. The options are as follows

  • BASIC - this is basic authentication, low security level

  • OAUTH - OAUTH 2.0 including Active Directory, Google, Ping Identity

  • RADIUS - Use Radius based authentication

  • PAM-LDAP - Use the linux PAM system with an LDAP authentication mode

Example to set PAM-LDAP as follows

Output as follows

Some authentication methods require a system reboot. In this case a reboot is required as the system needs to start LDAP client daemons.

config security http

This enables/disables HTTP as a mode of access to the device. HTTP is plain clear text transport protocol, meaning all private data such as username and password are sent in the clear.

For private and secure networks this is ok(ish); for most situations HTTP should be disabled, allowing only HTTPS as the mode of access.

To disable HTTP access (HTTPS only)

Example output

config security timeoutSSH

This sets the SSH idle timeout value. Use "show security" to validate the value is correct.

Time units supported are

An example of setting a 30 sec idle timeout as follows

With the following output

NOTE: the system requires a reboot for the changes to take effect.

config security timeoutWWW

This sets the WWW session timeout value. This is the maximum session duration. Once the session duration is reached the web interface will require a re-login.

Time units supported are

An example setting a 1 hour maximum session timeout

Example output

NOTE: the system requires a reboot for the changes to take effect.

Disk Management

Configuration and status information for disks and disk encryption

Stored disk password

NOTE: the default password is stored in

This may or may not include whitespace characters such as 0xa, which may cause confusion between the password entered and the password saved on disk.

When editing this file in VIM we recommend setting, to avoid any additional whitespace characters in the password
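A byte-level check makes the whitespace problem described above visible before a password file is used, for example the /tmp/disk-password file read by the config disk commands. This is an added example, not FMADIO code; the sample file and passphrase are constructed, and the permission check is an extra hardening step that is not taken from this page.

```python
# Added example (not FMADIO code): byte-level audit of a disk password file.
import os
import stat
import tempfile

WHITESPACE = b" \t\r\n\x0b\x0c"


def audit_password_file(path):
    """Return a list of findings for the password file at `path`."""
    with open(path, "rb") as fh:
        raw = fh.read()
    findings = []
    core = raw.strip(WHITESPACE)
    lead = raw[:len(raw) - len(raw.lstrip(WHITESPACE))]
    tail = raw[len(raw.rstrip(WHITESPACE)):]
    if core and lead:
        findings.append("leading whitespace bytes: " + lead.hex(" "))
    if core and tail:
        findings.append("trailing whitespace bytes: " + tail.hex(" "))
    if not core and raw:
        findings.append("whitespace only: " + raw.hex(" "))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %04o is accessible by group/other" % mode)
    return findings


def write_password_file(path, password):
    """Write `password` byte-for-byte: no newline appended, mode 0600."""
    # O_EXCL fails if `path` already exists, including as a symlink, so a
    # stale or planted file in a shared directory is never written through.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(password.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a password saved by an editor that appends 0x0a.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "disk-password")
        with open(sample, "wb") as fh:
            fh.write(b"example-passphrase\n")
        os.chmod(sample, 0o644)
        for finding in audit_password_file(sample):
            print(finding)
        clean = os.path.join(tmp, "disk-password-clean")
        write_password_file(clean, "example-passphrase")
        print(audit_password_file(clean) or "clean file: no findings")
```
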

show disk status

Shows the current disk status information

Example below shows a fully setup 100Gp3 system with PSID and Encryption enabled

config disk sanitize

Using TCG OPAL2 sedutils the system will factory reset the device using the PSID values, initialize the drives for encryption and set a default password.

When complete the drives data is encrypted with a default password to access a randomly generated AES256 encryption key.

When complete the drives are in the unlocked state. To enable locking use the config disk lock command

Example shows a partial log of the 100G systems sanitize operation. Entire operation takes about 60 seconds

config disk password

Changes the password used for all encryption related disk operations.

Enter Old Password may be ENTER/NULL in which case the default password will be used

Enter Old Password can be read without keyboard input from the file /tmp/disk-password-old if the file exists

Enter New Password can be read without keyboard input from the file /tmp/disk-password if the file exists

Example of setting a new password from the default password

config disk lock

This sets the disks into the locked state requiring a password.

On any power cycle command (disks lose power) the disks will need to be unlocked using the config disk unlock command and a password

The password can be read without keyboard input from the file /tmp/disk-password if the file exists

Example locks all data disks

config disk no-lock

This removes the disk locking function of the drives.

Example below shows a disk no-lock operation

config disk unlock

Unlocks the drives using the specified password

The password can be read without keyboard input from the file /tmp/disk-password if the file exists

Example of unlocking

System Configuration

config system fpga firmware

This configures the system's FPGA firmware. Currently supported modes

  • capture-2x100G (2 x100G packet capture mode)

  • capture-2x40G (2x40G packet capture mode)

  • capture-8x10G (8x10G packet capture mode)

NOTE: this only sets up the system. Reboot is required to start the configuration change

Example:

Output
