NDR Sensor Command-Line Interface Reference
Copyright © 2025 Broadcom Inc. and/or its subsidiaries. All Rights Reserved.
EN-002526-00
NDR Sensor Command-Line Interface Reference
NDR Sensor 5.1.0
Table of Contents
About This Book
The NDR Sensor Command-Line Interface Reference describes how to use the NDR Sensor
Command-Line Interface (CLI) and includes examples and command overviews.
Intended Audience
The information in this guide is written
for experienced systems and network administrators who are familiar with virtual
machine technology and virtual datacenter operations.
Introduction to the NDR Sensor CLI
Each NDR Sensor virtual appliance contains a command-line interface (CLI).
The command syntax and output format of NDR Sensor commands are not guaranteed
to be the same from release to release.
Logging In and Out of the CLI
Before you can run CLI commands, you must connect to
an NDR Sensor virtual appliance. You can connect to the console or through
SSH.
If you did not enable SSH while installing the appliance, you can use the
set service ssh start-on-boot command to enable
the SSH service.
To log out, type exit.
NDR Sensor CLI Commands
Clear the security banner or message of the day. The banner is reset to the system default banner.
Example
ndr-sensor> clear banner
Clears/Delete all management interfaces in the system. This only empties
the management interface list and does not affect the underlying network interface.
Example
ndr-sensor> clear management-interfaces
All the management interfaces have been deleted!
Clear all name servers from the DNS configuration.
Example
ndr-sensor> clear name-servers
Resets configured password complexity requirements to default.
Example
ndr-sensor> clear password-complexity
Remove all domain names from the DNS search list.
Example
ndr-sensor> clear search-domains
Configure the SSH service to not start on boot.
Example
ndr-sensor> clear service ssh start-on-boot
Clears/Delete all sniffing interfaces in the system. No packets will be
captured after clearing the sniffing interfaces. This only empties the sniffing interface list
and does not affect the underlying network interface.
Example
ndr-sensor> clear sniffing-interfaces
All sniffing interfaces have been deleted successfully!
It may take up to a minute for deletion/unbinding to complete and
sniffing service to stop, check cmd 'get service sniffing'
Disable SSH Root login property
Example
ndr-sensor> clear ssh root-login
Disable password expiration for the user.
| Option | Description |
|---|---|
| <username> | Username of user |
Example
ndr-sensor> clear user audit password-expiration
Disable password expiration warning for the user.
| Option | Description |
|---|---|
| <username> | Username of user |
Example
ndr-sensor> clear user audit password-expiration-warning
Copy system generated core dumps to a remote destination.
| Option | Description |
|---|---|
| <filepath> | Path of generated core dump file |
| <url> | Remote file url (e.g. scp://username@ip_address/filepath/filename) |
Example
ndr-sensor> copy core-dump test.1559278043.gz url scp://[email protected]/tmp/
[email protected]'s password:
Copy a local file to a remote destination.
| Option | Description |
|---|---|
| <filename> | Existing file argument |
| <url> | Remote file url (e.g. scp://username@ip_address/filepath/filename) |
Example
ndr-sensor> copy file support-bundle-0.tgz url scp://[email protected]/home/admin/
[email protected]'s password:
or
ndr-sensor> copy file support-bundle-0.tgz url scp://admin@[fd01:1:2:2919:0:a:0:d03]/home/admin/
admin@fd01:1:2:2919:0:a:0:d03's password:
Copy a remote file to the local file store. If no destination file is specified, the copied file has the same file name as the source file. You can use the
To specify IPv6 remote addresses, url server should be enclosed between square brackets.
file argument to specify a different destination file name.To specify IPv6 remote addresses, url server should be enclosed between square brackets.
| Option | Description |
|---|---|
| <url> | Remote file url (e.g. scp://username@ip_address/filepath/filename) |
| <filename> | Filename argument Allowed pattern: ^[^/ *;&|]+$ |
Example
ndr-sensor> copy url scp://[email protected]/home/admin/file-0.txt
[email protected]'s password:
or
ndr-sensor> copy url scp://[email protected]/home/admin/file-1.txt file newfile-1.txt
[email protected]'s password:
or
ndr-sensor> copy url scp://admin@[fd01:1:2:2919:0:a:0:d03]/home/admin/file-1.txt file newfile-1.txt
admin@fd01:1:2:2919:0:a:0:d03's password:
Copy a remote https url file to local file using same filename.
| Option | Description |
|---|---|
| <url> | Remote file url (e.g. scp://username@ip_address/filepath/filename) |
| <thumbprint> | Remote host thumbprint |
Delete core dump files in the system.
| Option | Description |
|---|---|
| <filepath> | Path of generated core dump file |
Example
ndr-sensor> del core-dump /var/log/core/test.1559278043.gz
Delete a local file.
| Option | Description |
|---|---|
| <filepattern> | Existing file or pattern argument |
Example
ndr-sensor> del file support-bundle-0.tgz
ndr-sensor> del file support*
Delete a set management interface from the system. This only removes the interface from
the management interface list, and does not delete the network interface from the system.
| Option | Description |
|---|---|
| <management-interface> | Management interface argument. |
Example
ndr-sensor> del management-interface eth0
Management interface deleted successfully!
Delete the specified name server from the DNS configuration.
| Option | Description |
|---|---|
| <ip-address> | Name server IP v4 or v6 address argument |
Example
ndr-sensor> del name-server 192.168.110.11
Remove an existing NTP server.
| Option | Description |
|---|---|
| <hostname-or-ip-address> | A hostname or IP address |
Example
ndr-sensor> del ntp-server 172.31.32.2
Delete the specified network IPv4 or IPv6 route. Default value for the IPv6 route metric is 1024.
| Option | Description |
|---|---|
| <prefix-ipv46> | CIDR notation argument for IPv4/IPv6 address |
| <ip-route-metric> | IP route metric argument Allowed pattern: ^[0-9]+$ |
| <gateway-ipv46> | Gateway IPv4/IPv6 address argument |
| <interface-name> | Configurable network interface argument |
Example
ndr-sensor> del route prefix 10.79.224.0/20 gateway 10.78.239.254
or
ndr-sensor> del route prefix fd01:0:106:10::/64 interface eth0
or
ndr-sensor> del route prefix fd01:0:106:10::/64 gateway fd01:0:106:10::253
or
ndr-sensor> del route prefix fd01:0:106:8::/64 gateway fe80::106:8:1 metric 256
Delete the specified domain name from the DNS search list.
| Option | Description |
|---|---|
| <domain> | Search domain argument |
Example
ndr-sensor> del search-domains eng.example.com
Delete a set sniffing interface from the system. This only removes the interface from
the sniffing interface list, and does not delete the network interface from the system.
Once removed from configuration, the sniffing on the interface will stop.
| Option | Description |
|---|---|
| <sniffing-interface> | Sniffing interface argument. |
Example
ndr-sensor> del sniffing-interface eth0
Sniffing interface deleted successfully!
It may take up to a minute for deletion/unbinding to complete and
sniffing service to stop, check cmd 'get service sniffing'
Delete the IP address associated with the sniffing interface in the system.
| Option | Description |
|---|---|
| <sniffing-interface> | Sniffing interface argument. |
Example
ndr-sensor> del sniffing-interface-ip eth0
Sniffing interface ip deleted successfully!
Properties of the sniffing interface can be seen through cmd 'get sniffing-interfaces'
Delete the specified host entry from the SSH known hosts file.
| Option | Description |
|---|---|
| <hostname-or-ip-address[:port]> | A hostname or IPv4 or IPv6 address with optional port delimited by a colon |
Example
ndr-sensor> del ssh-known-host 192.168.110.105
Delete any SSH key with specified label from specified user's authorized_keys file. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
| Option | Description |
|---|---|
| <username> | Username of user |
| <key-label> | Unique label for SSH key |
| <password> | Password of user |
Example
ndr-sensor> del user admin ssh-keys label user1@domain1 password Pa$$w0rd
or
ndr-sensor> del user admin ssh-keys label user1@domain1
Password (required only for users root and admin):
Exit the CLI.
Example
ndr-sensor> exit
Display the ARP table (includes information about internal interfaces)
Example
ndr-sensor> get arp-table
Protocol Address Hardware Addr Type Interface
Internet 192.168.110.201 00:50:56:a9:8a:8c ether eth0
Internet 192.168.110.101 00:50:56:a9:45:29 ether eth0
Internet 192.168.110.1 68:ef:bd:4e:98:7f ether eth0
Internet 192.168.110.10 00:50:56:a6:e0:14 ether eth0
Get the amount of time, in seconds, that an account will remain locked
out of the CLI after exceeding the maximum number of failed
authentication attempts.
Example
ndr-sensor> get auth-policy cli lockout-period
900 seconds
Get the number of failed CLI authentication attempts that are
allowed before the account is locked. If set to 0, account
lockout is disabled.
Example
ndr-sensor> get auth-policy cli max-auth-failures
3
Get the minimum number of characters that passwords must have.
Example
ndr-sensor> get auth-policy minimum-password-length
8 characters
Show Sensor Certificate in the system.
| Option | Description |
|---|---|
| <certificate-entity> | Entity for which the certificate will be updated. Allowed values: SENSOR, SSP-INGRESS, SSP-KAFKA |
Example
ndr-sensor> get certificate SENSOR
SENSOR certificate:
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIJANRGq2lKT8scMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYWxvQWx0bzEP
MA0GA1UEChMGVm13YXJlMQ8wDQYDVQQLEwZWbXdhcmUxEDAOBgNVBAMTB2NhLWNl
.
.
6XmDb5r6DIDbBJdULzSO720YpV8lFMPlmkQnuCmuW8bioDKHOwgm
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIJAM773rzv6gBdMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYWxvQWx0bzEP
.
.
vLVQ/pcPoulJ7PHNlySiCg2PvTSAfv42oOeCQm9Jv/1ekRoNlSg3fIAlfhSPfS/p
OE59fo12HtdyTf9VHMLuwSEHb79B4iFHyLpJmTyxvQsq2D9CZjNau3I7twFBbBuN
8pVeDKPHTLKwVuieC9jH48OYZHvVZLDqaQ6ssOVlAKw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIJAM773rzv6gBdMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhQYWxvQWx0bzEP
MA0GA1UEChMGVm13YXJlMQ8wDQYDVQQLEwZWbXdhcmUxEDAOBgNVBAMTB2NhLWNl
cnQwHhcNMjQwMzA4MDYxNDA4WhcNMzQwMzA2MDYxNDA4WjBpMQswCQYDVQQGEwJV
.
.
dJpRRw9g3k011v6QrF3Tr8z5hd6su3zUArNpKo80gbNL05obcioO3eP+DcRTaYHr
3I7mHzjBWJ7dHG5sFdVRHszAJiGBS+5TgcC+cvjwzPhBgWXMKy4G02zmk2Dy6sok
vLVQ/pcPoulJ7PHNlySiCg2PvTSAfv42oOeCQm9Jv/1ekRoNlSg3fIAlfhSPfS/p
OE59fo12HtdyTf9VHMLuwSEHb79B4iFHyLpJmTyxvQsq2D9CZjNau3I7twFBbBuN
8pVeDKPHTLKwVuieC9jH48OYZHvVZLDqaQ6ssOVlAKw=
-----END CERTIFICATE-----
Show status to display datetime stamp in command output.
Example
ndr-sensor> get cli-output datetime
Output datetime is: enabled
Show inactivity timeout in seconds.
Example
ndr-sensor> get cli-timeout
1200 seconds
Display the current date and time.
Example
ndr-sensor> get clock
Wed Sep 17 2025 UTC 09:57:07.472
Timezone: UTC (UTC, +0000)
NTP Sync Status: yes
Display the commands history in command output.
To show all command history set size to 0.
To show all command history set size to 0.
Example
ndr-sensor> get command history
1 Fri Sep 12 2025 UTC 06:50:29.764 get version
2 Fri Sep 12 2025 UTC 06:51:56.032 help
3 Fri Sep 12 2025 UTC 08:38:43.930 get sensor details
4 Fri Sep 12 2025 UTC 08:38:47.702 set ssh root-login
Get core dump generation and rotation configurations
Example
ndr-sensor> get core-dump config
Core dump files global limit: 2
Core dump files global frequency threshold: 600
Display information about the core dump files in the system.
Example
ndr-sensor> get core-dumps
Directory: /var/log/core
24950960 Jun 10 2025 12:24:27 UTC core.sample.1559278043.gz
Display the system CPU information.
Example
ndr-sensor> get cpu-stats
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E5-2440 v2 @ 1.90GHz
stepping : 4
microcode : 0x427
cpu MHz : 1900.000
cache size : 20480 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm ida arat pln pts dtherm fsgsbase tsc_adjust smep
bogomips : 3800.00
clflush size : 64
cache_alignment : 64
address sizes : 42 bits physical, 48 bits virtual
power management:
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E5-2440 v2 @ 1.90GHz
stepping : 4
microcode : 0x427
cpu MHz : 1900.000
cache size : 20480 KB
physical id : 2
siblings : 1
core id : 0
cpu cores : 1
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm ida arat pln pts dtherm fsgsbase tsc_adjust smep
bogomips : 3800.00
clflush size : 64
cache_alignment : 64
address sizes : 42 bits physical, 48 bits virtual
power management:
List all the docker containers in the system (equivalent of 'docker ps -a').
Example
ndr-sensor> get docker-containers
ID NAME TAG STATUS
ee220287f0 sensor-service sensor-client-service:ob-29041701 running
4bbf2ba848 sensor-uploading-sensor-uploading-internal-queues-1 sensor-uploading-daemon:86.56.jammy running
302c9a0312 sensor-uploading-sensor-uploading-flow-1 sensor-uploading-daemon:86.56.jammy running
0703c78dda sensor-health-sensor-health-daemon-1 sensor-health-daemon:44.40.jammy running
2cb55ad92d rabbitmq rabbitmq:3.12.12 running
List docker images in the system (equivalent of 'docker images').
Example
ndr-sensor> get docker-images
ID TAGS
sha256:33ec367ee2 timon-update:138.42.jammy
sha256:2da07965d5 timon:138.42.jammy
sha256:de1786cc49 sensor-uploading-daemon:86.56.jammy
sha256:57144f327a suricata-eve-daemon:348.51.jammy
sha256:cd01cd7f3f sensor-health-daemon:44.40.jammy
sha256:5b40cd14d6 analyst-sdk-reverse-proxy:476.29.jammy
sha256:7cfbecf423 analyst-sdk-nginx:476.29.jammy
sha256:4cb0304370 analyst-sdk:476.29.jammy
sha256:25589494ae avbd-scan:52.4.jammy
sha256:5a782776ef ullar:73.8.jammy
sha256:4d036a3d24 java-common:ob-24275237
sha256:393f6753e9 rabbitmq:3.12.12
sha256:e89b92b1e7 memcached:1.6.23
sha256:617af6598b sensor-client-service:sb-89041701
Display information about the specified file in the filestore.
| Option | Description |
|---|---|
| <filename> | Existing file argument |
Example
ndr-sensor> get file support-bundle-0.tgz
Directory of filestore:/
-rw- 24932275 Feb 05 2016 05:58:46 UTC support-bundle-0.tgz
Display the file thumbprint.
| Option | Description |
|---|---|
| <filename> | Existing file argument |
Example
ndr-sensor> get file support-bundle-0.tgz thumbprint
SHA1SUM: d0fc5c741bdc0be8eacce3e8f581b74c32bc4d62
SHA256SUM: 13cfaccbfc44193eaee3a729b6c4a810b276df6d8086fc82ed1720d23906473d
Display information about the files in the filestore.
Example
ndr-sensor> get files
Directory of filestore:/
-rw- 24950960 Feb 05 2016 05:59:23 UTC support-bundle-1.tgz
-rw- 24932275 Feb 05 2016 05:58:46 UTC support-bundle-0.tgz
Display the file system information.
Example
ndr-sensor> get filesystem-stats
ndr-sensor-589b7182> get filesystem-stats
Filesystem Size Used Avail Use% Mounted on
tmpfs 2.0G 1.4M 2.0G 1% /run
/dev/sda4 33G 9.0G 22G 30% /
tmpfs 9.7G 4.0K 9.7G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/mapper/sensor-config 14G 56K 14G 1% /config
/dev/mapper/sensor-data 66G 53M 62G 1% /data
/dev/mapper/sensor-image 19G 40K 18G 1% /image
/dev/mapper/sensor-config__bak 14G 24K 14G 1% /config_bak
/dev/mapper/sensor-tmp 3.7G 56K 3.5G 1% /tmp
/dev/mapper/sensor-var+dump 19G 24K 18G 1% /var/dump
/dev/mapper/sensor-var+log 42G 172M 40G 1% /var/log
/dev/sda3 943M 7.2M 871M 1% /boot
/dev/sda5 33G 24K 31G 1% /os_bak
/dev/sda2 499M 4.0K 499M 1% /boot/efi
Display GRUB menu timeout.
Example
ndr-sensor> get grub menu timeout
GRUB Menu Timeout = 4
List all the home networks in the system.
Example
ndr-sensor> get home-networks
There are 3 home networks configured
HOME-NETWORK(CIDR)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Display the system hostname.
Example
ndr-sensor> get hostname
ndr-sensor
Display information about the specified network interface.
| Option | Description |
|---|---|
| <interface-name> | Network interface argument |
Example
ndr-sensor> get interface eth0
Interface: eth0
IPv4 Address:
Address: 10.196.198.191/22
MAC address: 00:50:56:88:9f:a8
MTU: 1500
Default gateway: 10.196.199.253
Broadcast address: 10.196.199.255
IPv6 Address:
- Address: fe80::250:56ff:fe88:9fa8/64
Link status: up
Admin status: up
RX packets: 413875
RX bytes: 25087126
RX errors: 0
RX dropped: 0
TX packets: 10014
TX bytes: 3264741
TX errors: 0
TX dropped: 0
TX collisions: 0
PCI Address: 0000:03:00.0
Display information about all network interfaces.
Example
ndr-sensor> get interfaces
Interface: eth0
IPv4 Address:
Address: 10.80.19.26/23
MAC address: 00:50:56:a4:43:cd
MTU: 1500
Default gateway: 10.80.18.1
Broadcast address: 10.80.19.255
Link status: up
Admin status: up
RX packets: 1085470
RX bytes: 65896628
RX errors: 0
RX dropped: 0
TX packets: 12419
TX bytes: 7391709
TX errors: 0
TX dropped: 0
TX collisions: 0
PCI Address: 0000:03:00.0
Interface: eth1
IPv4 Address:
Address: 10.80.19.110/23
MAC address: 00:50:56:a4:49:8d
MTU: 1500
Broadcast address: 10.80.19.255
Link status: up
Admin status: up
RX packets: 1068902
RX bytes: 64552311
RX errors: 0
RX dropped: 0
TX packets: 2
TX bytes: 684
TX errors: 0
TX dropped: 0
TX collisions: 0
PCI Address: 0000:0b:00.0
Display the contents of the specified log file.
| Option | Description |
|---|---|
| <filename> | Log file name |
Example
ndr-sensor> get log-file sensor-client-service.log
<30>1 2025-08-21T17:56:56.560Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.001Z WARN main WebSecurity 8 You are asking Spring Security to ignore Ant [pattern='/ws/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
<30>1 2025-08-21T17:56:56.561Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.002Z INFO main DefaultSecurityFilterChain 8 Will not secure Ant [pattern='/ws/**']
<30>1 2025-08-21T17:56:56.806Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.076Z INFO main DefaultSecurityFilterChain 8 Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@3cb8c8ce, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1fde0371, org.springframework.security.web.context.SecurityContextPersistenceFilter@7c8f9c2e, org.springframework.security.web.header.HeaderWriterFilter@8f2098e, org.springframework.security.web.authentication.logout.LogoutFilter@7187bac9, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3cbf1ba4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7c1e32c9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@70c0a3d5, org.springframework.security.web.session.SessionManagementFilter@6631cb64, org.springframework.security.web.access.ExceptionTranslationFilter@7fd8c559, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@66213a0d]
<30>1 2025-08-21T17:56:56.800Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.726Z INFO main EndpointLinksResolver 8 Exposing 1 endpoint(s) beneath base path '/actuator'
<30>1 2025-08-21T17:56:56.006Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.759Z INFO main Http11NioProtocol 8 Starting ProtocolHandler ["http-nio-8080"]
<30>1 2025-08-21T17:56:56.886Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.790Z INFO main TomcatWebServer 8 Tomcat started on port(s): 8080 (http) with context path ''
<30>1 2025-08-21T17:56:56.450Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.808Z INFO main SensorClientServiceApplication 8 Started SensorClientServiceApplication in 6.572 seconds (JVM running for 8.685).
.
.
Display the last 10 lines of the specified log file and all new messages that are written to the log file.
| Option | Description |
|---|---|
| <filename> | Log file name |
Example
ndr-sensor> get log-file sensor-client-service.log follow
<30>1 2025-08-21T17:56:56.560Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.001Z WARN main WebSecurity 8 You are asking Spring Security to ignore Ant [pattern='/ws/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
<30>1 2025-08-21T17:56:56.561Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.002Z INFO main DefaultSecurityFilterChain 8 Will not secure Ant [pattern='/ws/**']
<30>1 2025-08-21T17:56:56.806Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.076Z INFO main DefaultSecurityFilterChain 8 Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@3cb8c8ce, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1fde0371, org.springframework.security.web.context.SecurityContextPersistenceFilter@7c8f9c2e, org.springframework.security.web.header.HeaderWriterFilter@8f2098e, org.springframework.security.web.authentication.logout.LogoutFilter@7187bac9, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3cbf1ba4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7c1e32c9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@70c0a3d5, org.springframework.security.web.session.SessionManagementFilter@6631cb64, org.springframework.security.web.access.ExceptionTranslationFilter@7fd8c559, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@66213a0d]
<30>1 2025-08-21T17:56:56.800Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.726Z INFO main EndpointLinksResolver 8 Exposing 1 endpoint(s) beneath base path '/actuator'
<30>1 2025-08-21T17:56:56.006Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.759Z INFO main Http11NioProtocol 8 Starting ProtocolHandler ["http-nio-8080"]
<30>1 2025-08-21T17:56:56.886Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.790Z INFO main TomcatWebServer 8 Tomcat started on port(s): 8080 (http) with context path ''
<30>1 2025-08-21T17:56:56.450Z ndr-sensor-589b7182 NSX 1642 Sensor 2025-08-21T17:56:56.808Z INFO main SensorClientServiceApplication 8 Started SensorClientServiceApplication in 6.572 seconds (JVM running for 8.685).
.
.
List all the network management interfaces in the system.
Example
ndr-sensor> get management-interfaces
1 management interfaces are configured:
IF NAME PCI ADDRESS MAC ADDRESS
eth0 0000:03:00.0 00:50:56:ac:89:84
Display the system memory information.
Example
ndr-sensor> get memory-stats
MemTotal: 20330776 kB
MemFree: 12973784 kB
MemAvailable: 14517480 kB
Buffers: 792880 kB
Cached: 946712 kB
SwapCached: 0 kB
Active: 1628540 kB
Inactive: 1097804 kB
Active(anon): 1024064 kB
Inactive(anon): 0 kB
Active(file): 604476 kB
Inactive(file): 1097804 kB
Unevictable: 27580 kB
Mlocked: 27580 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Zswap: 0 kB
Zswapped: 0 kB
Dirty: 356 kB
Writeback: 0 kB
AnonPages: 1014336 kB
Mapped: 299136 kB
Shmem: 28560 kB
KReclaimable: 120180 kB
Slab: 554796 kB
SReclaimable: 120180 kB
SUnreclaim: 434616 kB
KernelStack: 8096 kB
PageTables: 8296 kB
SecPageTables: 0 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 8217740 kB
Committed_AS: 2469492 kB
VmallocTotal: 34359738368 kB
VmallocUsed: 22348 kB
VmallocChunk: 0 kB
Percpu: 26928 kB
HardwareCorrupted: 0 kB
AnonHugePages: 0 kB
ShmemHugePages: 0 kB
ShmemPmdMapped: 0 kB
FileHugePages: 0 kB
FilePmdMapped: 0 kB
Unaccepted: 0 kB
HugePages_Total: 1902
HugePages_Free: 1902
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
Hugetlb: 3895296 kB
DirectMap4k: 6016 kB
DirectMap2M: 4188160 kB
DirectMap1G: 18874368 kB
Get all name servers in the DNS configuration.
Example
ndr-sensor> get name-servers
192.168.110.10
192.168.110.11
Display the system network statistics for non-sniffing interfaces.
Example
ndr-sensor> get network-stats
Ip:
Total packets received: 165414209
Forwarded: 0
Incoming packets discarded: 0
Incoming packets delivered: 165187515
Requests sent out: 165175926
Icmp:
ICMP messages received: 157
ICMP messages failed: 5
ICMP input histogram:
Destination unreachable: 152
ICMP messages sent: 151
ICMP messages failed: 0
ICMP output histogram:
Destination unreachable: 151
IcmpMsg:
InType3: 152
InType8: 5
OutType3: 151
Tcp:
Active connections openings: 277703
Passive connection openings: 274411
Failed connection attempts: 3339
Connection reset attempts: 4921
Connections established: 160
Segments received: 164687995
Segments sent out: 164695227
Segments retransmitted: 28845
Bad segments received: 0
Resets sent: 22503
Udp:
Packets received: 499183
Packets to unknown port received: 151
Packet receive errors: 1
Packets sent: 454814
RcvbufErrors: 0
SndbufErrors: 0
UdpLite:
InDatagrams: 0
NoPorts: 0
InErrors: 0
OutDatagrams: 0
RcvbufErrors: 0
SndbufErrors: 0
Display the status of the NTP system. The delay, offset and dispersion values are in seconds.
Example
ndr-sensor> get ntp-server associations
Mon Jul 28 2025 UTC 10:13:31.211
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
192.168.0.1 17 8 1101 -0.006 3.898 -207ns 1254us
Display all NTP servers.
Example
ndr-sensor> get ntp-servers
0.ubuntu.pool.ntp.org
1.ubuntu.pool.ntp.org
2.ubuntu.pool.ntp.org
3.ubuntu.pool.ntp.org
ntp.ubuntu.com
Get configured password complexity requirements.
Example
ndr-sensor> get password-complexity
- minimum 12 characters in length
- maximum 128 characters in length
- minimum 1 lowercase characters
- minimum 1 uppercase characters
- minimum 1 numeric characters
- minimum 1 special characters
- default password complexity rules as enforced by the Linux PAM module
Display a snapshot of the system processes.
Example
ndr-sensor> get processes
top - 01:12:28 up 3 days, 1:51, 1 user, load average: 0.06, 0.05, 0.07
Tasks: 133 total, 1 running, 132 sleeping, 0 stopped, 0 zombie
%Cpu(s): 4.2 us, 0.9 sy, 0.0 ni, 94.7 id, 0.2 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 16430712 total, 2604180 used, 13826532 free, 324432 buffers
KiB Swap: 3997692 total, 0 used, 3997692 free. 460404 cached Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 33216 2564 1460 S 0.0 0.0 2:51.13 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:02.21 ksoftirqd/0
4 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
7 root 20 0 0 0 0 S 0.0 0.0 1:23.74 rcu_preempt
8 root 20 0 0 0 0 S 0.0 0.0 0:39.39 rcuop/0
.
.
.
Display information about processes that are running. The display is updated every few seconds.
Example
ndr-sensor> get processes monitor
top - 10:05:29 up 16:09, 0 user, load average: 0.06, 0.21, 0.22
Tasks: 285 total, 1 running, 284 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.1 us, 0.2 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
MiB Mem : 19854.3 total, 13139.3 free, 5627.8 used, 1388.9 buff/cache
MiB Swap: 0.0 total, 0.0 free, 0.0 used. 14226.5 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1583 root 20 0 2022648 56892 34688 S 1.0 0.3 14:22.19 containerd
2784 mpa 20 0 3709956 134360 64256 S 0.7 0.7 7:36.00 beam.smp
4046 sensor-+ 20 0 217504 40664 6912 S 0.7 0.2 2:44.03 internal_queues
.
.
.
Display specific IPv4 or IPv6 routes for the prefix.
| Option | Description |
|---|---|
| <prefix-ipv46> | CIDR notation argument for IPv4/IPv6 address |
Example
ndr-sensor> get route prefix 192.168.110.0/24
192.168.110.0/24 interface eth0
or
ndr-sensor> get route prefix fd01:0:106:10::/64
fd01:0:106:8::/64 interface eth0 metric 256
fd01:0:106:8::/64 gateway fe80::106:8:1 interface eth0 metric 512
Display all configured IPv4 and IPv6 routes.
Example
ndr-sensor> get routes
0.0.0.0/0 gateway 10.78.239.254 interface eth0
10.78.224.0/20 interface eth0
fd01:0:106:8::/64 interface eth0 metric 256
fd01:0:106:8::/64 gateway fe80::106:8:1 interface eth0 metric 512
fe80::/64 interface eth0 metric 256
::/0 gateway fe80::106:8:1 interface eth0 metric 1024
Display all configured IPv4 or IPv6 routes.
| Option | Description |
|---|---|
| <ip-address-type> | IP address type argument Allowed values: ipv4, ipv6 |
Example
ndr-sensor> get routes ipv4
0.0.0.0/0 gateway 10.78.239.254 interface eth0
10.78.224.0/20 interface eth0
or
ndr-sensor> get routes ipv6
fd01:0:106:8::/64 interface eth0 metric 256
fd01:0:106:8::/64 gateway fe80::106:8:1 interface eth0 metric 512
fe80::/64 interface eth0 metric 256
::/0 gateway fe80::106:8:1 interface eth0 metric 1024
Get all domain names in the DNS search list.
Example
ndr-sensor> get search-domains
eng.example.com
corp.example.com
example.com
List all details specific to the sensor.
Example
ndr-sensor> get sensor details
Sensor is currently in : REGISTRATION_SUCCEEDED state
Sensor properties:
Version: 5.1.0.0.0.24953345
Registered sensor name: Sensor-test
Sensor UUID: d0b09372-6a30-4791-abfa-a6cde70ccc53
Registered with SSP Ingress FQDN: ssp-api.example.com
Error code: 0
Error message: None
Display information about the specified service.
| Option | Description |
|---|---|
| <service-name> | Node service argument |
Example
ndr-sensor-d0b09372> get service sniffing
Service name: sniffing
Service state: running
Get the log level of the Rapid service. This service is responsible for analyzing files for malware threats
Example
ndr-sensor> get service rapid logging-level
Service: rapid
Component: rapid
Logging level: debug
Get the log level of the sensor-container-orchestration service. This service is the central logic that manages the lifecycle of all the other containerized application services, making sure the sensor is always running the right components based on its current configuration and status.
Example
ndr-sensor> get service sensor-container-orchestration logging-level
Service: sensor-container-orchestration
Logging level: debug
Get the log level of the sensor-health service. This service detects the health of each of the core services.
Example
ndr-sensor> get service sensor-health logging-level
Service: sensor-health
Component: sensor-health-daemon
Logging level: debug
Get the log level of the sensor-service service. Sensor client service is responsible for communicating with Security Services Platform (SSP) and managing configuration of the sensor.
Example
ndr-sensor> get service sensor-service logging-level
Service: sensor-service
Component: sensor-service
Logging level: debug
Get the logging level of a component within sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
| Option | Description |
|---|---|
| <component> | Sensor uploading service logging component argument. |
Example
ndr-sensor> get service sensor-uploading component sensor-uploading-alert logging-level
Service: sensor-uploading
Component: sensor-uploading-alert
Logging level: debug
Get the log level of the sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
Example
ndr-sensor> get service sensor-uploading logging-level
Service: sensor-uploading
Component: sensor-uploading-alert
Logging level: info
Component: sensor-uploading-antimalware
Logging level: info
Component: sensor-uploading-flow
Logging level: info
Component: sensor-uploading-internal-queues
Logging level: info
Component: sensor-uploading-json-dump
Logging level: info
Component: sensor-uploading-pcap
Logging level: info
Component: sensor-uploading-upload-kafka
Logging level: info
Get the log level of the sniffing service. Sniffing service is responsible for capturing network traffic.
Example
ndr-sensor> get service sniffing logging-level
Service: sniffing
Component: timon-daemon
Logging level: info
Component: timon-update
Logging level: info
Component: suricata-eve-stats
Logging level: info
Component: suricata-eve-alert
Logging level: info
Component: suricata-eve-flow
Logging level: info
Component: suricata-eve-pcap
Logging level: info
Get the logging level of a component within sniffing service. Sniffing service is responsible for capturing network traffic.
| Option | Description |
|---|---|
| <component> | sniffing service logging component argument. |
Example
ndr-sensor> get service sniffing component timon-daemon logging-level
Service: sniffing
Component: timon-daemon
Logging level: debug
Display information about all services.
Example
ndr-sensor> get services
Service name: cert-gen
Service state: running
Service name: chrony
Service state: running
Service name: docker
Service state: running
Service name: node-mgmt
Service state: running
Service name: rabbitmq
Service state: running
Service name: rapid
Service state: running
Service name: sensor-container-orchestration
Service state: running
Service name: sensor-health
Service state: running
Service name: sensor-service
Service state: running
Service name: sensor-uploading
Service state: running
Service name: sniffing
Service state: running
Service name: ssh
Service state: running
Start on boot: True
Root login: enabled
Service name: syslog
Service state: running
List all the network sniffing interfaces in the system.
Example
ndr-sensor> get sniffing-interfaces
Available modes for sniffing as per appliance configuration are
1 - COMPAT
2 - NATIVE (Default mode)
1 sniffing interfaces are configured:
IF NAME PCI ADDRESS MAC ADDRESS MTU MODE-STATUS IP-ADDRESS
eth1 0000:0b:00.0 00:0c:29:88:9d:65 1500 NATIVE-MODE-CONFIG-SUCCEEDED 10.80.18.201
Display active network connections.
Example
ndr-sensor> get sockets
Proto Remote Port Local Port In Out
tcp --listen-- 127.0.0.1 7440 0 0
tcp --listen-- 127.0.0.1 9200 0 0
tcp --listen-- 127.0.0.1 7441 0 0
tcp --listen-- --any-- 4369 0 0
tcp --listen-- 192.168.110.42 65012 0 0
tcp --listen-- 127.0.0.1 9300 0 0
tcp --listen-- 127.0.0.1 53 0 0
tcp --listen-- --any-- 22 0 0
tcp --listen-- --any-- 15671 0 0
tcp --listen-- --any-- 7000 0 0
tcp --listen-- --any-- 443 0 0
tcp --listen-- 127.0.0.1 2812 0 0
tcp --listen-- 192.168.110.42 7070 0 0
tcp --listen-- 192.168.110.42 7071 0 0
tcp --listen-- 127.0.0.1 32000 0 0
tcp --listen-- --any-- 8001 0 0
tcp --listen-- 127.0.0.1 32001 0 0
.
.
.
Display the contents of the tech support bundle. Specify the
file argument to save the bundle to a file with the specified file name in the file store. This support bundle does not contain core or audit log files. To include those files, specify the all argument. Core files contain system information and all information stored in memory at the time of the dump (this may include confidential, sensitive or personal information such as passwords and encryption keys, if they are being processed in memory at that time). If you choose to send the support bundle to VMware, it will be processed in accordance with VMware's standard processes and policies, to provide you with support, fix problems and improve the product and services.
| Option | Description |
|---|---|
| <filename> | Name of file to generate, for example support-bundle.tgz Allowed pattern: ^[^/ *;&|]+$ |
Example
ndr-sensor> get support-bundle
--------------------------------------------------------------------------------
/usr/sbin/arp -n
--------------------------------------------------------------------------------
Address HWtype HWaddress Flags Mask Iface
172.18.0.5 ether 02:42:ac:12:00:05 C br-0475930e3e1b
10.80.18.1 ether 00:00:00:11:11:11 C eth0
--------------------------------------------------------------------------------
/bin/df -lT -x securityfs
--------------------------------------------------------------------------------
Filesystem Type 1K-blocks Used Available Use% Mounted on
tmpfs tmpfs 2033080 1372 2031708 1% /run
/dev/sda4 ext4 34138800 9428236 22944164 30% /
tmpfs tmpfs 10165388 4 10165384 1% /dev/shm
tmpfs tmpfs 5120 0 5120 0% /run/lock
/dev/mapper/sensor-config ext4 14657416 56 13891000 1% /config
/dev/mapper/sensor-data ext4 68318528 55888 64746432 1% /data
/dev/mapper/sensor-image ext4 19506412 40 18490156 1% /image
/dev/mapper/sensor-config__bak ext4 14657416 24 13891032 1% /config_bak
/dev/mapper/sensor-tmp ext4 3853768 56 3637444 1% /tmp
/dev/mapper/sensor-var+dump ext4 19506412 24 18490172 1% /var/dump
/dev/mapper/sensor-var+log ext4 43533328 175384 41121040 1% /var/log
/dev/sda3 ext4 964900 7300 891248 1% /boot
/dev/sda5 ext4 34138800 24 32372376 1% /os_bak
/dev/sda2 vfat 510952 4 510948 1% /boot/efi .
.
.
ndr-sensor> get support-bundle file support-bundle.tgz
support-bundle.tgz created, use the following command to transfer the file:
copy file support-bundle.tgz url
After transferring support-bundle.tgz, extract it using: tar xzf support-bundle.tgz
ndr-sensor> get support-bundle file support-bundle-all.tgz all
support-bundle-all.tgz created, use the following command to transfer the file:
copy file support-bundle-all.tgz url
After transferring support-bundle-all.tgz, extract it using: tar xzf support-bundle-all.tgz
Display the status of the upgrade steps run on the node and details of last upgrade step.
Example
ndr-sensor> get upgrade progress-status
Upgrade info:
From-version: 5.1.0.0.0.62664213
To-version: 5.2.0.0.0.62665246
Upgrade steps:
shutdown_sensor_services [2025-06-22 14:01:23.323716 - 2025-06-22 14:01:23.323716] SUCCESS:
install_os [2025-06-22 14:01:23.323716 - 2025-06-22 14:10:23.323716] SUCCESS:
switch_os [2025-06-22 14:10:23.323716 - 2025-06-22 14:20:23.323716] SUCCESS:
startup_sensor_services [2025-06-22 14:25:23.323716 - 2025-06-22 14:27:23.323716] SUCCESS:
finish_upgrade [2025-06-22 14:27:23.323716 - 2025-06-22 14:30:23.323716] SUCCESS:
Display the contents of the specified playbook for the specified upgrade bundle.
| Option | Description |
|---|---|
| <bundle-name> | Name of NDR Sensor upgrade bundle in the file store |
| <playbook-file> | Name of Playbook file to use |
Example
ndr-sensor> get upgrade-bundle VMware-ndr-sensor-appliance-5.2.0.0.0.62665246 playbook VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook
steps:
- name: shutdown_sensor_services
- name: install_os
- name: switch_os
- name: startup_sensor_services
- name: finish_upgrade
Display all playbooks in the file store.
Example
ndr-sensor> get upgrade-bundle playbooks
playbook
VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook
Display the system uptime information.
Example
ndr-sensor> get uptime
16:34:39 up 15 days, 16:16, 1 user, load average: 0.55, 0.25, 0.26
Get number of days the user's password is valid after a password change and number of days before user receives password expiration warning message.
| Option | Description |
|---|---|
| <username> | Username of user |
Example
ndr-sensor> get user audit password-expiration
Password expires 90 days after last change
Current password will expire in 80 days
User will receive warning messages 10 days before password expires.
Get user status for specified non-root user.
| Option | Description |
|---|---|
| <username> | Username of user |
Example
ndr-sensor> get user audit status
Full name:
Username: audit
Status: ACTIVE
Get SSH keys from authorized_keys file for specified user.
| Option | Description |
|---|---|
| <username> | Username of user |
Example
ndr-sensor> get user admin ssh-keys
label: user1@domain1
type: ssh-rsa
value:
AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZePxtjtZOENFpOjufycaYso2nTlzNwnAQEQRfbqsUxKVtOtGxgApIkUvjRIjNBdJE6iOzvBXZhhJrM0GUDJragw7SMVIs/5xJBGAyHKJ1YUMGO7+nJTmsCLx6PFOlQYveuriiVVCCZerGCLH+UtSXK3z+l7hx9NiDg3/ylOLc3f3SLxrJKn0gMTgK7BHJFXo4PguuPjWZLVdUDX+XKiqtT2n4IsYs6N9qVFG3zUgNlEjZM47NK/ytAC0max98pK+QNzsuaQOo/IShJ1TOw5wwScflPArVJ2AyROqAe7cfQg7q12I9olASFd3U5NazfZCTYAvWA1kz9UZEWLJ1Br1XOkPqOleMM8KCp/PXzz8H0kISkMIji0/QuiZOPEBsKlszXjlALcXR8Mg1uiZVWy48i9JheyXyj1ToCj6cPScpgFHp3DAGSlKKbE1EFaVfeeyGAnHESuXC9wkSeFZCEyMJ+RgJxMkBXNZmyycbwsSqAeGJpMEUDlwzu2GD0obBz0HXqg9J1Xallop5AVDKfeszZcc=
label: user2@domain2
type: ssh-rsa
value:
AAAAB3NzaC1yc2EAAAABIwAAAIEA0KJDLOiiXj9XdMxiCT9KvaKfuxFQi+CIiklaN5hHsNgYOu7TijqyONEu5fONLoAo/cshLa+KuargyTrtizwcP4TPcTXZhhJrM0GUDJragw7SMVIs/5xJBGAyHKJ1YUMGO7+nJTmsCLx6PFOlQYveuriiVVCCZerGCLH+UtSXK3z+l7hx9NiDg3/ylOLc3f3SLxrJKn0gMTgK7BHJFXo4PguuPjWZLVdUDX+XKiqtT2n4IsYs6N9qVFG3zUgNlEjZM47NK/ytAC0max98pK+QNzsuaQOo/IShJ1TOw5wwScflPArVJ2AyROqAe7cfQg7q12I9olASFd3U5NazfZCTYAvWA1kz9UZEWLJ1Br1XOkPqOleMM8KCp/PXzz8H0kISkMIji0/QuiZOPEBsKlszXjlALcXR8Mg1uiZVWy48i9JheyXyj1ToCj6cPScpgFHp3DAGSlKKbE1EFaVfeeyGAnHESlnDDg3Gq5xSsB9Okqm3V5t8GpFaJbV68BxQ4BK6HJ21A3CinV4LdV3hR/OBUbDG2EcI+ZKRDjlpJuu4YU=
Display the version of the NDR Sensor appliance.
Example
ndr-sensor> get version
NDR Sensor, Version 5.1.0.0.0.24953345
Technical Support: https://support.broadcom.com/
Copyright © 2025 Broadcom. All rights reserved. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries. All trademarks, trade names,
service marks, and logos referenced herein belong to their respective companies.
Display help information. See the example below.
Example
ndr-sensor> help
NDR Sensor CLI help is available via a variety of different ways:
1. From the command prompt, enter: help
This full help message is shown.
2. Tab completion
Tab completion is always available to either complete a valid
command word or complete a valid argument. If completion cannot
be performed, a message is shown to indicate the reason.
For example: ge<tab>
3. Pressing ?
At any time, pressing ? shows possible options for the command
entered. If no options are available, a helpful message is
shown to indicate the reason.
For example: get ?
4. From the command prompt, enter: list
View all supported commands and command parameters.
This command lists all available commands.
Get DNS lookup information.
| Option | Description |
|---|---|
| <hostname-or-ip-address> | A hostname or IP address |
Example
ndr-sensor> nslookup ssp-api.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: ssp-api.example.com
Address: 192.168.110.202
Ping a host or IP address. Use Control-C to stop the command. Optionally use the
repeat argument to specify how many packets to transmit.| Option | Description |
|---|---|
| <hostname-or-ip-address> | A hostname or IP address |
| <number> | Number argument Allowed pattern: ^[0-9]+$ |
Example
ndr-sensor> ping 10.192.43.71
PING 10.192.43.71 (10.192.43.71) 56(84) bytes of data.
64 bytes from 10.192.43.71: icmp_seq=1 ttl=58 time=1.66 ms
64 bytes from 10.192.43.71: icmp_seq=2 ttl=58 time=0.961 ms
64 bytes from 10.192.43.71: icmp_seq=3 ttl=58 time=0.962 ms
64 bytes from 10.192.43.71: icmp_seq=4 ttl=58 time=0.883 ms
64 bytes from 10.192.43.71: icmp_seq=5 ttl=58 time=1.15 ms
^C
--- 10.192.43.71 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.883/1.125/1.665/0.285 ms
Reboot the system. If you specify the
force argument, the system will reboot immediately without prompting for confirmation.Example
ndr-sensor> reboot
Are you sure you want to reboot (yes/no): yes
Broadcast message from root@ndr-sensor
(unknown) at 1:21 ...
The system is going down for reboot NOW!
Register sensor with Security Services Platform (SSP).
| Option | Description |
|---|---|
| <registration-manifest> | Registration token created from Security Services Platform (SSP) |
| <sensor-name-string-arg> | Sensor name (maximum 64 chars consisting of uppercase letters (A-Z),
lowercase letters (a-z), numbers (0-9), and special characters _:.-
Allowed pattern: ^([A-Za-z0-9_:.-]{1,64})$ |
Example
ndr-sensor> register sensor registration-manifest 5OVrrck+cm7/HuGqI790GZQe8DqDzk sensor-name Sensor-1
Sensor was registered successfully! Check CLI 'get sensor details' for more details.
Register sensor with SSP portal
Example
ndr-sensor> reset registration
Data on this sensor will be cleaned up. Please note that this process will NOT offboard the sensor from SSP. Are you sure you want to continue? (yes/no): yes
Sensor registration was reset! Check CLI 'get sensor details' for more detail
Restart the specified service.
| Option | Description |
|---|---|
| <service-name> | Node restartable service argument |
Example
ndr-sensor> restart service sniffing
Resume an upgrade after running the command
start upgrade-bundle <bundle-name> playbook <playbook-file> and the system was rebooted.| Option | Description |
|---|---|
| <bundle-name> | Name of NDR Sensor upgrade bundle in the file store |
Example
ndr-sensor> resume upgrade-bundle VMware-ndr-sensor-appliance-5.2.0.0.0.62665246 playbook
2025-02-05 14:27:38,737 - Resuming paused playbook /var/vmware/nsx/file-store/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook.yml
2025-02-05 14:27:38,737 - Validating playbook /var/vmware/nsx/file-store/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook.yml
2025-02-05 14:27:38,776 - Running "startup_sensor_services" (step 5 of 6)
2025-02-05 14:27:43,809 - Running "finish_upgrade" (step 6 of 6)
2025-02-05 14:27:43,846 - Playbook finished successfully
{
"state": 1,
"state_text": "CMD_SUCCESS",
"info": "",
"body": null
}
Sets the amount of time, in seconds, that an account will remain locked
out of the CLI after exceeding the maximum number of failed
authentication attempts. While the lockout period is in effect, additional
authentication attempts restart the lockout period, even if a valid
password is specified.
| Option | Description |
|---|---|
| <lockout-period> | Lockout period in seconds |
Example
ndr-sensor> set auth-policy cli lockout-period 900
Set the number of failed CLI authentication attempts that are
allowed before the account is locked. If set to 0, account
lockout is disabled.
| Option | Description |
|---|---|
| <auth-failures> | Number of authentication failures to trigger lockout |
Example
ndr-sensor> set auth-policy cli max-auth-failures 5
Set the minimum number of characters that passwords must have. The
smallest value that can be set is 8.
| Option | Description |
|---|---|
| <password-length> | Password length argument |
Example
ndr-sensor> set auth-policy minimum-password-length 12
Set the security banner or message of the day.
Example
ndr-sensor> set banner
Enter TEXT message. End with 'Ctrl-D'
Authorized access only
Update certificate for the given entity.
| Option | Description |
|---|---|
| <certificate-entity> | Entity for which the certificate will be updated. Allowed values: SSP-INGRESS, SSP-KAFKA |
| <x509-encoded-certificate-text> | X509 Encoded certificate argument Allowed pattern: ^(-{5}BEGIN CERTIFICATE-{5}(.+?)-{5}END CERTIFICATE-{5})+$ |
Example
ndr-sensor> set certificate SSP-Ingress "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
Certificate was updated successfully!
Set status to display datetime stamp in command output.
| Option | Description |
|---|---|
| <datetime-arg> | DateTime stamp status argument Allowed values: disable, enable |
Example
ndr-sensor> set cli-output datetime disable
Set inactivity timeout in seconds. To disable the timeout, specify 0.
| Option | Description |
|---|---|
| <timeout> | Number of seconds before timeout or 0 to disable timeout |
Example
ndr-sensor> set cli-timeout 0
Global limit for count to preserve latest core dump files generated for all processes or applications.
By default latest 2 core dump files will be preserved.
To disable this config, set value to 0.
Note, disabling config may consume higher disk space and can cause disk space exhaustion.
| Option | Description |
|---|---|
| <core-dump-limit> | Core dump numeric argument (0-4) |
Example
ndr-sensor> set core-dump global file-limit 3
Global limit for setting threshold in seconds for frequency of generated
core dump files for all processes or applications.
Any application generating core dump within threshold seconds will be
ignored and new core dump request will only be in effect after the threshold period has expired.
By default processes generating core dump within threshold frequency of 600 seconds will be denied.
To disable this config, set value to 0.
Note, disabling config may consume higher disk space and can cause disk space exhaustion.
| Option | Description |
|---|---|
| <core-dump-threshold-freq> | Threshold value in the range of 0 - 1200 seconds. |
Example
ndr-sensor> set core-dump global frequency-threshold 900
Limit for count to preserve latest core dump files generated per process or application.
To disable this config, set value to 0.
Note, disabling config may consume higher disk space and can cause disk space exhaustion.
| Option | Description |
|---|---|
| <process-name> | Core dump process name |
| <core-dump-limit> | Core dump numeric argument (0-4) |
Example
ndr-sensor> set core-dump process nginx file-limit 4
Set GRUB menu timeout.
| Option | Description |
|---|---|
| <grub-menu-timeout> | GRUB menu timeout in seconds |
Example
ndr-sensor> set grub menu timeout 4
Set GRUB user password.
| Option | Description |
|---|---|
| <grub-username> | Username of GRUB user |
| <grub-password> | Password for the GRUB user |
Example
ndr-sensor> set grub user root password Str0ng_Pwd!Wins$
or
ndr-sensor> set grub user root password
Enter password:
Confirm password:
Set command history size.
| Option | Description |
|---|---|
| <history-size> | Integer value for history size or 0 to display all commands |
Example
ndr-sensor> set history limit 100
Set the system hostname. Changing the hostname changes the command line prompt.
| Option | Description |
|---|---|
| <hostname> | System hostname argument |
Example
ndr-sensor> set hostname ndr-sensor-1
Configure the specified interface to use DHCP. IPv6 based functionality is not supported in this release.
| Option | Description |
|---|---|
| <interface-name> | Configurable network interface argument |
Example
ndr-sensor> set interface eth0 dhcp
Configure a static IP address and netmask. Make sure an appropriate network route is also configured. You can use the optional
gateway argument, or set a route using the set route command. IPv6 based functionality is not supported in this release.| Option | Description |
|---|---|
| <interface-name> | Configurable network interface argument |
| <prefix-ipv46> | CIDR notation argument for IPv4/IPv6 address |
| <gateway-ipv46> | Gateway IPv4/IPv6 address argument |
Example
ndr-sensor> set interface eth0 ip 192.168.110.110/24 gateway 192.168.110.1
Set a specific management interface in the system. Once set, this interface can be
used for managing the sensor. At least one management interface has to be set before
configuring sniffing-interfaces.
| Option | Description |
|---|---|
| <available-for-management-interface> | Network interfaces available for management interface configuration. |
Example
ndr-sensor> set management-interface eth0
The specified management interface was set successfully!
Set Sensor configuration through a single command, which includes setting of
sniffing and management interface, hostname, name-servers, ntp-server, timezone,
search-domains.
| Option | Description |
|---|---|
| <available-for-management-interface> | Network interfaces available for management interface configuration. |
| <available-for-sniffing-interface> | Network interfaces available for sniffing interface configuration. |
| <sniffing-mode> | Sniffing mode argument. Allowed values: NATIVE, COMPAT |
| <sniffing-mtu> | MTU for sniffing interface (NATIVE mode MTU range 2048-9000, COMPAT mode MTU range 1400-1500) |
| <sniffing-if-prefix-ipv46-or-skip> | CIDR notation argument for IPv4/IPv6 address or use "skip" to skip setting (Loopback, unspecified and broadcast addresses are not allowed for sniffing interface IPs) |
| <hostname-or-skip> | System hostname argument or use "skip" to skip setting |
| <ip-address-or-skip> | Network IP address argument or use "skip" to skip setting |
| <hostname-or-ip-address-or-skip> | A hostname or IP address or use "skip" to skip setting |
| <timezone-or-skip> | Timezone (e.g. UTC, America/New_York) or use "skip" to skip setting |
| <domain-or-skip> | Search domain argument or use "skip" to skip setting |
Example
ndr-sensor> set management-interface eth0 sniffing-interface eth1 mode NATIVE mtu 2048 sniffing-interface-ip 10.80.18.233 hostname new-hostname name-servers skip ntp-server skip timezone skip search-domains skip
Progress: [================================================================================] 100.0% Completed
Configuration complete
Overall status:
Setting of specified management interface eth0 successful.
Setting of specified sniffing interface eth1 with mode NATIVE and mtu 2048 successful.
You can monitor the bind status through the command 'get sniffing-interfaces'.
It may take up to a minute for binding to complete and sniffing service to start.
Check status using command 'get service sniffing'.
Setting of specified sniffing interface eth1 with ip 10.80.18.233 successful
Setting of specified hostname new-hostname successful.
Skipped setting nameserver.
You can set the nameserver later using: [set name-servers ]
Skipped setting NTP server.
You can set the NTP server later using: [set ntp-server ]
Skipped setting timezone.
You can set the timezone later using: [set timezone ]
Skipped setting search domain.
You can set the search domain later using: [set search-domains ]
Add a name server to the DNS configuration.
| Option | Description |
|---|---|
| <ip-address> | Name server IP v4 or v6 address argument |
Example
ndr-sensor> set name-servers 192.168.110.10
Configure a new NTP server.
| Option | Description |
|---|---|
| <hostname-or-ip-address> | A hostname or IP address |
Example
ndr-sensor> set ntp-server 172.31.32.2
Configure password complexity requirements.
- Minimum password length: minimum number of characters expected in password; user can not set their password of length lesser than this parameter. Default: 12, Minimum: 8, Maximum: 128
- Maximum password length: maximum number of characters allowed in password; user can not set their password of length greater than this parameter. Default: 128, Minimum: 8, Maximum: 128
- Lower characters: number of lower case characters (a..z) expected in user password.
N < 0, to set minimum credit for having lower case character in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password.
N > 0, to set maximum credit for having lower case character in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum password length value up to N lower case characters.
N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128 - Upper characters: number of upper case characters (A..Z) expected in user password.
N < 0, to set minimum credit for having upper case character in the new password, i.e. this is the minimum number of upper case characters that must be met for a new password.
N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum password length value up to N upper case characters.
N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128 - Numeric characters: number of digits (0..9) expected in user password.
N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password.
N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum password length value up to N digits.
N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128 - Special characters: number of special characters (!@#$&*..) expected in user password.
N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password.
N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum password length value up to N special case characters..
N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128 - Minimum unique characters: number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128
- Allowed similar consecutive characters: reject passwords which contain more than N same consecutive characters. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128
- Allowed monotonic sequence: reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128
- Hash algorithm: sets hash/cryptographic algorithm type for new passwords. Default: sha512. Enum: [ sha512, sha256 ]
- Password remembrance: limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0. Default: 0, Minimum: 0
Note, passwords less than 8 characters are never allowed.
Example
ndr-sensor> set password-complexity
Add IPv4 or IPv6 network route. You can also just set a gateway by specifying a
prefix value of 0.0.0.0/0 for IPv4 and ::/0 for IPv6. Default value for the IPv6 route metric is 1024.| Option | Description |
|---|---|
| <prefix-ipv46> | CIDR notation argument for IPv4/IPv6 address |
| <ip-route-metric> | IP route metric argument Allowed pattern: ^[0-9]+$ |
| <gateway-ipv46> | Gateway IPv4/IPv6 address argument |
| <interface-name> | Configurable network interface argument |
Example
ndr-sensor> set route prefix 10.79.224.0/20 gateway 10.78.239.254
or
ndr-sensor> set route prefix fd01:0:106:10::/64 gateway fd01:0:106:10::253
or
ndr-sensor> set route prefix fd01:0:106:8::/64 gateway fe80::106:8:1 metric 256
Add a domain name to the DNS search list.
| Option | Description |
|---|---|
| <domain> | Search domain argument |
Example
ndr-sensor> set search-domains example.com
Set the log level of the Rapid service. This service is responsible for analyzing files for malware threats
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service rapid logging-level debug
Updated logging levels of components of rapid
Logging level for rapid set to debug level successfully!
Set the log level of the sensor-container-orchestration service. This service is the central logic that manages the lifecycle of all the other containerized application services, making sure the sensor is always running the right components based on its current configuration and status.
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sensor-container-orchestration logging-level debug
Updated logging levels of components of sensor-container-orchestration
Logging level for sensor-container-orchestration set to debug level successfully!
Set the log level of the sensor-health service. This service detects the health of each of the core services.
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sensor-health logging-level debug
Updated logging levels of components of sensor-health
Logging level for sensor-health set to debug level successfully!
Set the log level of the sensor-service service. Sensor client service is responsible for communicating with Security Services Platform (SSP) and managing configuration of the sensor.
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: off, fatal, error, warn, info, debug, trace |
Example
ndr-sensor> set service sensor-service logging-level debug
Updated logging levels of components of sensor-service
Logging level for sensor-service set to debug level successfully!
Set the logging level for a specific component within sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
| Option | Description |
|---|---|
| <component> | Sensor uploading service logging component argument. |
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sensor-uploading component sensor-uploading-alert logging-level debug
Updated logging levels of component of sensor-uploading
Logging level for sensor-uploading-alert set to debug level successfully!
Set the log level of the sensor-uploading service. This service is responsible for processing and sending all critical security events (like IDS alerts, malware analysis results, and network flows) to the Security Services Platform (SSP).
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sensor-uploading logging-level debug
Updated logging levels of components of sensor-uploading
Logging level for sensor-uploading set to debug level successfully!
Set the log level of the sniffing service. Sniffing service is responsible for capturing network traffic.
| Option | Description |
|---|---|
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sniffing logging-level debug
Updated logging levels of components of sniffing
Logging level for timon-daemon set to debug level successfully!
Logging level for timon-update set to debug level successfully!
Logging level for suricata-eve-stats set to debug level successfully!
Logging level for suricata-eve-alert set to debug level successfully!
Logging level for suricata-eve-flow set to debug level successfully!
Logging level for suricata-eve-pcap set to debug level successfully!
Set the logging level for a specific component within sniffing service. Sniffing service is responsible for capturing network traffic.
| Option | Description |
|---|---|
| <component> | sniffing service logging component argument. |
| <level> | Sensor logging level argument. Allowed values: critical, error, warn, info, debug |
Example
ndr-sensor> set service sniffing component timon-daemon logging-level debug
Updated logging levels of component of sniffing
Logging level for timon-daemon set to debug level successfully!
Configure the SSH service to start on boot.
Example
ndr-sensor> set service ssh start-on-boot
Set a specific sniffing interface in the system. Once set, the network traffic
from the sniffing interface will be captured to identify and alert on potential
security threats and malicious activity.
| Option | Description |
|---|---|
| <available-for-sniffing-interface> | Network interfaces available for sniffing interface configuration. |
| <sniffing-mode> | Sniffing mode argument. Allowed values: NATIVE, COMPAT |
| <sniffing-mtu> | MTU for sniffing interface (NATIVE mode MTU range 2048-9000, COMPAT mode MTU range 1400-1500) |
Example
ndr-sensor> set sniffing-interface eth0 mode NATIVE mtu 2048
Sniffing interface eth1 with PCI address 0000:0b:00.0 is requested to be set in mode SNIFF_NATIVE
Please monitor the bind status through cmd 'get sniffing-interfaces'
It may take up to a minute for binding to complete and
sniffing service to start, check cmd 'get service sniffing'
Set an IP address for an existing sniffing interface in the system. The IP address will enable the
sniffing interface to just respond to basic ARP requests for both modes - NATIVE and COMPAT. Setting
up of the IP address is required to do Encapsulated Remote Mirroring. IPv6 based functionality is not
supported in this release.
| Option | Description |
|---|---|
| <sniffing-interface> | Sniffing interface argument. |
| <sniffing-if-prefix-ipv46> | CIDR notation argument for IPv4/IPv6 address. (Loopback, unspecified and broadcast addresses are not allowed for sniffing interface IPs) |
Example
ndr-sensor> set sniffing-interface-ip eth0 ip 10.80.18.233/32
Sniffing interface ip set successfully!
IP address of the sniffing interface can be seen through cmd 'get sniffing-interfaces'
Enable SSH Root login property
Example
ndr-sensor> set ssh root-login
Set the system timezone.
| Option | Description |
|---|---|
| <timezone> | Timezone (e.g. UTC, America/New_York, Asia/Tokyo, Europe/Zurich) |
Example
ndr-sensor> set timezone America/Los_Angeles
Set number of days the user's password is valid after a password change.
| Option | Description |
|---|---|
| <username> | Username of user |
| <password-expiration-days> | Number of days password valid after change (1 - 9999) |
Example
ndr-sensor> set user audit password-expiration 120
Set number of days prior user receives warning message before password expires. Set 0 to disable warning messages for password expiry.
| Option | Description |
|---|---|
| <username> | Username of user |
| <password-expiration-warn-days> | Number of days password warn messages before change (1 - 9999) |
Example
ndr-sensor> set user audit password-expiration-warning 10
Set new user name for the specified non-root user.
| Option | Description |
|---|---|
| <username> | Username of user |
| <new-username> | Username of user |
Example
ndr-sensor> set user audit username audit-user1
Set the password for the specified user. If you do not specify
the password on the command line, you will be prompted for it.
For details on setting passwords during installation, see
the NDR Sensor documentation.
| Option | Description |
|---|---|
| <username> | Username of user |
| <password> | Password of user |
| <old-password> | Current password of user |
Example
ndr-sensor> set user admin password NewPass789! old-password Testing123$
or
ndr-sensor> set user admin password NewerPass789!
Current password:
or
ndr-sensor> set user admin password
Current password:
New password:
Confirm new password:
ndr-sensor>
Add SSH service key to authorized_keys file for specified user. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
| Option | Description |
|---|---|
| <username> | Username of user |
| <key-label> | Unique label for SSH key |
| <key-type> | SSH key type Allowed values: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, ssh-ed25519, ssh-rsa |
| <key-value> | SSH key value |
| <password> | Password of user |
Example
ndr-sensor> set user admin ssh-keys label user1@domain1 type ssh-rsa key AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZePxtjtZOENFpOjufycaYso2nTlzNwnAQEQRfbqsUxKVtOtGxgApIkUvjRIjNBdJE6iOzvBXZhhJrM0GUDJragw7SMVIs/5xJBGAyHKJ1YUMGO7+nJTmsCLx6PFOlQYveuriiVVCCZerGCLH+UtSXK3z+l7hx9NiDg3/ylOLc3f3SLxrJKn0gMTgK7BHJFXo4PguuPjWZLVdUDX+XKiqtT2n4IsYs6N9qVFG3zUgNlEjZM47NK/ytAC0max98pK+QNzsuaQOo/IShJ1TOw5wwScflPArVJ2AyROqAe7cfQg7q12I9olASFd3U5NazfZCTYAvWA1kz9UZEWLJ1Br1XOkPqOleMM8KCp/PXzz8H0kISkMIji0/QuiZOPEBsKlszXjlALcXR8Mg1uiZVWy48i9JheyXyj1ToCj6cPScpgFHp3DAGSlKKbE1EFaVfeeyGAnHESuXC9wkSeFZCEyMJ+RgJxMkBXNZmyycbwsSqAeGJpMEUDlwzu2GD0obBz0HXqg9J1Xallop5AVDKfeszZcc= password Pa$$w0rd
or
ndr-sensor> set user admin ssh-keys label user1@domain1 type ssh-rsa key AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZePxtjtZOENFpOjufycaYso2nTlzNwnAQEQRfbqsUxKVtOtGxgApIkUvjRIjNBdJE6iOzvBXZhhJrM0GUDJragw7SMVIs/5xJBGAyHKJ1YUMGO7+nJTmsCLx6PFOlQYveuriiVVCCZerGCLH+UtSXK3z+l7hx9NiDg3/ylOLc3f3SLxrJKn0gMTgK7BHJFXo4PguuPjWZLVdUDX+XKiqtT2n4IsYs6N9qVFG3zUgNlEjZM47NK/ytAC0max98pK+QNzsuaQOo/IShJ1TOw5wwScflPArVJ2AyROqAe7cfQg7q12I9olASFd3U5NazfZCTYAvWA1kz9UZEWLJ1Br1XOkPqOleMM8KCp/PXzz8H0kISkMIji0/QuiZOPEBsKlszXjlALcXR8Mg1uiZVWy48i9JheyXyj1ToCj6cPScpgFHp3DAGSlKKbE1EFaVfeeyGAnHESuXC9wkSeFZCEyMJ+RgJxMkBXNZmyycbwsSqAeGJpMEUDlwzu2GD0obBz0HXqg9J1Xallop5AVDKfeszZcc=
Password (required only for users root and admin):
Shut down the system. If you specify the
force argument, the system will shut down immediately without prompting for confirmation.Example
ndr-sensor> shutdown
Are you sure you want to shutdown (yes/no): yes
Broadcast message from root@ndr-sensor
(unknown) at 1:26 ...
The system is going down for halt NOW!
Start the specified service.
| Option | Description |
|---|---|
| <service-name> | Node startable and stoppable service argument |
Example
ndr-sensor> start service sniffing
Start an upgrade with the specified upgrade bundle and according to the specified playbook.
| Option | Description |
|---|---|
| <bundle-name> | Name of NDR Sensor upgrade bundle in the file store |
| <playbook-file> | Name of Playbook file to use |
Example
ndr-sensor> start upgrade-bundle VMware-ndr-sensor-appliance-5.2.0.0.0.62665246 playbook VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook
****************************************************************************
Node Upgrade has been started. Please do not make any changes, until
the upgrade operation is complete. Run "get upgrade progress-status"
to show the progress of last upgrade step.
****************************************************************************
2025-02-05 14:22:17,838 - Validating playbook /var/vmware/nsx/file-store/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246-playbook.yml
2025-02-05 14:22:17,883 - Running "shutdown_sensor_services" (step 1 of 6)
2025-02-05 14:22:52,951 - Running "install_os" (step 2 of 6)
2025-02-05 14:23:06,492 - Running "switch_os" (step 3 of 6)
2025-02-05 14:23:18,510 -
System will now reboot (step 4 of 6)
After the system reboots, use "resume" to start the next step, "startup_sensor_services".
{
"state": 1,
"state_text": "CMD_SUCCESS",
"info": "",
"body": null
}
ndr-sensor>
Broadcast message from root@ndr-sensor (Sun 2025-02-05 14:23:23 UTC):
The system is going down for reboot at Sun 2025-02-05 14:24:23 UTC!
Stop the specified service.
| Option | Description |
|---|---|
| <service-name> | Node startable and stoppable service argument |
Example
ndr-sensor> stop service sniffing
Trace the route to the specified IPv4 address or host.
| Option | Description |
|---|---|
| <hostname-or-ip-address> | A hostname or IP address |
Example
ndr-sensor> traceroute 10.192.43.71
traceroute to 10.192.43.71 (10.192.43.71), 30 hops max, 60 byte packets
1 10.160.127.251 (10.160.127.251) 0.824 ms 2.589 ms 1.529 ms
2 10.250.228.1 (10.250.228.1) 2.570 ms 10.250.228.9 (10.250.228.9) 1.992 ms 1.116 ms
3 10.250.22.25 (10.250.22.25) 1.647 ms 10.250.22.85 (10.250.22.85) 2.487 ms 10.250.22.25 (10.250.22.25) 1.529 ms
4 10.250.22.186 (10.250.22.186) 2.464 ms 1.903 ms 2.425 ms
5 10.250.23.26 (10.250.23.26) 1.553 ms 1.676 ms 2.504 ms
6 10.250.232.34 (10.250.232.34) 2.355 ms 10.250.232.42 (10.250.232.42) 1.229 ms 10.250.232.38 (10.250.232.38) 1.379 ms
7 10.192.43.71 (10.192.43.71) 1.398 ms 1.689 ms 1.619 ms
Verify and extract the specified upgrade bundle to the default location.
| Option | Description |
|---|---|
| <bundle-name> | Name of NDR Sensor upgrade bundle in the file store |
Example
ndr-sensor> verify upgrade-bundle VMware-ndr-sensor-appliance-5.2.0.0.0.62665246
Checking upgrade bundle /var/vmware/nsx/file-store/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246.nub contents
Verifying bundle VMware-ndr-sensor-appliance-5.2.0.0.0.62665246.bundle with signature VMware-ndr-sensor-appliance-5.2.0.0.0.62665246.bundle.sig
Moving bundle to /image/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246.bundle
Extracting bundle payload
Successfully verified upgrade bundle
Bundle manifest:
appliance_type: 'ndr-sensor-appliance'
version: '5.2.0.0.0.62665246'
os_image_path: 'files/nsx-root.squashfs'
os_image_md5_path: 'files/nsx-root.squashfs.md5'
vmdk_sha256sum: '0dfc31297767f9f069900725b9573c8c9fa2b3b71790e7844044c48cb97a4a60'
Current upgrade info:
{
"state": 1,
"state_text": "CMD_SUCCESS",
"info": "",
"body": {
"meta": {
"to_version": "5.2.0.0.0.62665246",
"from_version": "5.1.0.0.0.62664213",
"bundle_path": "/image/VMware-ndr-sensor-appliance-5.2.0.0.0.62665246",
"old_os_fs_uuid": "0a10b6f6-06c6-44dc-9edd-d344cf706edc",
"new_os_fs_uuid": "32a74a05-75b4-4b0a-b5ed-443a1308ddb8",
"old_config_dev": "/dev/mapper/nsx-config",
"new_config_dev": "/dev/mapper/nsx-config__bak"
},
"history": []
}
}