Tuesday, June 13, 2006

Q: How do I run tcpdump on the IDS boxes?

A:
All the Sourcefire IDS boxes include tcpdump; log in as root to use it. The one oddity is the interface naming: names such as eth2 cannot be used. Instead, eth2 must be referred to as fp2, so the tcpdump interface parameter would be -i fp2. For other interfaces, change the number to suit.
