[unisog] Remote sniffers- what do you use?

Michael Grinnell grinnell at american.edu
Wed Mar 8 23:12:05 GMT 2006


It all depends on what you're looking for it to do.  If you're limited on
disk space and/or processing power, it may make more sense to use something
like tcpdump at various chokepoints to capture traffic only when you need
it.  Alternatively, if you're looking for something that will grab part (or
all) of each packet that traverses your network (or each suspicious packet),
you may want to google for "snort packet capture" or look at what your
current IPS, IDS, or packet shaping product can do.  I know the Tipping
Point IPS products support capturing packets when they trigger certain
rules, and IIRC the PacketShaper can do that as well.  With regards to front
ends, ethereal is pretty good, particularly for its stream reassembly
options, but it has had some buffer overflow vulnerabilities in the past, so
you want to ensure that you keep it up to date.  Alternatively, teaching
staff how to read tcpdump packets is a sound investment, as some problems
that you run into will need a deeper understanding of TCP/IP to resolve.

Also, if all you really want to know is who talked to whom at this  
time, then Argus, flowtools, or IP Audit might be your answer...

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell at american.edu


On Mar 8, 2006, at 5:34 PM, John H. Sawyer wrote:

> Hi Sunia,
>
> If you are interested in going the cheaper, open source route, it can be
> as easy as deploying a number of Linux/BSD boxes with tcpdump on them.
> You could also use Snort for a little more power. Additionally, if you
> want a web interface with traffic analysis, check out ntop.
> http://www.ntop.org/overview.html
>
> Also, if you have a Cisco infrastructure, take a look at RSPAN that lets
> you configure SPAN ports across multiple switches so you can deploy fewer
> sniffing hosts.
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swspan.htm
>
> -jhs
> -- 
> -------------------------------
> John H. Sawyer - GCFA GCIH GCFW
>     UF IT Security Engineer
> 352.392.2061 -  infosec.ufl.edu
> -------------------------------
>
> sunia wrote:
>> Just wanted to say that this is a really helpful and friendly group.
>> Thanks for all the good ideas!
>>
>> Right now, I'm trying to evaluate various sniffer tools.  I've taken a
>> look at NetScout's nGenius and Network General's Sniffer/Infinistream.
>> Both seem extremely top-heavy business oriented suites which require
>> lots of care and feeding.  What I'd really like is just a super simple
>> way of seeing packets on every local network.  My current thought is to
>> just use some sort of opensource sniffer on a bunch of small hosts that
>> sit off span ports at each major distribution point.  I'd script the
>> spanning so it would be easy to get onto the right network.
>>
>> Anyone have any recommendations for an open source sniffer (ideally cli
>> and web interface, no weird platform or java dependencies)?  Catering
>> to individuals' prejudices against/for user interfaces turns out to be
>> a lot more difficult than the backend stuff.
>>
>> What are you using?
>>
>> Thanks!
>>
>> Sunia
>>
>>
>>
>> ----------------------------------------------
>> Sunia Yang
>> Network Engineer
>> Stanford University
>> sunia.yang at stanford.edu
>> (650)723-3543
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
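The thread above contrasts full packet capture (tcpdump at chokepoints, written out with tcpdump -w) with flow tools such as Argus, flowtools or IP Audit that only answer "who talked to whom, when". The following is an added example, not code from the thread or from any of the tools it names: it reads a classic little-endian libpcap file (the format tcpdump -w produces on Ethernet), walks the IPv4/TCP/UDP headers and reduces the packets to bidirectional flow records with first/last timestamp, packet and byte counts. The sample capture is constructed inline so the script runs offline, and it also shows the snaplen caveat a flow summariser has to handle: when tcpdump was run with a short -s, the record's captured length is smaller than its wire length, byte counts must come from the wire length, and the ports may have been cut off entirely.

```python
"""Reduce a tcpdump -w (classic pcap) file to "who talked to whom" flow records.

Added example for the unisog sniffer thread; it is not Argus/flowtools/ipaudit
code. Only the little-endian classic pcap magic and the Ethernet link type are
handled, which is what tcpdump -w writes on a Linux/BSD SPAN-port host.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def build_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for sample input (checksums zeroed)."""
    eth = b"\x00" * 12 + struct.pack(">H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == PROTO_TCP else 8
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + payload_len, 0, 0, 64,
                     proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    if proto == PROTO_TCP:
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8 + payload_len, 0)
    return eth + ip + l4 + b"A" * payload_len


def build_pcap(packets, snaplen=65535):
    """Serialise (ts_sec, frame) pairs as pcap; snaplen truncates incl_len like tcpdump -s."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", ts, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def iter_packets(data):
    """Yield (ts_sec, captured_bytes, wire_len) for every record in a pcap buffer."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield ts_sec, frame, orig_len   # orig_len is the wire size even when snaplen cut the frame


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport); ports are None when not recoverable."""
    if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                                   # ARP, IPv6, runt, etc.
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    frag_offset = struct.unpack_from(">H", frame, 20)[0] & 0x1FFF
    src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
    l4 = 14 + ihl
    # Non-first fragments and frames cut short by snaplen carry no usable ports.
    if proto not in (PROTO_TCP, PROTO_UDP) or frag_offset or len(frame) < l4 + 4:
        return src, dst, proto, None, None
    sport, dport = struct.unpack_from(">HH", frame, l4)
    return src, dst, proto, sport, dport


def summarize_flows(data):
    """Aggregate packets into bidirectional flows keyed by (proto, ipA, portA, ipB, portB)."""
    flows = {}
    for ts, frame, wire_len in iter_packets(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport = parsed
        a = (src, -1 if sport is None else sport)   # -1 marks "port unknown"
        b = (dst, -1 if dport is None else dport)
        key = (proto,) + (a + b if a <= b else b + a)
        rec = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["packets"] += 1
        rec["bytes"] += wire_len
    return flows


# Constructed sample capture (not real traffic): a short HTTP exchange, a DNS query, an ARP frame.
ARP_FRAME = b"\xff" * 6 + b"\x00" * 6 + struct.pack(">H", 0x0806) + b"\x00" * 28
SAMPLE_PACKETS = [
    (1000, build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, 100)),
    (1000, build_frame("192.0.2.10", "10.0.0.5", PROTO_TCP, 80, 40000, 1400)),
    (1001, build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, 0)),
    (1003, build_frame("10.0.0.5", "10.0.0.1", PROTO_UDP, 53000, 53, 40)),
    (1004, ARP_FRAME),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for key, rec in sorted(summarize_flows(SAMPLE_PCAP).items()):
        print(key, rec)
```

To run it against a real capture, replace SAMPLE_PCAP with the contents of a file written by tcpdump -w; a capture taken with a small -s still yields correct byte totals because the wire length is used, but the ports degrade to -1 once the snaplen stops short of the transport header, which is the first thing to check when a flow table shows no ports.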


