[unisog] Remote sniffers- what do you use?
grinnell at american.edu
Wed Mar 8 23:12:05 GMT 2006
It all depends on what you're looking for it to do. If you're
limited on disk space and/or processing power, it may make more sense
to use something like tcpdump at various chokepoints to capture
traffic only when you need it. Alternatively, if you're looking for
something that will grab part (or all) of each packet that traverses
your network (or each suspicious packet), you may want to google for
"snort packet capture" or look at what your current IPS, IDS, or
packet shaping product can do. I know the Tipping Point IPS products
support capturing packets when they trigger certain rules, and IIRC
the PacketShaper can do that as well. With regards to front ends,
ethereal is pretty good, particularly for its stream reassembly
options, but it has had some buffer overflow vulnerabilities in the
past, so you want to ensure that you keep it up to date.
Alternatively, teaching staff how to read tcpdump packets is a sound
investment, as some problems that you run into will need a deeper
understanding of TCP/IP to resolve.
Also, if all you really want to know is who talked to whom at this
time, then Argus, flowtools, or IP Audit might be your answer...
Network Security Administrator
The American University
e-mail: grinnell at american.edu
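As an added illustration of the "who talked to whom at this time" question raised above (this is example code written for this archive page, not something from the original mail or any of the tools it names), the script below turns plain `tcpdump -nn` text output into per-conversation counts: packets, bytes, first and last seen. It assumes the default one-line `IP src.port > dst.port:` format that `tcpdump` prints without `-v`, and the sample lines embedded in it are constructed, not captured from a real network.

```python
import re
from dataclasses import dataclass

# Matches the default tcpdump -nn line, e.g.
#   23:12:05.100000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample of tcpdump -nn output (not a real capture): an HTTP
# handshake plus a request, a DNS query/answer, an SSH SYN, and one junk line.
SAMPLE = """\
23:12:05.100000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
23:12:05.101000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
23:12:05.102000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [P.], seq 2:120, ack 3, win 64240, length 118
23:12:06.000000 IP 10.0.0.7.40001 > 192.0.2.53.53: 12345+ A? example.com. (29)
23:12:06.010000 IP 192.0.2.53.53 > 10.0.0.7.40001: 12345 1/0/0 A 192.0.2.80 (45)
23:12:07.000000 IP 10.0.0.9.3333 > 10.0.0.5.22: Flags [S], seq 9, win 1024, length 0
this line is not tcpdump output and must be skipped
"""


@dataclass
class Conversation:
    first_seen: str
    last_seen: str
    packets: int = 0
    bytes: int = 0


def payload_length(rest):
    """Payload bytes from the tail of a tcpdump line.

    TCP lines carry 'length N'; UDP/DNS lines end with '(N)'. Anything else
    counts as 0 so an unparsed application line still counts as a packet.
    """
    m = re.search(r"length (\d+)", rest)
    if m:
        return int(m.group(1))
    m = re.search(r"\((\d+)\)$", rest)
    return int(m.group(1)) if m else 0


def parse_line(line):
    """Parse one tcpdump line into a dict, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "length": payload_length(m.group("rest")),
    }


def summarize(lines):
    """Collapse both directions of each flow into one (client, server, port) entry.

    The lower-numbered port is treated as the service side, which is a
    heuristic (it mislabels a client using an ephemeral port below the
    server's port) but good enough for a who-talked-to-whom overview.
    """
    convs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["sport"] < rec["dport"]:
            key = (rec["dst"], rec["src"], rec["sport"])  # reply: src is the server
        else:
            key = (rec["src"], rec["dst"], rec["dport"])  # request: dst is the server
        conv = convs.setdefault(key, Conversation(rec["ts"], rec["ts"]))
        conv.last_seen = rec["ts"]
        conv.packets += 1
        conv.bytes += rec["length"]
    return convs


def report(convs):
    """Return one text line per conversation, busiest first."""
    rows = sorted(convs.items(), key=lambda kv: (-kv[1].packets, kv[0]))
    return [
        f"{client} -> {server}:{port} packets={c.packets} bytes={c.bytes} "
        f"first={c.first_seen} last={c.last_seen}"
        for (client, server, port), c in rows
    ]


if __name__ == "__main__":
    for row in report(summarize(SAMPLE.splitlines())):
        print(row)
```

Feeding it a real file is just `summarize(open("capture.txt"))`; the same structure extends to `tcpdump -w` pcap files if you swap the regex front end for a pcap reader, and it is the kind of thing that gets staff comfortable reading tcpdump output in the first place.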
On Mar 8, 2006, at 5:34 PM, John H. Sawyer wrote:
> Hi Sunia,
> If you are interested in going the cheaper, open source route, it can be
> as easy as deploying a number of Linux/BSD boxes with tcpdump on them.
> You could also use Snort for a little more power. Additionally, if you
> want a web interface with traffic analysis, check out ntop.
> Also, if you have a Cisco infrastructure, take a look at RSPAN, which lets
> you configure SPAN ports across multiple switches so you can deploy
> sniffing hosts.
> John H. Sawyer - GCFA GCIH GCFW
> UF IT Security Engineer
> 352.392.2061 - infosec.ufl.edu
> sunia wrote:
>> Just wanted to say that this is a really helpful and friendly group.
>> Thanks for all the good ideas!
>> Right now, I'm trying to evaluate various sniffer tools. I've taken a
>> look at NetScout's nGenius and Network General's Sniffer/
>> Both seem extremely top-heavy, business-oriented suites which require
>> lots of care and feeding. What I'd really like is just a super
>> way of seeing packets on every local network. My current thought is to
>> just use some sort of open-source sniffer on a bunch of small hosts
>> sitting off span ports at each major distribution point. I'd script the
>> spanning so it would be easy to get onto the right network.
>> Anyone have any recommendations for an open source sniffer (ideally cli
>> and web interface, no weird platform or java dependencies)? Catering
>> to individuals' prejudices against/for user interfaces turns out to be
>> a lot more difficult than the backend stuff.
>> What are you using?
>> Sunia Yang
>> Network Engineer
>> Stanford University
>> sunia.yang at stanford.edu