[unisog] Remote sniffers- what do you use?

Michael Holstein michael.holstein at csuohio.edu
Thu Mar 9 14:23:42 GMT 2006


> Anyone have any recommendations for an open source sniffer (ideally cli and
> web interface, no weird platform or java dependencies)?  Catering to
> individuals' prejudices against/for user interfaces turns out to be a lot
> more difficult than the backend stuff.

Well, Ethereal will give you the CLI without weird dependencies (only 
thing you'd need is libpcap, and that comes standard with most linux 
distros.

As for a web interface, you could run it as a remote X session (assuming 
clients are UNIX or running cygwin. You could also setup VNC or some 
such and do it that way. You can run multiple instances of Ethereal with 
no problem, although on an extremely busy network, you'll start to have 
problems related to libpcap unless you have capture cards (eg: Endance 
DAG cards) that support bpf expressions in the hardware.

You can easily load just about every open-source network analysis tool 
(snort, argus, tcpdump, ethereal, ntop, etc) onto a 1-U FreeBSD box 
(FreeBSD beating Linux in most any networking benchmark -- Linux+pfRing 
included).

Those that have used NAI/NG's Sniffer remotes can attest that the web 
interface is FAR from "not having weird dependencies", and that if both 
web sessions gets stuck, you end up rebooting the sniffer appliance. 
That, and it's not exactly open-source (or cheap).

My $0.02

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


More information about the unisog mailing list