[unisog] Remote sniffers- what do you use?

Huba Leidenfrost huba at uidaho.edu
Thu Mar 9 20:02:16 GMT 2006


Last time I checked, WildPackets was quickly giving Network General (the
Cadillac of GUI network sniffers) a run for their money.  The commercial
solutions have more options than we've *ever* had occasion to use.  If I
didn't already have a commercial distributed sniffer setup, I think I would
be hard pressed to justify a system based on commercial tools.  And this is
coming from someone certified in using Sniffer Pro.  However you should
consider keeping at least one copy of a tool like Network General's Sniffer
Portable for those times when you need the expert analysis (artificial
intelligence rules).  This expert analysis has saved valuable time over the
years.  So I would suggest as others have suggested that you build your
distributed sniffing system with free tools but do try to have your
management purchase you one copy of a really good expert analysis tool to
keep around.

WildPackets has a free conversion tool called ProConvert that will take one
packet capture format and convert it to another format.  .dmp to .cap for
instance so you can pretty much capture with whatever you want and analyze
with whatever other tool you choose.

Good question, Sunia.  I've enjoyed reading and learning from the other
feedback your question generated.  Laura Chappell's "Protocol Analysis
Institute" http://www.packet-level.com/ has some good links
http://www.packet-level.com/links.htm.

One other thought.  If you don't want to constantly leave a capture going,
the command line tools (tcpdump etc.) in my experience have always beaten the
commercial GUI tools in time to start capturing a specific type of traffic
(specific host/network range/src/dst/protocol/ip options).  When you really
need to find out what is going on is not the time to spend click-happy in
some GUI trying to set up a specific capture filter.

Huba Leidenfrost
ITS Security Analyst
University of Idaho
208.885.2126/7539(fax) 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of sunia
> Sent: Wednesday, March 08, 2006 2:09 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] Remote sniffers- what do you use?
> 
> Just wanted to say that this is a really helpful and friendly group.  
> Thanks for all the good ideas!
> 
> Right now, I'm trying to evaluate various sniffer tools.  I've taken a
> look at NetScout's nGenius and Network General's Sniffer/Infinistream.
> Both seem extremely top-heavy business oriented suites which require
> lots of care and feeding.  What I'd really like is just a super simple
> way of seeing packets on every local network.  My current thought is to
> just use some sort of opensource sniffer on a bunch of small hosts that
> sit off span ports at each major distribution point.  I'd script the
> spanning so it would be easy to get onto the right network.
> 
> Anyone have any recommendations for an open source sniffer (ideally cli
> and web interface, no weird platform or java dependencies)?  Catering
> to individuals' prejudices against/for user interfaces turns out to be
> a lot more difficult than the backend stuff.
> 
> What are you using?
> 
> Thanks!
> 
> Sunia
> 
> 
> 
> ----------------------------------------------
> Sunia Yang
> Network Engineer
> Stanford University
> sunia.yang at stanford.edu
> (650)723-3543
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
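The point above about command-line tools being quickest to start a targeted capture comes down to having the BPF filter ready before the incident, not typing it under pressure. The script below is an added example (not part of this thread or of tcpdump's own distribution): a small POSIX sh wrapper that assembles a capture filter from the usual parameters (host, network range, src, dst, port, protocol) and hands it to tcpdump. It assumes tcpdump is installed and that the interface name and addresses passed in are the operator's own; the values shown at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.  Builds a BPF capture
# filter from simple parameters and starts tcpdump with it, so a targeted
# capture on a span-port sensor is one command rather than a GUI session.
# Assumes tcpdump is installed; the interface name is an assumption.

# Append clause $2 to the filter held in $1, joining with "and".
join_clause() {
    if [ -n "$1" ]; then
        printf '%s and %s' "$1" "$2"
    else
        printf '%s' "$2"
    fi
}

# build_filter HOST NET SRC DST PORT PROTO
# Any argument may be "" to skip that clause.  An empty result means
# "capture everything", which tcpdump treats as no filter at all.
build_filter() {
    host=$1 net=$2 src=$3 dst=$4 port=$5 proto=$6
    filter=""
    if [ -n "$proto" ]; then filter=$(join_clause "$filter" "$proto"); fi
    if [ -n "$host" ];  then filter=$(join_clause "$filter" "host $host"); fi
    if [ -n "$net" ];   then filter=$(join_clause "$filter" "net $net"); fi
    if [ -n "$src" ];   then filter=$(join_clause "$filter" "src host $src"); fi
    if [ -n "$dst" ];   then filter=$(join_clause "$filter" "dst host $dst"); fi
    if [ -n "$port" ];  then filter=$(join_clause "$filter" "port $port"); fi
    printf '%s\n' "$filter"
}

# start_capture IFACE OUTFILE FILTER
# Writes a standard pcap file (-w) with full packets (-s 0) and no name
# resolution (-n) so the capture starts immediately and stays portable
# to whatever analysis tool is used afterwards.  Needs capture privileges.
start_capture() {
    iface=$1 outfile=$2 filter=$3
    if [ -n "$filter" ]; then
        tcpdump -i "$iface" -n -s 0 -w "$outfile" "$filter"
    else
        tcpdump -i "$iface" -n -s 0 -w "$outfile"
    fi
}

# Constructed demonstration values: DNS traffic to one resolver.
# Prints the filter only; uncomment the last line to actually capture.
demo_filter=$(build_filter 10.0.0.5 "" "" "" 53 udp)
printf 'filter: %s\n' "$demo_filter"
# start_capture eth0 /var/tmp/dns-10.0.0.5.pcap "$demo_filter"
```

Keeping a handful of such pre-built invocations on each span-port host (one per recurring question: a single host, a /24, a protocol) is what makes the command line faster than the GUI when it matters. The `-w` output is plain pcap, which most GUI analyzers, including the commercial ones discussed above, read directly, so the capture and the analysis tool do not have to be the same product.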