[unisog] Remote sniffers- what do you use?

Jim Noonan jim.noonan at sonoma.edu
Thu Mar 9 20:15:43 GMT 2006

Wildpackets also has a product called packetgrabber that can be deployed on
remote devices that allows you to perform your captures. These can be bought
in multi-license deals and then reduces your need to have more than one or
two copies of their higher end products, like NX.

Jim Noonan
Network & Telecommunication Services
Sonoma State University
1801 East Cotati Ave.
Schulz 1004
Rohnert Park, CA 94928
Tel: 707-664-3980

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Huba Leidenfrost
Sent: Thursday, March 09, 2006 12:02 PM
To: 'UNIversity Security Operations Group'
Subject: Re: [unisog] Remote sniffers- what do you use?

Last time I checked, Wildpackets was quickly giving Network General (the
Cadillac of GUI network sniffers) a run for their money.  The commercial
solutions have more options than we've *ever* had occasion to use.  If I
didn't already have a commercial distributed sniffer setup, I think I would
be hard pressed to justify a system based on commercial tools.  And this is
coming from someone certified in using Sniffer Pro.  However, you should
consider keeping at least one copy of a tool like Network General's Sniffer
Portable for those times when you need the expert analysis (artificial
intelligence rules).  This expert analysis has saved valuable time over the
years.  So I would suggest as others have suggested that you build your
distributed sniffing system with free tools but do try to have your
management purchase you one copy of a really good expert analysis tool to
keep around.

WildPackets has a free conversion tool called ProConvert that will take one
packet capture format and convert it to another format.  .dmp to .cap for
instance so you can pretty much capture with whatever you want and analyze
with whatever other tool you choose.

Good question, Sunia.  I've enjoyed reading and learning from the other
feedback your question generated.  Laura Chappell's "Protocol Analysis
Institute" http://www.packet-level.com/ has some good links.

One other thought.  If you don't want to constantly leave a capture going,
the command line tools (tcpdump etc.) in my experience have always beaten the
commercial GUI tools in time to start capturing a specific type of traffic
(specific host/network range/src/dst/protocol/ip options).  When you really
need to find out what is going on is not the time to spend click-happy in
some GUI trying to set up a specific capture filter.

Huba Leidenfrost
ITS Security Analyst
University of Idaho
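The point above about starting a narrowly filtered capture quickly from the command line, as an added example that is not part of the thread: a small POSIX sh wrapper of the kind one would keep on a remote sensor box. It composes a tcpdump BPF filter from the same selectors the message names (host, network range, src, dst, protocol) and prints the capture command line for an unattended, rotating capture. The function names, the interface "eth1", the output directory and the rotation values are assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the unisog thread): helper functions for starting a
# filtered tcpdump capture on a remote sensor. Names and values are assumed.

# build_filter HOST NET SRC DST PROTO -> BPF filter expression on stdout.
# Empty arguments are skipped; the selectors given are AND-ed together.
build_filter() {
  f=""
  [ -n "$1" ] && f="host $1"
  [ -n "$2" ] && f="${f:+$f and }net $2"
  [ -n "$3" ] && f="${f:+$f and }src host $3"
  [ -n "$4" ] && f="${f:+$f and }dst host $4"
  if [ -n "$5" ]; then
    # Only accept protocol keywords tcpdump understands; anything else is
    # almost certainly a typo, and it keeps stray text out of the expression.
    case "$5" in
      tcp|udp|icmp|icmp6|arp|ip|ip6) f="${f:+$f and }$5" ;;
      *) echo "build_filter: unknown protocol '$5'" >&2; return 1 ;;
    esac
  fi
  printf '%s\n' "$f"
}

# capture_cmd IFACE OUTDIR FILTER -> the tcpdump command line on stdout.
#   -nn        no name/port resolution: faster start, no DNS noise from the sensor
#   -s 0       full packets, so the files can be re-analysed in any other tool
#   -Z nobody  drop root once the interface is open
#   -G/-W      rotate the file hourly and keep one day's worth (assumed values)
capture_cmd() {
  iface=$1; outdir=$2; filter=$3
  printf '%s\n' "tcpdump -i $iface -nn -s 0 -Z nobody -G 3600 -W 24 -w $outdir/cap-%Y%m%d-%H%M%S.pcap '$filter'"
}

# Usage (run as root on the sensor):
#   FILTER=$(build_filter "" 10.1.2.0/24 "" 10.1.2.9 tcp) || exit 1
#   eval "$(capture_cmd eth1 /var/captures "$FILTER")"
```

Because the filter is compiled into the kernel by tcpdump, a sensor started this way only copies the packets it was asked for, and the resulting .pcap files can be opened later in whichever analysis tool the team prefers, which is the capture-with-anything, analyse-with-anything workflow the thread describes.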

> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of sunia
> Sent: Wednesday, March 08, 2006 2:09 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] Remote sniffers- what do you use?
> Just wanted to say that this is a really helpful and friendly group.  
> Thanks for all the good ideas!
> Right now, I'm trying to evaluate various sniffer tools.  I've taken a
> look at NetScout's nGenius and Network General's Sniffer/Infinistream.
> Both seem extremely top-heavy business oriented suites which require 
> lots of care and feeding.  What I'd really like is just a super simple 
> way of seeing packets on every local network.  My current thought is 
> to just use some sort of open source sniffer on a bunch of small hosts
> that sit off span ports at each major distribution point.  I'd script 
> the spanning so it would be easy to get onto the right network.
> Anyone have any recommendations for an open source sniffer (ideally 
> cli and web interface, no weird platform or java dependencies)?  
> Catering to individuals' prejudices against/for user interfaces turns 
> out to be a lot more difficult than the backend stuff.
> What are you using?
> Thanks!
> Sunia
> ----------------------------------------------
> Sunia Yang
> Network Engineer
> Stanford University
> sunia.yang at stanford.edu
> (650)723-3543
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
