Network traffic sniffer and monitoring

[gore]

The questions wasn't "newbie" of you. I'd say it was a good one.

If you run a router that's a boxed off the shelf product it's not going to be a simple matter of watching traffic. Ron has that info already so I'll go into a different situation where this is a little easier to do:

You have X number of machines running Windows on a network, and a BSD or Linux box that you use FOR the router; This set up is a little easier. You take a really old machine you use as a door stopper or something, like a 386 or 486, pop Slackware or BSD on that, add a bunch of network cards, a few of the things that the installer for both OSs listed asks if you'd like them, and then you use that machine as your router, and you can log into it over SSH, or Telnet if you're feeling frisky, and start up one of these apps, and watch the traffic.

One of the things that some people probably appreciate about these OSs is they don't require a brand new processor to run. You can still use a 386 machine to run a basic non GUI OS to test things on.

And considering how slow the stuff is it's probably much cooler running than most processors you'll find now anyway.

During the Slackware installation, towards the end where it asks what services you want set up, it has the option to run the machine as a router to do this. Slackware needs a 486 though, but really, how much difference is that? 10 dollars? Compared to 80 - 100 for an off the shelf router, it's still a nice deal considering you can probably find a 486 for under 30 dollars, and you don't need a monitor for something like this, you could log in over SSH to do all the work on it.

I've managed to work on a machine "headless" because the power went out once, and because I couldn't turn the monitor on (It takes a lot of juice and the UPS I had was a home version that only gives you a few minutes to get it shut down) I didn't have the monitor turned on, and knew that the night before when I went to bed, I had left the machine with KDE running.

I did this:

ALT+CTRL+F5 (I knew I didn't have a log in on that one) and then did this:

root [Enter}
Password [Enter}
halt[Enter]
And shut down.

In theory you could do this on a machine acting as a router for different things, like updates.

Or keep an old monitor around hooked up in case you need to use the system console VS SSH, like upgrading a Kernel, or messing with packet filtering where you can lock yourself out of the box by accident.

[Raiden]

Sniffing with a prog like wireshark, tcpdump, snoop can give huge files to dig in too, not to talk about the space you'd need. I would recommend not going in tcp-flag level debugging unless you are troubleshooting.

What you can do is simply use a firewall. Most nix-base firewalls have nice logging, aside of a proxy and snort IDS, and they log the time sessions have been open, etc, etc ... What more do you need ?

I'd recommend Smoothwall or Astaro from personal experience.

Greetz.

[instronics]

The green ogre above beat me to it

Indeed a packet sniffer would be too much for what you are seeking. I use smoothwall now and i have added some nice modules to it. It has a nice GUI layout where you can monitor everything you need. It is really advisable to use this. Although.. it would need a dedicated machine with 2 network cards (or more if you need DMZ) and you can neatly and easily setup rules aswell as monitor everything that you want.

Btw.. smoothwall primarily a firewall. But you can add all sorts of traffic logging and traffic information using modules such as proxis, content filtering and a few other neat features. Check out their forums for more info.

http://community.smoothwall.org/forum/

[bradlesliect]

Hi!

I have heard of this thing called smoothwall and would like to take a look and use the "try before you buy" scheme ...but...I have a user/users who is abusing the internet right now as we speak. I need to catch the person(s) in the act and nail them. I want to impliment an AUP for internet and network use and this information would be ideal for case study.

The current network is configured as ALL windows workstations and the router is the gateway. We are not using DHCP and the router firewall is enabled. The router is also making use of NAT.

I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!

I have a fair suspicion of who it is ...just need the proof!

[Cheap Scotch Ron]

Use wireshark/ethereal. It's friendly, quick and easy. Once you have identified the troublesome IP or MAC addresses you can add a filter to the trap. This will greatly reduce the amount that gets logged. The tool not only traps the data, it allows you to view it in an easy to read format. Try it. the sooner you get started, the sooner you nail 'em. If you run into issues come back here. Good luck.

csr

[instronics]

Hi!

/I have heard of this thing called smoothwall and would like to take a look and use the "try before you buy" scheme/
/
/I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!/

Did you even bother to look at smoothwall's site?

[Threads]

hey bradlesliect,

i'm just curious; what did you mean by "abusing the internet". what are the users doing?


Regards,

- threads

[nihil]

Brad,

I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!

Have you considered installing a keylogger on that particular machine? To be perfectly honest I hate keyloggers, but that is because they steal resources unnecessarily and create a hell of a lot of data to analyse.

There are more friendly ones that would be OK once you have identified specific targets. Should handle the reporting bit OK.

You are going to have to pay for this software............. I would destroy you in court if you are using "free" stuff.

Maybe a Musgrave would be an alternative?.....I personally prefer it in .308 Win

[oofki]

The solution really depends on the environment. If you legally have the right to a keylogger like Nihil suggest actually may be the easiest and best way. If you do not want to install a keylogger for what ever reason then a combination of ARP poisoning and sniffing on the network should do the trick as Threads has mentioned. That is assuming of course the switch does not have security measures against that type of attack and if it does then they can be turned off.

And BTW Cain and Abel is a really easy program to do ARP poisioning with just run that along side something like wireshark.