Network traffic sniffer and monitoring - Page 2

Thread: Network traffic sniffer and monitoring

  1. #11
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    The question wasn't "newbie" of you. I'd say it was a good one.

    If you run a router that's a boxed off the shelf product it's not going to be a simple matter of watching traffic. Ron has that info already so I'll go into a different situation where this is a little easier to do:

    You have X number of machines running Windows on a network, and a BSD or Linux box that you use FOR the router; this setup is a little easier. You take a really old machine you use as a door stopper or something, like a 386 or 486, pop Slackware or BSD on that, add a bunch of network cards, a few of the things that the installer for both OSs listed asks if you'd like them, and then you use that machine as your router, and you can log into it over SSH, or Telnet if you're feeling frisky, and start up one of these apps, and watch the traffic.

    One of the things that some people probably appreciate about these OSs is they don't require a brand new processor to run. You can still use a 386 machine to run a basic non GUI OS to test things on.

    And considering how slow the stuff is it's probably much cooler running than most processors you'll find now anyway.

    During the Slackware installation, towards the end where it asks what services you want set up, it has the option to run the machine as a router to do this. Slackware needs a 486 though, but really, how much difference is that? 10 dollars? Compared to 80 - 100 for an off the shelf router, it's still a nice deal considering you can probably find a 486 for under 30 dollars, and you don't need a monitor for something like this, you could log in over SSH to do all the work on it.

    I've managed to work on a machine "headless" because the power went out once, and because I couldn't turn the monitor on (It takes a lot of juice and the UPS I had was a home version that only gives you a few minutes to get it shut down) I didn't have the monitor turned on, and knew that the night before when I went to bed, I had left the machine with KDE running.

    I did this:

    ALT+CTRL+F5 (I knew I didn't have a log in on that one) and then did this:

    root [Enter]
    Password [Enter]
    halt [Enter]
    And shut down.

    In theory you could do this on a machine acting as a router for different things, like updates.

    Or keep an old monitor around hooked up in case you need to use the system console VS SSH, like upgrading a Kernel, or messing with packet filtering where you can lock yourself out of the box by accident.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween. The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  2. #12
    Shrekkie Reloaded Raiden's Avatar
    Join Date
    Oct 2005
    Posts
    1,115
    Sniffing with a prog like wireshark, tcpdump, snoop can give huge files to dig into, not to talk about the space you'd need. I would recommend not going into tcp-flag level debugging unless you are troubleshooting.

    What you can do is simply use a firewall. Most nix-based firewalls have nice logging, aside from a proxy and snort IDS, and they log the time sessions have been open, etc, etc ... What more do you need?

    I'd recommend Smoothwall or Astaro from personal experience.

    Greetz.

  3. #13
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901


    The green ogre above beat me to it

    Indeed a packet sniffer would be too much for what you are seeking. I use smoothwall now and I have added some nice modules to it. It has a nice GUI layout where you can monitor everything you need. It is really advisable to use this. Although.. it would need a dedicated machine with 2 network cards (or more if you need a DMZ) and you can neatly and easily set up rules as well as monitor everything that you want.

    Btw.. smoothwall is primarily a firewall. But you can add all sorts of traffic logging and traffic information using modules such as proxies, content filtering and a few other neat features. Check out their forums for more info.

    http://community.smoothwall.org/forum/
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #14
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74
    Hi!

    I have heard of this thing called smoothwall and would like to take a look and use the "try before you buy" scheme ...but...I have a user/users who is abusing the internet right now as we speak. I need to catch the person(s) in the act and nail them. I want to implement an AUP for internet and network use and this information would be ideal for a case study.

    The current network is configured as ALL windows workstations and the router is the gateway. We are not using DHCP and the router firewall is enabled. The router is also making use of NAT.

    I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!

    I have a fair suspicion of who it is ...just need the proof!
    .....I rather not say....

  5. #15
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Use wireshark/ethereal. It's friendly, quick and easy. Once you have identified the troublesome IP or MAC addresses you can add a filter to the trap. This will greatly reduce the amount that gets logged. The tool not only traps the data, it allows you to view it in an easy to read format. Try it. The sooner you get started, the sooner you nail 'em. If you run into issues come back here. Good luck.

    csr
    In God We Trust....Everything else we backup.
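The two-step workflow in the post above (first find the noisy IP, then filter the trap down to it) as an added example; this is not code from the thread. The capture lines are constructed in the shape of `tcpdump -nn -q` output, and the `192.168.1.` prefix, the addresses and the byte counts are assumptions.

```python
"""Narrow a noisy capture to one suspect host: summarise tcpdump-style lines
per internal address, then emit the capture filter for the follow-up sniff.
Added example, not from the thread; lines are constructed, shaped like
`tcpdump -nn -q` output, not a real capture."""
import re
from collections import defaultdict
SAMPLE_LINES = """\
10:01:02.100 IP 192.168.1.10.51234 > 203.0.113.5.80: tcp 1460
10:01:02.150 IP 203.0.113.5.80 > 192.168.1.10.51234: tcp 0
10:01:03.200 IP 192.168.1.22.49152 > 198.51.100.9.443: tcp 60
10:01:03.900 IP 192.168.1.10.51235 > 203.0.113.5.80: tcp 1460
10:01:04.000 IP 192.168.1.10.51236 > 203.0.113.77.6881: UDP, length 900
10:01:05.000 IP 192.168.1.5.3389 > 192.168.1.22.50000: tcp 120
"""
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: "
                     r"(?:tcp (\d+)|UDP, length (\d+))")
def summarise(lines, internal_prefix="192.168.1."):
    """Per internal host: payload bytes out/in across the router and the set of
    remote addresses. LAN-to-LAN lines are skipped: the question is Internet use."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "remotes": set()})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IP line (e.g. ARP); ignore
        src, dst = m.group(1), m.group(2)
        size = int(m.group(3) or m.group(4))
        src_in, dst_in = src.startswith(internal_prefix), dst.startswith(internal_prefix)
        if src_in and not dst_in:
            stats[src]["out"] += size
            stats[src]["remotes"].add(dst)
        elif dst_in and not src_in:
            stats[dst]["in"] += size
            stats[dst]["remotes"].add(src)
    return dict(stats)

def top_talkers(lines):
    """Internal hosts ordered by bytes sent out; the first is the one to look at."""
    s = summarise(lines)
    return sorted(s, key=lambda h: s[h]["out"], reverse=True)

def capture_filter(ip, mac=None):
    """BPF capture filter for the narrowed sniff. This LAN has no DHCP, so the IP
    is stable; adding the MAC keeps the filter valid if the user changes it by hand."""
    expr = f"host {ip}"
    return f"{expr} or ether host {mac}" if mac else expr

if __name__ == "__main__":
    for host in top_talkers(SAMPLE_LINES):
        print(host, summarise(SAMPLE_LINES)[host])
```

The returned filter string is ordinary BPF syntax, so it can be pasted into tcpdump or into Wireshark's capture-filter box as-is.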

  6. #16
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Quote Originally Posted by bradlesliect View Post
    Hi!

    I have heard of this thing called smoothwall and would like to take a look and use the "try before you buy" scheme

    I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!
    Did you even bother to look at smoothwall's site?
    Last edited by instronics; January 28th, 2009 at 01:08 PM.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  7. #17
    Junior Member
    Join Date
    Nov 2008
    Posts
    9
    hey bradlesliect,

    I'm just curious; what did you mean by "abusing the internet"? What are the users doing?


    Regards,

    - threads

  8. #18
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Brad,

    I really, really, REALLY need to find something that is windows friendly, quick and easy to use, creates reports and provides enough info to nail the sucker!
    Have you considered installing a keylogger on that particular machine? To be perfectly honest I hate keyloggers, but that is because they steal resources unnecessarily and create a hell of a lot of data to analyse.

    There are more friendly ones that would be OK once you have identified specific targets. Should handle the reporting bit OK.

    You are going to have to pay for this software............. I would destroy you in court if you are using "free" stuff.

    Maybe a Musgrave would be an alternative?.....I personally prefer it in .308 Win
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #19
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    The solution really depends on the environment. If you legally have the right to, a keylogger like Nihil suggests actually may be the easiest and best way. If you do not want to install a keylogger for whatever reason then a combination of ARP poisoning and sniffing on the network should do the trick as Threads has mentioned. That is assuming of course the switch does not have security measures against that type of attack, and if it does then they can be turned off.

    And BTW Cain and Abel is a really easy program to do ARP poisoning with; just run that alongside something like wireshark.
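The defender-side counterpart of the post above, as an added example that is not code from the thread: the "security measures" the post mentions exist because ARP poisoning is visible on the wire as one IP being claimed by two MACs, so a passive monitor can flag it. The reply records, addresses and MACs below are constructed.

```python
"""Passive ARP-reply monitor: flags any IP whose claimed MAC changes, with the
gateway's address treated as the highest-priority case (that is the one an
ARP poisoner impersonates). Added example, not from the thread; the reply
records below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start (constructed)
    sender_ip: str
    sender_mac: str

# Constructed sequence: the gateway answers normally, then a workstation's
# MAC starts answering for the gateway's IP.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:aa:bb:01"),
    ArpReply(1.0, "192.168.1.22", "00:11:22:aa:bb:22"),
    ArpReply(2.0, "192.168.1.1", "00:11:22:aa:bb:01"),
    ArpReply(3.0, "192.168.1.1", "00:11:22:aa:bb:22"),
    ArpReply(3.5, "192.168.1.1", "00:11:22:aa:bb:22"),
]

def detect_arp_conflicts(replies, gateway_ip, known=None):
    """Return alerts for IPs whose sender MAC changes. `known` seeds the
    IP->MAC table (a static inventory, which this thread's non-DHCP LAN makes
    practical); otherwise the first reply seen for an IP is trusted."""
    table = dict(known or {})
    alerts = []
    for r in replies:
        seen = table.get(r.sender_ip)
        if seen is None:
            table[r.sender_ip] = r.sender_mac
        elif seen != r.sender_mac:
            alerts.append({
                "ts": r.ts, "ip": r.sender_ip, "old": seen, "new": r.sender_mac,
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
            })
    return alerts

def suspect_macs(alerts):
    """MACs that claimed someone else's IP, i.e. the machine running the poisoner."""
    return sorted({a["new"] for a in alerts})

if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_REPLIES, "192.168.1.1"):
        print(a)
```

On a managed switch the same check can be enforced in hardware (port security or ARP inspection bound to known addresses), which is why the post has to assume those features are absent or disabled.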
