Re: [SLE] Looking for info on setting up a packet sniffer
From: Jostein Berntsen (jbernts_at_broadpark.no)
Date: 05/19/04
- Previous message: Malke Routh: "Re: [SLE] powersaved question"
- In reply to: Stuart Powell: "[SLE] Looking for info on setting up a packet sniffer"
- Next in thread: John Lalla: "Re: [SLE] Looking for info on setting up a packet sniffer"
- Reply: John Lalla: "Re: [SLE] Looking for info on setting up a packet sniffer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 19 May 2004 13:46:03 +0200
To: suse-linux-e@suse.com
On 18.05.04,17:25, Stuart Powell wrote:
> Hello, everyone.
>
> I have a SuSE 9.0 Pro machine set up with a pair of NICs that I need to
> use as a packet sniffer to help diagnose an issue with a Watchguard
> Firebox sitting on RoadRunner's residential cable network. Since
> RoadRunner only gives out one IP address at a time, based on MAC
> address, I want to have one NIC live on the inside of the firewall so I
> can access the machine as usual on the LAN, and the other should be on
> the outside of the firewall (via a hub) but be set up so as to not have
> an IP address. This is for two reasons:
>
> 1. As the second device behind the cable modem, it won't get an IP
> address.
> 2. So that it cannot be accessed from the Internet directly as it
> won't have an IP address to attack it on.
>
> Of course, the card also needs to be in promiscuous mode in order to
> accept ALL packets from the network segment.
>
> Does anyone have any links to sites or documents that would tell me how
> to set all this up? I've Googled it but there's just too much dross to
> wade through. I've used Ethereal in the past but never on a
> non-addressable interface, so I don't even know if it will do it. I'm
> also open to suggestions on what other packet sniffing utilities might
> be worth using instead of Ethereal. I'm fairly sure it can be done, as
> the Oculan device does its IDS functions (which is packet capturing) on
> a non-addressable interface and that's a Linux based device.
>
> In case it matters to anyone, the Watchguard Firebox (Linux based
> device) works great for about 28 hours, at which point traffic just stops
> flowing. We suspect a DHCP issue, but neither the Netmaster GG-Blade
> (also Linux based) nor the Sonicwall Tele3TZX have been affected by
> this problem. The Watchguard support guys asked me to put the sniffer
> out there to see if we can try and see what is happening right before
> the traffic stops flowing. A quick reboot of the Firebox brings it back
> to life for another 28 hrs or so.
>
> References:
> http://www.watchguard.com/
> http://www.sonicwall.com/
> http://www.netmaster.com/
> http://www.ethereal.com/
> http://www.oculan.com/
>
> Thanks much,
> Stuart.
You might try to use Snort as a sniffer:
By setting it up with the right logging you should be able to find out
some clues about the Firebox.
http://www.snort.org/docs/snort_manual/node5.html
Ethereal should be able to work with these data.
- Jostein
--
Jostein Berntsen <jbernts@broadpark.no>
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
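The capture-only NIC setup Stuart describes (link up, no IP address, promiscuous mode) with a rotating tcpdump capture of the suspected DHCP traffic, written as an added example that is not from either poster or from Snort/Ethereal. It assumes a Linux box with iproute2 and tcpdump, run as root; the interface name `eth1` and the output directory are placeholders for the NIC on the hub outside the firewall.

```shell
#!/bin/sh
# Bring up the outside-facing NIC with no IP address, in promiscuous mode,
# and record DHCP/ARP traffic to pcap files that Ethereal can open.
# Assumptions: Linux, iproute2 ("ip"), tcpdump; must run as root.
CAP_IF="${CAP_IF:-eth1}"              # placeholder: NIC on the outside hub
OUT_DIR="${OUT_DIR:-/var/log/sniff}"  # placeholder: where pcaps are kept

# BPF filter: DHCP is UDP 67 (server) / 68 (client). ARP is kept too, so
# address-resolution failures around a lease renewal are visible.
capture_filter() {
    printf '%s' 'arp or (udp and (port 67 or port 68))'
}

# Time-stamped pcap name so each capture run is kept separately.
# $1: directory, $2: timestamp (YYYYmmdd-HHMMSS)
pcap_name() {
    printf '%s/dhcp-%s.pcap' "$1" "$2"
}

# Strip any address or lease from the NIC, bring the link up in promiscuous
# mode, and confirm the PROMISC flag is actually set. Never start a DHCP
# client on this interface: that would give it the IP we want it not to have.
prepare_capture_if() {
    ip addr flush dev "$CAP_IF"
    ip link set "$CAP_IF" up promisc on
    ip -o link show "$CAP_IF" | grep -q PROMISC
}

# Ring-buffer capture so a ~28 hour wait cannot fill the disk:
# -nn no name lookups (no traffic from the sniffer), -s 0 full frames,
# -C rotate every 10 MB, -W keep at most 20 files, -w write pcap.
start_capture() {
    mkdir -p "$OUT_DIR"
    f=$(pcap_name "$OUT_DIR" "$(date +%Y%m%d-%H%M%S)")
    tcpdump -i "$CAP_IF" -nn -s 0 -C 10 -W 20 -w "$f" "$(capture_filter)"
}

# Only touch the NIC when invoked as "./sniff.sh run"; sourcing the file
# just defines the helpers.
if [ "${1:-}" = "run" ]; then
    prepare_capture_if && start_capture
fi
```

Open the resulting pcap files in Ethereal and look at the DHCP exchange just before the timestamp at which the Firebox stopped passing traffic.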