Re: [SLE] Looking for info on setting up a packet sniffer

From: John Lalla (john.lalla_at_cox.net)
Date: 05/26/04

    Date: Wed, 26 May 2004 03:14:07 -0700
    To: suse-linux-e@suse.com

    On Wed, May 19, 2004 at 01:46:03PM +0200, Jostein Berntsen wrote:
    > On 18.05.04,17:25, Stuart Powell wrote:
    > > Hello, everyone.
    > >
    > > I have a SuSE 9.0 Pro machine set up with a pair of NICs that I need to
    > > use as a packet sniffer to help diagnose an issue with a Watchguard
    > > Firebox sitting on RoadRunner's residential cable network. Since
    > > RoadRunner only gives out one IP address at a time, based on MAC
    > > address, I want to have one NIC live on the inside of the firewall so I
    > > can access the machine as usual on the LAN, and the other should be on
    > > the outside of the firewall (via a hub) but be set up so as to not have
    > > an IP address. This is for two reasons:
    > >
    > > 1. As the second device behind the cable modem, it won't get an IP
    > > address.
    > > 2. So that it cannot be accessed from the Internet directly as it
    > > won't have an IP address to attack it on.
    > >
    > > Of course, the card also needs to be in promiscuous mode in order to
    > > accept ALL packets from the network segment.
    > >
    > > Does anyone have any links to sites or documents that would tell me how
    > > to set all this up ? I've Googled it but there's just too much dross to
    > > wade through. I've used Ethereal in the past but never on a
    > > non-addressable interface, so I don't even know if it will do it. I'm
    > > also open to suggestions on what other packet sniffing utilities might
    > > be worth using instead of Ethereal. I'm fairly sure it can be done, as
    > > the Oculan device does its IDS functions (which is packet capturing) on
    > > a non-addressable interface and that's a Linux based device.
    > >
    > > In case it matters to anyone, the Watchguard Firebox (Linux based
    > > device) works great for about 28 hours, at which point traffic just stops
    > > flowing. We suspect a DHCP issue, but neither the Netmaster GG-Blade
    > > (also Linux based) nor the Sonicwall Tele3TZX have been affected by
    > > this problem. The Watchguard support guys asked me to put the sniffer
    > > out there to see if we can try and see what is happening right before
    > > the traffic stops flowing. A quick reboot of the Firebox brings it back
    > > to life for another 28hrs or so.
    > >
    > > References:
    > > http://www.watchguard.com/
    > > http://www.sonicwall.com/
    > > http://www.netmaster.com/
    > > http://www.ethereal.com/
    > > http://www.oculan.com/
    > >
    > > Thanks much,
    > > Stuart.
    >
    > You might try to use Snort as a sniffer:
    >
    > http://www.snort.org/
    >
    > By setting it up with the right logging you should be able to find out
    > some clues about the Firebox.
    >
    > http://www.snort.org/docs/snort_manual/node5.html
    >
    > Ethereal should be able to work with these data.
    >
    > - Jostein
    >
    > --
    > Jostein Berntsen <jbernts@broadpark.no>
    >
    > --
    > Check the headers for your unsubscription address
    > For additional commands send e-mail to suse-linux-e-help@suse.com
    > Also check the archives at http://lists.suse.com
    > Please read the FAQs: suse-linux-e-faq@suse.com
    >
    I would have to concur with the above post. This said, however, your query is less SuSE specific than it is sys admin related in general. Therefore, I would recommend you head over to "full-disclosure" and post the same question.

    The FD list is populated by some of the most experienced and knowledgeable admins in the world - no joke. You're bound to get some useful guidance from them. Unfortunately, there are many script kiddies who infiltrate the list, so I recommend you avoid ever opening an attachment or accepting a link from the list without paying attention first. These kids wish they were real hackers and have something to prove. If you're running *nix in some form, which you obviously are, you'll have nothing to fear.

    http://lists.netsys.com/full-disclosure-charter.html

    Regards,

    -- 
    John Lalla
    Santa Barbara CA
    	         .~.	 _
    	         /v\    -o)
    no gates...     /( )\   /\\     running GNU/Linux
      no windows!   ^^^^^  _\_v        free at last!
    "Only those who attempt the absurd can achieve the impossible."
    "Those who would trade liberty for security deserve neither."
    					- Benjamin Franklin
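Added example, not part of the thread: once the IP-less NIC on the hub side has been capturing (tcpdump or Ethereal writing a libpcap file), the suspected DHCP angle can be checked by pulling every DHCP message and its lease time out of the capture and lining the renewals up against the moment traffic stopped. The parser below reads the libpcap format directly; `build_sample_pcap` constructs one DHCP ACK with TEST-NET addresses purely as test input (the 28-hour lease it carries is an assumption chosen to match the outage interval, not something the thread reports).

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def parse_dhcp(bootp):
    """Return (message type, lease seconds or None, yiaddr) from a BOOTP/DHCP payload."""
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    yiaddr = ".".join(str(b) for b in bootp[16:20])
    mtype, lease, opts, i = None, None, bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:        # 255 = end of options
        if opts[i] == 0:                                # 0 = pad byte, no length field
            i += 1
            continue
        code, ln = opts[i], opts[i + 1]
        val = opts[i + 2:i + 2 + ln]
        if code == 53 and ln == 1:                      # option 53: DHCP message type
            mtype = DHCP_TYPES.get(val[0], "TYPE%d" % val[0])
        elif code == 51 and ln == 4:                    # option 51: lease time (seconds)
            lease = struct.unpack("!I", val)[0]
        i += 2 + ln
    return mtype, lease, yiaddr

def dhcp_events(pcap):
    """Yield (timestamp, type, lease, yiaddr) for each DHCP packet in a libpcap capture."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                            # past the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                    # not an IPv4/UDP frame
        udp = frame[14 + (frame[14] & 0x0F) * 4:]       # skip Ethernet + IP header (IHL)
        sport, dport = struct.unpack("!HH", udp[:4])
        if 67 in (sport, dport) or 68 in (sport, dport):
            parsed = parse_dhcp(udp[8:])
            if parsed:
                yield (sec + usec / 1e6,) + parsed

def build_sample_pcap(ts, lease):
    """Constructed test data (TEST-NET addresses): one DHCP ACK carrying the given lease."""
    bootp = bytes([2, 1, 6, 0]) + b"\0" * 12 + bytes([192, 0, 2, 10]) + b"\0" * 216 + DHCP_MAGIC
    bootp += bytes([53, 1, 5, 51, 4]) + struct.pack("!I", lease) + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])) + udp
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
```

Feed a real capture with `list(dhcp_events(open("capture.pcap", "rb").read()))`; an ACK whose lease length matches the gap between successive renewals and the outage time is what to look for.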