LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-19-2007, 06:17 AM   #1
metallica1973
Cisco SPAN / Wireshark

I have several Cisco switches (6500, 2900, etc.), some with NAMs and others without, and am now starting to learn about SPAN and capturing data. My question is:

Let's say for example I have a client computer that is connected to a port on my 6500 core switch and I wanted to monitor his traffic with Cisco SPAN. Can I configure that port on the Cisco 6500 to forward SPAN traffic to a Linux box capturing data via Wireshark and just set the NIC to promiscuous mode to see that data, or can someone please break this down for me? Thanks.
 
Old 11-19-2007, 06:30 AM   #2
acid_kewpie
Absolutely, it's *really* easy to do. Two lines on IOS and you can say all traffic on this VLAN, interface, port-channel etc. be copied to another port. Real simple stuff. RSPAN makes things a little more complex on the Cisco side, but if you have a decent amount of bandwidth to copy data around it, a single SPAN port on your core can easily give you access to any packet in and out of any other connected distribution and edge switch as well as the core itself.
 
Old 11-19-2007, 09:38 AM   #3
metallica1973
I am being asked to capture gigs of data and then have it analyzed and reported back in a nice format. Do you have any ideas on decent report features that can import different capture formats? I have been looking into Zenoss.org, pandora.sourceforge.net and things of the sort, but these are complete network monitoring programs. What about using Wireshark and a nice reporting program?
 
Old 11-19-2007, 09:50 AM   #4
acid_kewpie
It really depends what you actually want to get out of it. Would you just want to stick it into ntop? The 6500 supports NetFlow, so to get usage graphs of bandwidth and such you wouldn't even need a SPAN port. In general, sniffing gigs of traffic will never lead to any useful report, only for forensics and troubleshooting. I've been looking to build my own network caches, storing the last 10TB of network traffic or such for retrospective analysis of network traffic, rather than direct real-time inspection, which is much tougher. Zenoss kinda sucks btw... there's a hell of a lot of stuff you could report on at the IP level.
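As an added illustration (not code from the thread or from any of the tools named in it) of the kind of IP-level report the reply above mentions, here is a dependency-free Python pass over a Wireshark/tcpdump `.pcap` file that totals bytes on the wire per source, destination and protocol. The capture it runs on is constructed inline, so the script works offline; point `top_talkers` at the bytes of a real SPAN-port capture to use it for real.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
ETH_IPV4 = 0x0800

def parse_pcap(data):
    """Yield (captured bytes, original length) per record from a .pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng/nanosecond not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:                      # DLT_EN10MB: what a SPAN port delivers
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len

def ipv4_flow(pkt):
    """Return (src, dst, proto) for an Ethernet/IPv4 frame, else None."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
        return None
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
    return src, dst, pkt[23]

def top_talkers(data, n=5):
    """Bytes on the wire per (src, dst, proto), largest first; orig_len so a short snaplen does not skew totals."""
    totals = Counter()
    for pkt, orig_len in parse_pcap(data):
        flow = ipv4_flow(pkt)
        if flow:
            totals[flow] += orig_len
    return totals.most_common(n)

# Constructed sample capture (not a real trace): four frames, two hosts talking.
def _frame(src, dst, proto, payload_len):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * payload_len

def sample_pcap():
    frames = [_frame("10.0.0.5", "10.0.0.1", 6, 1000), _frame("10.0.0.1", "10.0.0.5", 6, 100),
              _frame("10.0.0.5", "10.0.0.1", 6, 1000), _frame("10.0.0.5", "10.0.0.9", 17, 50)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 1195470000, 0, len(f), len(f)) + f
    return out
```

For multi-gigabyte captures the same loop works on a memory-mapped file; rotate captures with tcpdump's `-C`/`-G` options and run the report per file rather than loading everything at once.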
 
Old 11-19-2007, 12:32 PM   #5
metallica1973
acid_kewpie, thanks for responding to so many of my posts, you're awesome. I am new to my position and it entails monitoring network performance. Basically monitor several networks across the area using Cisco products; my employer is looking for an open-based solution to accommodate this. I am somewhat familiar with NetFlow etc. Is there an open source solution that is easy to understand and is easy to implement?
 
Old 11-19-2007, 01:14 PM   #6
acid_kewpie
In terms of open source NetFlow, ntop is the best, well largely the only, worthy solution. It has bugs and can suck at times, but is still under a lot of development, and worth pursuing. This can accept NetFlow, or alternatively hang directly off the SPAN port and do the monitoring you're originally looking at. Again though, "monitoring" means so, so many things; it's not until you find a "monitor" solution which doesn't do a single thing you value that you really see that. ntop will analyze throughput data; it won't tell you if things are up or down, it won't tell you about performance, just what is going through a certain point. This piece of the puzzle is in itself pretty much essential, especially on a WAN interface, but as a wider picture you'll never get a single monitor platform which covers what you really want. I've come up against this at work and we're looking at a "monitoring" solution, which I am looking at using about 7 different high-level products and manually integrating them... we have a NetFlow solution in Fluke NetFlow Analyzer, a TCP/IP traffic analysis tool in NetQoS, device monitoring in OpManager, application monitoring in AppManager, load balancer monitoring in F5 LTMs and so it goes on...
 
Old 11-20-2007, 04:44 PM   #8
OlRoy
If you want an open source alternative to Cisco's NetFlow, then take a look at Argus. If you want a bandwidth monitor then look at MRTG or Ourmon. Ourmon also has the capability of being a network statistical anomaly detection system and is great for detecting port scans from worms, botnets, or attackers. Here is a sample site of Ourmon: http://jerry.cat.pdx.edu/ourmon/
 
Old 11-21-2007, 01:51 AM   #9
acid_kewpie
Well, it's still most important to define what you actually want. Maybe you should define some use cases to satisfy? Looking at that list of links, those products vary massively in remit, and I don't *think* any of them at all will be able to make use of a SPAN port.