LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-21-2004, 09:34 AM   #1
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Placement of network sniffer in network


I'm thinking of putting a network sniffer on my home network and I'm wondering where to put it and how to get it to listen to all the traffic.

I believe that it should ideally be able to listen to the line going from the external firewall to the rest of the network.

The question is, how do I get it to be able to listen to all the traffic? If I had a more expensive switch, I guess I could set a port to be able to listen to all the traffic, but I haven't. I was thinking of using a little hub, but I can't find hubs that easily these days - everything is switched.

There's probably an obvious option that I'm missing, but what is it?
 
Old 06-21-2004, 12:48 PM   #2
linuxmarc
Member
 
Registered: Jun 2004
Posts: 44

Rep: Reputation: 15
You're actually on the right path... you'll need to pick up traffic going to your firewall, or out of it. If you use a software-based firewall you can put the packet monitor directly on this machine.

Lately, I've actually come across hubs that act like switches (each port is independent) but are not configurable, so be careful when selecting one.

Otherwise, your switch will need to support port-mirroring so you can copy all traffic to the port where your sniffer is housed.

For wireless networks, your wireless driver must support RF monitoring, which renders the card useless for all other purposes. In this mode, however, you'll pick up all wireless chatter on the network regardless of whether it's on your network or not.
 
Old 06-21-2004, 03:09 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well you can still find hubs if you know where to look. Some retail stores are blowing them out for cheap, and you could always find them on eBay.

Another option would be to create a network tap by doing a custom cable.

Also, which traffic do you need to monitor? If you need to monitor all Internet traffic (including attacks that are blocked), then you want it outside the firewall between the firewall and the router. If you only need to examine the traffic going through the firewall, you could put it behind the firewall between the firewall and the switch (using bridged interfaces on the IDS box). First you need to decide what exactly you need to monitor, then you can work on how to place the sensor.
 
Old 06-23-2004, 05:28 PM   #4
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
You can put two NICs in a Linux Box, then use the bridge modules and utilities (bridge.sourceforge.net) to set up a two port Ethernet bridge, which is essentially a two port switch. You then can plug the firewall into one port on the bridge, then plug the other port into your switch, and then a sniffer or Snort can watch all traffic going through the bridge.
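A concrete version of the two-NIC bridge sensor slacky describes, added here as an example rather than code from the post or from the bridge-utils project at bridge.sourceforge.net. It uses the iproute2 `ip link ... type bridge` commands that replaced `brctl`, assumes the firewall-facing NIC is eth1 and the LAN-facing NIC is eth2 (both hypothetical names), and leaves the bridge itself addressless so the sensor cannot be addressed from either side. `DRY_RUN=1` prints the commands instead of executing them, so the sequence can be checked without root.

```shell
#!/bin/sh
# Transparent two-NIC bridge for a passive sniffer (added example, not from
# the post).  Assumed names: eth1 faces the firewall, eth2 faces the switch.
# Usage (as root):  sh bridge-sensor.sh eth1 eth2
#        dry run :  DRY_RUN=1 sh bridge-sensor.sh eth1 eth2

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Join $1 (firewall side) and $2 (LAN side) into bridge $3 (default br0).
bridge_up() {
    fw_side=$1
    lan_side=$2
    br=${3:-br0}

    run ip link add name "$br" type bridge
    # No spanning tree: a sensor must never emit BPDUs or block a port.
    run ip link set dev "$br" type bridge stp_state 0
    # Enslave both NICs.  The kernel puts bridge ports into promiscuous
    # mode itself; "promisc on" is redundant on a modern kernel but makes
    # the intent explicit, and tcpdump on br0 then sees every forwarded frame.
    run ip link set dev "$fw_side" master "$br" promisc on up
    run ip link set dev "$lan_side" master "$br" promisc on up
    # Bring the bridge up with no IPv4 address and IPv6 disabled, so the
    # sensor never sends a packet of its own onto the monitored link.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1"
    run ip link set dev "$br" up
}

# Tear the bridge down again.  The firewall and the switch lose their link
# while the bridge is absent, so do this in a maintenance window.
bridge_down() {
    br=${1:-br0}
    run ip link del dev "$br"
}

# Show just the port assignments from a dry run: a cheap way to confirm the
# argument order before touching a live link.
bridge_ports() {
    DRY_RUN=1 bridge_up "$1" "$2" "$3" | awk '/master/ { print $5 }'
}

# When executed with interface arguments, build the bridge and sniff on it.
if [ "$#" -ge 2 ]; then
    bridge_up "$1" "$2" "$3"
    # -nn suppresses name lookups that would otherwise leak DNS queries
    # from the sensor; -e shows the MAC addresses, useful for ARP trouble.
    [ "${DRY_RUN:-0}" = 1 ] || exec tcpdump -i "${3:-br0}" -nn -e
fi
```

Unlike a hub or a tap, a software bridge is inline: if the sensor box reboots or loses power, the firewall and the switch have no path to each other until it is back. That makes this the placement for a dedicated always-on box, not for a laptop plugged in now and then.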
 
Old 06-23-2004, 08:04 PM   #5
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
You might use ettercap - a sniffer designed for switched LANs. But with its intrusive nature you must RTFM before deploying it - it is very easy to render your LAN inoperable by telling everyone you are the owner of all the MAC addresses in your network space, which is the nature of ettercap: it ARP-poisons the switch(es) on your LAN to the extent that they become transparent bridges and stop switching (the switch will function as a bridge at this point, broadcasting the traffic among all the hosts connected to it - that's how you sniff the traffic not destined to you - everything is broadcast at this point).
Regards,
Boris.
 
  


All times are GMT -5.