Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm thinking of putting a network sniffer on my home network and I'm wondering where to put it and how to get it to listen to all the traffic.
I believe that it should ideally be able to listen to the line going from the external firewall to the rest of the network.
The question is, how do I get it to be able to listen to all the traffic? If I had a more expensive switch, I guess I could set a port to be able to listen to all the traffic, but I haven't. I was thinking of using a little hub, but I can't find hubs that easily these days - everything is switched.
There's probably an obvious option that I'm missing, but what is it?
You're actually on the right path... you'll need to pick up traffic going to your firewall, or out of it. If you use a software-based firewall you can put the packet monitor directly on this machine.
Lately, I've actually come across hubs that act like switches (each port is independent) but are not configurable, so be careful when selecting one.
Otherwise, your switch will need to support port-mirroring so you can copy all traffic to the port where your sniffer is housed.
For wireless networks, your wireless driver must support RF monitoring, which renders the card useless for all other purposes. In this mode, however, you'll pick up all wireless chatter on the network regardless of whether it's on your network or not.
Well you can still find hubs if you know where to look. Some retail stores are blowing them out for cheap, and you could always find them on eBay.
Another option would be to create a network tap by doing a custom cable.
Also, which traffic do you need to monitor? If you need to monitor all Internet traffic (including attacks that are blocked), then you want it outside the firewall between the firewall and the router. If you only need to examine the traffic going through the firewall, you could put it behind the firewall between the firewall and the switch (using bridged interfaces on the IDS box). First you need to decide what exactly you need to monitor, then you can work on how to place the sensor.
You can put two NICs in a Linux Box, then use the bridge modules and utilities (bridge.sourceforge.net) to set up a two port Ethernet bridge, which is essentially a two port switch. You then can plug the firewall into one port on the bridge, then plug the other port into your switch, and then a sniffer or Snort can watch all traffic going through the bridge.
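As an added example (not code from the thread), the following shell script builds the two-NIC transparent bridge described above so a sniffer on the Linux box sees everything crossing it; it uses iproute2's ip, which has since replaced brctl from bridge.sourceforge.net, and the names eth0, eth1 and br0 are assumptions.

```shell
#!/bin/sh
# Added example: two-port Linux bridge as an in-line sniffer sensor.
# Assumes eth0 is cabled to the firewall, eth1 to the LAN switch, and
# the bridge is named br0. Needs root; with DRY_RUN=1 it only prints.
set -eu

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"   # assumed NIC toward the firewall
INSIDE_IF="${INSIDE_IF:-eth1}"     # assumed NIC toward the switch
BRIDGE="${BRIDGE:-br0}"            # assumed bridge name
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn the two NICs into one bridge. The bridge gets no IP address and
# IPv6 is disabled on it, so the sensor has no presence on the wire.
bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    run sysctl -w "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
    # Promiscuous mode: accept frames not addressed to the NIC's own MAC.
    run ip link set "$OUTSIDE_IF" promisc on
    run ip link set "$INSIDE_IF" promisc on
    run ip link set "$OUTSIDE_IF" master "$BRIDGE"
    run ip link set "$INSIDE_IF" master "$BRIDGE"
    run ip link set "$OUTSIDE_IF" up
    run ip link set "$INSIDE_IF" up
    run ip link set "$BRIDGE" up
}

# Capture on the bridge device: every frame forwarded between the two
# ports is delivered to it, so tcpdump (or Snort) sees the full stream.
sniff() {
    run tcpdump -ni "$BRIDGE" -w /var/tmp/bridge.pcap
}

# Number of commands bridge_up issues; useful for checking a dry run.
bridge_cmd_count() {
    (DRY_RUN=1; bridge_up) | wc -l | tr -d ' '
}

if [ "${1:-}" = "up" ]; then bridge_up; fi
if [ "${1:-}" = "sniff" ]; then sniff; fi
```

Run it as `DRY_RUN=1 sh bridge.sh up` first to review the exact commands, then without DRY_RUN to bring the bridge up and `sh bridge.sh sniff` to capture.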
You might use ettercap - a sniffer designed for switched LANs. But with its intrusive nature you must RTFM before deploying it - it is very easy to render your LAN inoperable by telling everyone you are the owner of all the MAC addresses in your network space, which is the nature of ettercap - ARP poison the switch(es) on your LAN to the extent they become transparent bridges and stop switching (the switch will function as a bridge at this point, broadcasting the traffic among all the hosts connected to it - that's how you sniff the traffic not destined to you - everything is broadcast at this point).