LinuxQuestions.org, Linux - Software forum
01-22-2008, 10:39 AM   #1
vortmax
packet logging

I need to set up a machine that will log all packets traversing a gateway. The gateway is a Cisco router, and I'm mirroring a port over, so getting the packets to the machine isn't the issue. It's the processing and handling that I need advice on.

There are two things I want to do with this setup. The first is to create daily (possibly hourly) pcap-style binary files that will rotate on a monthly basis. This is easy to accomplish with daemonlogger: I just tell it to make a new file after x time and to keep y files.

The second thing is to pass this info into an analysis program. I'm looking at using Splunk, which will give a ton of power in terms of searching and reporting. The only problem is that I need to feed the data into Splunk. I have made a configuration bundle that will ingest the output of Snort by directing it into a named pipe. One difficulty is that I wish to log the entire packet, but not really the hex part. So far Snort is the only thing I've found that will log the text of the packet contents and ignore the hex.

I can use Snort to read the pcap files generated by daemonlogger, but the filenames change with every epoch and it needs some sort of buffering. If you start a file going and then have Snort read it, Snort will eventually hit the EOF and stop even though more stuff is being logged to it. I'd have to get it into a pipe so that Snort didn't stop attempting to process it.

So any suggestions on how to get this into something that will be stable and work reliably? I've looked at things like ACID and BASE, but those are mostly for intrusion detection with Snort. I'm not doing any filtering or processing... just logging every packet.
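The EOF problem described in this post (a reader that stops when it catches up with a pcap file that is still being appended to) is a framing problem: a libpcap file is a 24-byte global header followed by 16-byte record headers, each followed by its frame, so a reader only has to remember where the last complete record ended and retry from there. The following is an added example, not code from the thread or from daemonlogger, Snort or Splunk. It tails a pcap file the way `tail -f` tails a log, rewinds to the start of any half-written record instead of mis-framing it, and emits one text line per packet with the payload rendered as printable ASCII only, no hex. The frame decoder, the `build_frame`/`build_sample_pcap` helpers and the sample addresses and ports are constructed for this example and assume Ethernet (linktype 1) IPv4 captures.

```python
"""Tail a growing libpcap file and emit one text line per packet (no hex dump).

Added example, not part of the original thread.  Assumes Ethernet (linktype 1)
frames carrying IPv4; other frames are reported but not decoded.
"""
import io
import struct
import time

GLOBAL_HDR_LEN = 24   # magic, version major/minor, tz, sigfigs, snaplen, linktype
REC_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len


def _byte_order(magic):
    """Pick a struct byte-order prefix from the 4-byte pcap magic number."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"                      # little-endian writer, microsecond stamps
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a libpcap file: %r" % magic)


def decode_frame(frame):
    """Ethernet/IPv4/{TCP,UDP} decoder; returns (summary text, payload bytes)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4 frame", b""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:                    # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return "TCP %s:%d -> %s:%d" % (src, sport, dst, dport), l4[data_off:]
    if proto == 17 and len(l4) >= 8:                    # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        return "UDP %s:%d -> %s:%d" % (src, sport, dst, dport), l4[8:]
    return "IP proto %d %s -> %s" % (proto, src, dst), l4


def printable(payload):
    """Render a payload as text: printable ASCII kept, every other byte -> '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def read_complete_records(fh, order):
    """Yield (timestamp, frame) for every complete record from fh's current offset.

    If the file ends in the middle of a record (the writer has not finished it),
    the offset is rewound to the start of that record and iteration stops, so a
    later call resumes exactly there instead of losing or mis-framing data.
    """
    while True:
        start = fh.tell()
        hdr = fh.read(REC_HDR_LEN)
        if len(hdr) < REC_HDR_LEN:
            fh.seek(start)
            return
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", hdr)
        frame = fh.read(incl_len)
        if len(frame) < incl_len:
            fh.seek(start)
            return
        yield ts_sec + ts_usec / 1e6, frame


def pcap_to_lines(fh, order=None):
    """Drain all complete records currently readable from fh into text lines.

    Pass order=None on the first call (the global header is parsed then); pass
    the returned order on later calls.  Returns (order, list_of_lines).
    """
    if order is None:
        ghdr = fh.read(GLOBAL_HDR_LEN)
        if len(ghdr) < GLOBAL_HDR_LEN:             # header itself not written yet
            fh.seek(0)
            return None, []
        order = _byte_order(ghdr[:4])
    lines = []
    for ts, frame in read_complete_records(fh, order):
        summary, payload = decode_frame(frame)
        lines.append("%.6f %s | %s" % (ts, summary, printable(payload)))
    return order, lines


def follow(path, poll=0.5):
    """tail -f for a pcap file: print new packets as they land, never stop at EOF."""
    with open(path, "rb") as fh:
        order = None
        while True:
            order, lines = pcap_to_lines(fh, order)
            for line in lines:
                print(line)
            if not lines:
                time.sleep(poll)


def build_frame(proto, src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the sample (checksums zero)."""
    l4 = struct.pack("!HH", sport, dport)
    if proto == 6:
        l4 += struct.pack("!IIBBHHH", 1, 0, 0x50, 0x18, 8192, 0, 0) + payload
    else:
        l4 += struct.pack("!HH", 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4


def build_sample_pcap(frames, ts0=1200000000):
    """Constructed little-endian pcap (linktype 1) holding the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        usec = 250000 if i == 0 else 0
        out += struct.pack("<IIII", ts0 + i, usec, len(frame), len(frame)) + frame
    return out
```

In use, `follow("/var/log/daemonlogger/current.pcap")` replaces the `snort -r` invocation that stops at EOF; when the logger rolls over to a new filename, the same `pcap_to_lines` loop can be pointed at the new file and started with `order=None`. The test below feeds the reader a capture whose last record is cut off five bytes short, checks that only the complete packet is emitted, then supplies the remaining bytes and checks that the reader resumes from the rewound offset.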
 
01-23-2008, 09:54 AM   #2
unSpawn (Moderator)
Quote:
Originally Posted by vortmax View Post
One difficulty is that I wish to log the entire packet, but not really the hex part. So far snort is the only thing I've found that will log text of the packet contents and ignore the hex. (..) I'm not doing any filtering or processing....just logging every packet.
No you're not. You want to log packets w/o processing yet you use Snort to extract human readable text from pcaps and still maintain you're "not doing any filtering or processing". How does that match? Maybe explain (reason, requirements, examples and such) what details exactly you're interested in wrt logging.
 
01-24-2008, 07:43 AM   #3
vortmax (Original Poster)
sorry, by no processing I mean I'm not running an IDS. I'm not analyzing the packets for traffic patterns or intrusions. Just converting to text and logging.
 
01-24-2008, 08:52 AM   #4
unSpawn (Moderator)
Quote:
Originally Posted by vortmax View Post
Just converting to text and logging.
Check http://www.splunkbase.com/addons/Fie...ork_IDS_-_IPS/ ?
 
01-24-2008, 10:40 AM   #5
vortmax (Original Poster)
I looked at those. Unfortunately those are for dealing with the alerts generated by the IDS, and not the packet flow.
 
01-27-2008, 07:46 AM   #6
unSpawn (Moderator)
I asked you for details but you don't post any.
Simply means you're not helping us to help you.
So I'm sorry. I see nothing I can help you with here.