Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product. Are there any open source projects that are decent? What are others using?

----------------
Jay Austad
Senior Network Analyst
Travelers Express / MoneyGram
e: jaustad@temgweb.com
p: 952.591.3779
A little off topic, but nonetheless: Have a look at Ethereal, an open source network analyzer similar in many respects to Sniffer Pro. http://www.ethereal.com

<plug shameless="yes"> For distributed sniffing / central analysis, you might want to try IDABench, ISTS's pluggable framework for network packet analysis. http://idabench.ists.dartmouth.edu. You can query large datasets with various analysis tools and it returns graphical, textual, or libpcap composite binary output that can be opened in, for instance, ethereal. </plug>

On Wed, 3 Sep 2003 13:07:48 -0500 "Austad, Jay" <JAustad@temgweb.com> wrote:

> Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product.
> Are there any open source projects that are decent? What are others using?

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos@ists.dartmouth.edu
603.646.0665 -voice
603.646.0666 -fax
On Wed, 3 Sep 2003, Austad, Jay wrote:

> Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product.
> Are there any open source projects that are decent? What are others using?

We use bro and snort... http://www.snort.org/ http://www-nrg.ee.lbl.gov/bro-info.html

--
--------------------------------------------------------------------------
Joel Jaeggli
Unix Consulting
joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
I took a different approach and run a Windows XP machine with multiple network cards to the segments that I regularly need to sniff. I use the remote desktop feature to access the box. It has one NIC for regular connectivity, and a couple others that are just used for sniffing.

Others are using cheap linux boxes running ethereal in a similar fashion using VNC to access the box.

Luke

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Austad, Jay
Sent: Wednesday, September 03, 2003 11:08 AM
To: 'nanog@merit.edu'
Subject: Distributed sniffer products

> Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product.
> Are there any open source projects that are decent? What are others using?
OK... I'll leave the XP thing al0wned.

As to the linux solution, why would you bother with VNC rather than just ssh. Pull the libpcap file back to a local desktop for analysis in ethereal.

Owen

--On Wednesday, September 3, 2003 11:26 AM -0700 Luke Starrett <lstarrett@nc.rr.com> wrote:

> I took a different approach and run a Windows XP machine with multiple network cards to the segments that I regularly need to sniff. I use the remote desktop feature to access the box. It has one NIC for regular connectivity, and a couple others that are just used for sniffing. Others are using cheap linux boxes running ethereal in a similar fashion using VNC to access the box.
>
> Luke
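The workflow Owen describes above, capture on the remote box and pull the libpcap file back for local analysis, deserves a quick sanity check before the file goes into Ethereal. The following Python is an added example written for this page, not code from anyone in the thread or from any of the tools named in it. It parses the libpcap global header and packet records, collapses both directions of each TCP/UDP flow into one conversation, and flags two things that commonly go wrong with a capture taken over ssh: a final record truncated because tcpdump was killed mid-write, and the analyst's own ssh session (port 22) leaking into the capture. The sample capture, the 10.1.1.0/24 and 192.168.0.9 addresses, and all function names are constructed for the example; it assumes classic pcap (not pcapng) carrying Ethernet frames.

```python
"""Sanity-check a libpcap capture pulled from a remote sensor and summarise it by
conversation. Added example for this page, not code from the thread. Assumes classic
pcap (not pcapng) with Ethernet frames; the sample capture below is constructed."""
import socket
import struct
from collections import Counter

# Global-header magic read as little-endian uint32 -> (struct byte order, timestamp ticks/second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # written by a little-endian host, microsecond stamps
    0xD4C3B2A1: (">", 1_000_000),      # written by a big-endian host
    0xA1B23C4D: ("<", 1_000_000_000),  # nanosecond-stamp variant
    0x4D3CB2A1: (">", 1_000_000_000),
}
LINKTYPE_ETHERNET = 1

def pcap_records(data):
    """Return (linktype, records, truncated); a record is (timestamp, frame, original_len).
    A final record cut off mid-write (tcpdump killed over the ssh session) sets truncated
    instead of raising, so the frames before it are still analysed."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    order, ticks = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    records, off, truncated = [], 24, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            truncated = True
            break
        records.append((ts_sec + ts_frac / ticks, data[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, records, truncated

def conversation_key(frame):
    """Endpoint pair and protocol of an Ethernet/IPv4/TCP-or-UDP frame, endpoints sorted so
    both directions of a flow share one key; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = (src, sport), (dst, dport)
    return (a, b, proto) if a <= b else (b, a, proto)

def summarize(data):
    """Frame counts per conversation plus the checks worth doing before opening the file."""
    linktype, records, truncated = pcap_records(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet frames, got linktype %d" % linktype)
    convs, non_ip = Counter(), 0
    for _ts, frame, _orig in records:
        key = conversation_key(frame)
        if key is None:
            non_ip += 1
        else:
            convs[key] += 1
    # Frames of the analyst's own ssh session: the capture filter should have excluded them
    mgmt_leak = sum(n for (a, b, proto), n in convs.items() if proto == 6 and 22 in (a[1], b[1]))
    return {"frames": len(records), "truncated": truncated, "non_ip_frames": non_ip,
            "conversations": convs, "mgmt_leak": mgmt_leak}

def _frame(src, sport, dst, dport, proto, payload):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample (checksums left zero)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + l4 + payload

def _pcap(frames, cut_last=False):
    """Little-endian microsecond pcap image; cut_last drops the tail of the final record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1062600000 + i, i * 1000, len(f), len(f)) + f
    return out[:-5] if cut_last else out

# Constructed sample: one HTTP exchange, a second HTTP connection, a DNS query, and one
# frame of the analyst's own ssh session that a missing "not port 22" filter let through.
SAMPLE_FRAMES = [
    _frame("10.1.1.5", 3456, "10.1.1.20", 80, 6, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.1.1.20", 80, "10.1.1.5", 3456, 6, b"HTTP/1.0 200 OK\r\n"),
    _frame("10.1.1.5", 3457, "10.1.1.20", 80, 6, b""),
    _frame("10.1.1.5", 1025, "10.1.1.1", 53, 17, b"\x00\x01"),
    _frame("192.168.0.9", 4022, "10.1.1.20", 22, 6, b"SSH-2.0-x"),
]
SAMPLE_PCAP = _pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for label, image in (("complete", SAMPLE_PCAP), ("killed mid-write", _pcap(SAMPLE_FRAMES, cut_last=True))):
        s = summarize(image)
        print(label, {k: v for k, v in s.items() if k != "conversations"})
        for (a, b, proto), n in sorted(s["conversations"].items()):
            print("  %s:%d <-> %s:%d %s %d frames" % (a + b + ("tcp" if proto == 6 else "udp", n)))
```

On the sensor the file is typically produced with something like `tcpdump -i eth1 -s 0 -w sensor.pcap not port 22` (interface name assumed) and copied back with scp. The `not port 22` is what keeps `mgmt_leak` at zero, and it matters even more if the capture is streamed straight through the ssh session with `-w -`, since capturing the session that carries the capture feeds on itself. The `truncated` flag is the other thing to look at before trusting the file: a capture stopped with a kill rather than a clean interrupt often ends in a half-written record that some tools silently drop.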
> OK... I'll leave the XP thing al0wned.

Understood... It was a quick (and dirty) solution.

> As to the linux solution, why would you bother with VNC rather than just ssh. Pull the libpcap file back to a local desktop for analysis in ethereal.

SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).

Luke
> > OK... I'll leave the XP thing al0wned.
>
> Understood... It was a quick (and dirty) solution.

How was that any quicker than the same thing running on Linux? (hint: XP install time on P4/1.6Ghz/512MB -> ~2 hours; RH8.0 install time on same machine -> ~30 minutes)

> > As to the linux solution, why would you bother with VNC rather than just ssh. Pull the libpcap file back to a local desktop for analysis in ethereal.
>
> SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).

That's what screen is for. :-)

> Luke

Owen
XP took me about 35 to 40 minutes to install on a PIII-600Mhz from CD, with SP3 prepatched. I don't really want to start the OS war again as I don't like windows any more than the rest of you. My point was... There's more than one way to skin a cat (er sniffer).

Luke

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Owen DeLong
Sent: Wednesday, September 03, 2003 12:07 PM
To: Luke Starrett; 'Austad, Jay'; nanog@merit.edu
Subject: RE: Distributed sniffer products
On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:

> SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).
>
> Luke

http://www.gnu.org/software/screen/

-r
--On Wednesday, September 03, 2003 15:22:55 -0400 ravi pina <ravi@cow.org> wrote:

> On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:
>
> > SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).
> >
> > Luke
>
> http://www.gnu.org/software/screen/
>
> -r

Does anyone have a *GOOD* screenrc example config? I was VERY confused by the info file.

(OT, I know, but...)

LER

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
On Wed, 3 Sep 2003, Larry Rosenman wrote:

> --On Wednesday, September 03, 2003 15:22:55 -0400 ravi pina <ravi@cow.org> wrote:
>
> > On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:
> >
> > > SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).
> > >
> > > Luke
> >
> > http://www.gnu.org/software/screen/
>
> Does anyone have a *GOOD* screenrc example config? I was VERY confused by the info file.

box:~>cat .screenrc
# do not log in new windows
deflogin off
# Annoying bell ON
vbell off
# Bell message so it beeps
bell_msg "Activity: %^G"
# detach on hangup
autodetach on
# don't display the copyright page
startup_message off
defscrollback 10000
# remove some stupid / dangerous key bindings
bind k
bind ^k
bind .
bind ^\
bind \\
bind ^h
bind h
# Re-bind them better.
bind '\\' quit
bind 'K' kill
bind 'I' login on
bind 'O' login off
bind '}' history

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
I haven't had any problems using it without a screenrc.

screen        -- Starts new session
screen -r     -- resumes old session (won't steal session if active)
screen -r -d  -- resumes old session and detaches it if necessary

Beyond that, I use ^A-D (detach) and a few other ^A commands, all of which are pretty easily documented from ^A-?.

FWIW,
Owen

--On Wednesday, September 3, 2003 2:39 PM -0500 Larry Rosenman <ler@lerctr.org> wrote:

> --On Wednesday, September 03, 2003 15:22:55 -0400 ravi pina <ravi@cow.org> wrote:
>
> > On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:
> >
> > > SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).
> > >
> > > Luke
> >
> > http://www.gnu.org/software/screen/
> >
> > -r
>
> Does anyone have a *GOOD* screenrc example config? I was VERY confused by the info file.
>
> (OT, I know, but...)
>
> LER
On Wed, 3 Sep 2003, Luke Starrett wrote:

> > OK... I'll leave the XP thing al0wned.
>
> Understood... It was a quick (and dirty) solution.
>
> > As to the linux solution, why would you bother with VNC rather than just ssh. Pull the libpcap file back to a local desktop for analysis in ethereal.
>
> SSH works, but it's sometimes nice to have a persistent session that I can pick back up later (or from a different PC).

screen

> Luke

--
--------------------------------------------------------------------------
Joel Jaeggli
Unix Consulting
joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Ethereal and other libpcap tools work reasonably well, can be easily deployed using commodity hardware, and would cost you a lot less than NetAssoc.

Owen

--On Wednesday, September 3, 2003 1:07 PM -0500 "Austad, Jay" <JAustad@temgweb.com> wrote:

> Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product.
> Are there any open source projects that are decent? What are others using?
Look at http://www.networkgenomics.net, this product does a sniffer type look at your network and provides conversation views, from both ends. Also traverses firewalls.

Dwight

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Austad, Jay
Sent: Wednesday, September 03, 2003 2:08 PM
To: 'nanog@merit.edu'
Subject: Distributed sniffer products

> Anyone have any experience with these? I'm looking for something similar to Network Associates Sniffer product.
> Are there any open source projects that are decent? What are others using?
participants (10)
- Austad, Jay
- Dominic J. Eidson
- Dwight Ringdahl
- George Bakos
- Joel Jaeggli
- Larry Rosenman
- Luke Starrett
- Owen DeLong
- ravi pina