Distributed sniffer products

Anyone have any experience with these? I'm looking for something similar to
Network Associates Sniffer product.

Are there any open source projects that are decent? What are others using?

A little off topic, but nonetheless:

Have a look at Ethereal, an open source network analyzer similar in many
respects to Sniffer Pro. http://www.ethereal.com

<plug shameless="yes">
For distributed sniffing / central analysis, you might want to try
IDABench, ISTS's pluggable framework for network packet analysis.
http://idabench.ists.dartmouth.edu. You can query large datasets with
various analysis tools and it returns graphical, textual, or libpcap
composite binary output that can be opened in, for instance, ethereal.
</plug>

> Anyone have any experience with these? I'm looking for something similar to
> Network Associates Sniffer product.
>
> Are there any open source projects that are decent? What are others using?

we use bro and snort...

http://www-nrg.ee.lbl.gov/bro-info.html

I took a different approach and run a Windows XP machine with multiple
network cards to the segments that I regularly need to sniff. I use the
remote desktop feature to access the box. It has one NIC for regular
connectivity, and a couple others that are just used for sniffing.
Others are using cheap linux boxes running ethereal in a similar fashion
using VNC to access the box.

Luke

Ethereal and other libpcap tools work reasonably well, can be easily deployed
using commodity hardware, and would cost you a lot less than NetAssoc.

Owen

OK... I'll leave the XP thing al0wned.

As to the Linux solution, why would you bother with VNC rather than just ssh?
Pull the libpcap file back to a local desktop for analysis in ethereal.

Owen

> OK... I'll leave the XP thing al0wned.

Understood... It was a quick (and dirty) solution.

> As to the Linux solution, why would you bother with VNC rather than just ssh?
> Pull the libpcap file back to a local desktop for analysis in ethereal.

SSH works, but it's sometimes nice to have a persistent session that I
can pick back up later (or from a different PC).

Luke

> > OK... I'll leave the XP thing al0wned.
>
> Understood... It was a quick (and dirty) solution.

How was that any quicker than the same thing running on Linux?
(hint: XP install time on P4/1.6Ghz/512MB -> ~2 hours
RH8.0 install time on same machine -> ~30 minutes)

> > As to the Linux solution, why would you bother with VNC rather than just ssh?
> > Pull the libpcap file back to a local desktop for analysis in ethereal.
>
> SSH works, but it's sometimes nice to have a persistent session that I
> can pick back up later (or from a different PC).

That's what screen is for. :)

> Luke

Owen

On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:

> SSH works, but it's sometimes nice to have a persistent session that I
> can pick back up later (or from a different PC).
>
> Luke

http://www.gnu.org/software/screen/

-r

> > OK... I'll leave the XP thing al0wned.
>
> Understood... It was a quick (and dirty) solution.
>
> > As to the Linux solution, why would you bother with VNC
> > rather than just ssh? Pull the libpcap file back to a local
> > desktop for analysis in ethereal.
>
> SSH works, but it's sometimes nice to have a persistent session that I
> can pick back up later (or from a different PC).

screen

XP took me about 35 to 40 minutes to install on a PIII-600MHz from CD,
with SP3 prepatched. I don't really want to start the OS war again as I
don't like Windows any more than the rest of you. My point was...
There's more than one way to skin a cat (er, sniffer).

Luke

Does anyone have a *GOOD* screenrc example config? I was VERY confused by
the info file.

(OT, I know, but...)

LER

box:~>cat .screenrc
# do not log in new windows
deflogin off

# audible bell rather than visual bell
vbell off

# Bell message so it beeps
bell_msg "Activity: %^G"

# detach on hangup
autodetach on

# don't display the copyright page
startup_message off

defscrollback 10000

# remove some stupid / dangerous key bindings (bind with no command unbinds the key)
bind k
bind ^k
bind .
bind ^\
bind \\
bind ^h
bind h

# Re-bind them better.
bind '\\' quit
bind 'K' kill
bind 'I' login on
bind 'O' login off
bind '}' history

I haven't had any problems using it without a screenrc.

screen       -- starts a new session
screen -r    -- resumes an old session (won't steal the session if active)
screen -r -d -- resumes an old session and detaches it elsewhere first if necessary

Beyond that, I use ^A-D (detach) and a few other ^A commands, all of which
are pretty easily documented from ^A-?.

FWIW,

Owen
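The workflow Owen suggests (ssh to the sensor, pull the libpcap file back to the desktop for Ethereal), together with Luke's wish for a session he can pick back up later and the screen commands just above, as one added example. This is not code from the thread or from any tool named in it. It assumes a Linux sensor called sensor1 reachable over ssh, an ssh user allowed to run tcpdump, screen and pkill installed on the sensor, and a sniffing interface named eth1 that is up but carries no address of its own; every one of those names is a placeholder. The pcap checks go a step beyond the thread: they read the libpcap global header and walk the per-record headers, so a copy that is truncated (tcpdump still writing while scp ran) is rejected before anyone wastes time on it in Ethereal.

```shell
#!/bin/sh
# Added example, not code from the thread: capture on a remote Linux sensor
# over ssh, keep tcpdump running in a detached screen session, pull the
# libpcap file back and sanity-check it before opening it in Ethereal.
# Assumptions: sensor1 reachable by ssh, ssh user may run tcpdump, screen
# and pkill present on the sensor, sniffing interface eth1 (all placeholders).

# Build the tcpdump command line run on the sensor. -s 0 captures whole
# packets (tcpdump before 4.0 defaulted to a 68-byte snaplen); the default
# filter excludes our own ssh traffic so the capture does not fill with itself.
capture_cmd() {
    printf 'tcpdump -n -i %s -s 0 -w %s %s' "$1" "$2" "${3:-not port 22}"
}

# Start the capture inside a detached screen session named "sniff". It
# survives the ssh session ending and can be picked up from any host with:
#   ssh -t sensor1 screen -r -d sniff
start_capture() {
    ssh "$1" "screen -dmS sniff $(capture_cmd "$2" "$3")"
}

# SIGINT makes tcpdump flush and close the file cleanly (pkill assumed).
stop_capture() {
    ssh "$1" 'pkill -INT -x tcpdump'
}

# Return 0 if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond variant), 1 otherwise.
pcap_check() {
    case $(od -An -tx1 -N4 "$1" | tr -d ' \n') in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the 4-byte unsigned integer at byte offset $2 of file $1 in decimal,
# using the byte order the file's magic announces.
pcap_u32() {
    f=$1; off=$2
    set -- $(od -An -tx1 -j"$off" -N4 "$f")
    [ $# -eq 4 ] || return 1
    case $(od -An -tx1 -N4 "$f" | tr -d ' \n') in
        a1b2c3d4|a1b23c4d) printf '%d\n' "0x$1$2$3$4" ;;   # big-endian file
        d4c3b2a1|4d3cb2a1) printf '%d\n' "0x$4$3$2$1" ;;   # little-endian file
        *) return 1 ;;
    esac
}

# Link-layer type sits at offset 20 of the 24-byte global header; 1 = Ethernet.
pcap_linktype() { pcap_u32 "$1" 20; }

# Count records by walking the 16-byte record headers (ts_sec, ts_usec,
# incl_len, orig_len). A record running past end of file means the copy
# was truncated, e.g. tcpdump was still writing when scp ran: return 2 so
# the caller does not trust a partial capture.
pcap_count() {
    f=$1; size=$(wc -c < "$f" | tr -d ' '); off=24; n=0
    pcap_check "$f" || return 1
    while [ "$off" -lt "$size" ]; do
        [ $((off + 16)) -le "$size" ] || return 2
        len=$(pcap_u32 "$f" $((off + 8))) || return 1
        off=$((off + 16 + len))
        [ "$off" -le "$size" ] || return 2
        n=$((n + 1))
    done
    echo "$n"
}

# Copy the capture back and refuse anything that is not a complete pcap.
pull_capture() {
    scp -q "$1:$2" "$3" || return 1
    pcap_check "$3" || { echo "$3: not a libpcap file" >&2; return 1; }
    n=$(pcap_count "$3") || { echo "$3: truncated capture" >&2; return 1; }
    echo "$3: $n records, linktype $(pcap_linktype "$3")"
}

# Usage: sniff.sh start|stop|pull SENSOR [IFACE] [REMOTE_FILE] [LOCAL_FILE]
main() {
    case $1 in
        start) start_capture "$2" "${3:-eth1}" "${4:-/tmp/sensor.pcap}" ;;
        stop)  stop_capture "$2" ;;
        pull)  pull_capture "$2" "${4:-/tmp/sensor.pcap}" "${5:-./sensor.pcap}" ;;
        *)     echo "usage: $0 start|stop|pull SENSOR [IFACE] [REMOTE_FILE] [LOCAL_FILE]" >&2
               return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `sniff.sh stop sensor1` before `sniff.sh pull sensor1`; otherwise the last record may be cut off and pcap_count reports the file as truncated. To look at the live capture instead, reattach with `ssh -t sensor1 screen -r -d sniff`, which is exactly the `screen -r -d` from the list above, done over ssh rather than VNC.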

Have a look at http://www.isr.net/
On the right side are a bunch of links.

cheers,
-Bert

Look at http://www.networkgenomics.net; this product does a sniffer-type
look at your network and provides conversation views from both ends. It also
traverses firewalls.

Dwight