Home / server / Questions / 398146
In Process
Kirk Ouimet
Asked: 2012-06-13 20:46:48 +0800 CST

Run All Traffic Through a WireShark Box?

  • 772

I'd like to build a box that I configure as default gateway for client computers that:

  1. Captures all of their traffic
  2. Allows me to easily review all of their traffic

Anyone have some ideas on the best operating system and programs to use? WireShark was the first to come to mind.

routing networking security

2 Answers

  1. This is one of those situations where you're going to have to provide some additional detail before we can really give you a very good answer. Among the questions you need to figure out:

    • What is your available budget for this?
    • What is your capture retention requirement?
    • What is the traffic rate that you are capturing?
    • How much risk are you willing to accept from the monitoring point?
    • What are your actual requirements?
      • Do you need full packet data?
      • Is a higher level view of source-destination traffic flows good enough?

    Among the many options available to you, here's a couple:

    • Use NetFlow or SFlow to get traffic flow data from your routers/switches/firewalls
      • This will probably be good enough, and be easier/cheaper than a dedicated traffic sniffing setup
      • A possible alternative that is similar is ntop
    • Put an inline network tap on your network, duplicating all traffic to a monitoring system (Sniffer)
      • Sniffer can be a simple linux box doing packet capture (low-end, cost and functionality); Or a dedicated Network Sniffer appliance (high-end, cost and functionality)
      • Cost will depend on functionality/analysis requirements, retention requirements, and the throughput you're monitoring
    • Use port mirroring (SPAN in Cisco-speak) to duplicate traffic to a monitor point, which you can then view from your sniffer system
    • Put a Linux box inline as a router/bridge and monitor or capture the traffic there
      • This makes the Linux box a single point of failure for your network, and could introduce other issues if you don't know what you're doing
    • Be aware that capturing all traffic (full packets) can lead to some legal and political issues if you are capturing voice traffic, sensitive data (credit cards data, health/private information), etc.

    To address one specific point in your question, Wireshark is a great program for analyzing packet captures, or interactive packet capturing, but for continual capture, I'd probably look towards something like dumpcap. If I'm running it in a continuous manner, I find it most effective to run it from cron for a specific duration. On a low throughput capture, I might do hourly captures (3600 seconds) run every hour. For a higher throughput capture, I might do every 10 minutes or even 5 or 2 minutes. If you're going to be storing for a long time, you may want to break up the captures under "yyyy/mm/dd" directories or something like that.

    • 3

  2. Ignoring the fact that the very idea offends my sensibilities, do you actually have the time to go through all that data, even after applying filters?

    While it's trivial to do what you are asking (run the network sniffer/monitor on the actual gateway device) I seriously doubt it's the best approach. It might be better to use something like snort with custom rules, which can watch for specified traffic and alert you when it happens.

    • 0