If you have the resources, as Gary mentioned, a switch with a monitor/span port is the most elegant solution. I mentioned using a hub since my endeavors are generally rather low budget. :-(

If you're looking to possibly do some IDS monitoring, check out http://www.ossim.net/. It is an open source information security management suite that has just about every feature a sys/net admin could want.

Tim Nelson
Technical Consultant
Rockbochs Inc.


Anderson Carli wrote:
Hi Tim, Joel and Gary,

I don't think that resources will be a problem. My LAN port is connected at 100mbit and my WAN is 1 mbit, and my monitoring host has 1 TB RAID. So, resources are not the problem.

I want to redirect all traffic for troubleshooting (mainly SMTP and VoIP), but full traffic log some auditing will be a plus.

This is why I'm using WireShark.

Thanks,

Anderson

-----Original Message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 7, 2007 17:28
To: [email protected]
Subject: Re: [pfSense Support] Remote Traffic Monitoring

Many managed switches also allow you to specify a monitor or span port. You may then capture any/all traffic running across your switch backplane on that port. Ideal for IDS applications or whatever it is you're wanting to do with all that traffic. Keep in mind that it takes a lot of resources to capture and process traffic so ensure that the machine you designate for the task is appropriately beefy.
Tim Nelson
Technical Consultant
Rockbochs Inc.


Anderson Carli wrote:
Hi all!

I'm trying to monitor the traffic of my pfSense box. What I want is to dump all WAN traffic to a host in my LAN.

Well, I achieve this using tcpdump, netcat and WireShark:

1. Capture all traffic with tcpdump and redirect to my host using netcat

   tcpdump -n -i fxp1 -w- | nc 192.168.0.1 4321 &

2. In the client host:

   nc -L -p 4321 > c:\fxp1.log

3. Now I can open the fxp1.log file with WireShark and see all the WAN traffic.


But I'm wondering if there is a better way to do the same thing without netcat (using rpcap, for example).

Cheers

Anderson


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
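
An added example, not part of the original thread: a check for the file the receiving host writes in step 2 of the tcpdump/netcat procedure. It assumes the stream is classic pcap (the savefile format `tcpdump -w` writes) and reports packets clipped by the capture snap length and any partial record left when the netcat connection dropped; `check_capture` and the sample bytes are constructed for illustration.

```python
import struct
import sys

# Classic pcap magic numbers as seen when the first 4 bytes are read little-endian
# (microsecond and nanosecond variants, in either byte order).
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def check_capture(data):
    """Walk a classic-pcap byte stream and report how intact it is."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap stream (magic %#x)" % magic)
    end = MAGICS[magic]
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    off, packets, clipped = 24, 0, 0
    while len(data) - off >= 16:
        # Per-packet header: ts_sec, ts_frac, captured length, length on the wire.
        _sec, _frac, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        if len(data) - off - 16 < incl:
            break  # stream was cut in the middle of this packet
        off += 16 + incl
        packets += 1
        if incl < orig:
            clipped += 1  # payload beyond the snap length was never captured
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "clipped": clipped, "partial_tail_bytes": len(data) - off}

def sample_capture(snaplen=68):
    """Constructed sample: two Ethernet frames, the second longer than snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, size in enumerate((60, 200)):
        kept = min(size, snaplen)
        out += struct.pack("<IIII", 1181248080 + n, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    # Pass the received file (e.g. fxp1.log) as the first argument,
    # or run without arguments to check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = sample_capture()
    print(check_capture(raw))
```

A non-zero `clipped` count means the capture holds headers but not full payloads, which matters when the goal is SMTP or VoIP troubleshooting; a non-zero `partial_tail_bytes` means the transfer ended mid-packet.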

