• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 145

Looking for a nice sniffing app to add to my network

Folks,

I run a network with 300+ users across the country. All users route their internet traffic through the corporate office. I'm looking for a utility to tell me in REAL-TIME who is doing what. I want to know if people are pumping enormous amounts of data across the lines, who they are, and what type of data it is (MP3s, etc.).

Any recommendation on what to use, where to place it, and how to get it up and running?

Thanks.
Avi
Asked by Avi-Solomon
1 Solution
Rich Rumble (Security Samurai) commented:
Sort of... it's harder to tell what file extensions are being copied, such as MP3s or AVIs, etc., but you can easily track how much bandwidth they are using for certain protocols, such as SMTP, FTP, SSL, ICMP, SMB, or even Kazaa.
Ntop is a great product for this. The new version may not be as updated for Windows as it is for Linux. Here are the two links:
Linux: http://www.ntop.org/overview.html
Win32: http://www.openxtra.co.uk/products/ntop-xtra.php (I've not used this one in a while)

Using a product like Snort you can look at the contents of all the communication very easily, especially if you write your own rules, as the Snort rules are catered more to abuse or network intrusion (like exploits, or possible scanning behaviour, etc.).
www.snort.org
-rich
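As an added illustration of the per-protocol bandwidth accounting Rich describes above (example code written for this page, not ntop's or Snort's own): it decodes raw Ethernet/IPv4 frames of the kind a spanned port would deliver, attributes each frame's bytes to the internal user address involved, labels the conversation by the well-known port on either side, and reports top talkers and hosts over a byte threshold. The 10. internal prefix, the small port-to-service table, and the sample frames are assumptions constructed for the demo.

```python
import struct
from collections import defaultdict

# Assumptions for the demo: corporate users live in 10.0.0.0/8, and these
# well-known ports name the services to meter (a small subset of what ntop knows).
INTERNAL_PREFIX = "10."
PORT_LABELS = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "SSL", 445: "SMB", 1214: "Kazaa"}
ETH_HDR_LEN = 14
IP_HDR_LEN = 20


def build_frame(src, dst, proto, payload, sport=0, dport=0):
    """Construct a minimal Ethernet/IPv4 frame (sample input for the demo, not captured traffic)."""
    l4 = b""
    if proto == 6:     # TCP: 20-byte header; only the ports matter for classification here
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:  # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = IP_HDR_LEN + len(l4) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    eth_hdr = b"\x00" * 12 + b"\x08\x00"   # dummy MACs, EtherType 0x0800 (IPv4)
    return eth_hdr + ip_hdr + l4 + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, ip_proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < ETH_HDR_LEN + IP_HDR_LEN or frame[12:14] != b"\x08\x00":
        return None                          # ARP, IPv6, runt frames: not metered here
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                 # header length honours IP options
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def classify(proto, sport, dport):
    """Name the service by the well-known side of the conversation."""
    if proto == 1:
        return "ICMP"
    for port in (dport, sport):
        if port in PORT_LABELS:
            return PORT_LABELS[port]
    return {6: "other-TCP", 17: "other-UDP"}.get(proto, "ipproto-%d" % proto)


class TrafficMeter:
    """Byte counters per (internal host, service), fed one frame at a time."""

    def __init__(self):
        self.usage = defaultdict(int)

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        src, dst, proto, sport, dport = parsed
        # Charge the bytes to whichever end is a corporate user, in either direction.
        host = src if src.startswith(INTERNAL_PREFIX) else dst if dst.startswith(INTERNAL_PREFIX) else None
        if host is None:
            return
        self.usage[(host, classify(proto, sport, dport))] += len(frame)

    def per_host(self):
        """Top talkers: [(host, total_bytes)] sorted descending."""
        totals = defaultdict(int)
        for (host, _service), n in self.usage.items():
            totals[host] += n
        return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

    def over_threshold(self, limit):
        return [(h, n) for h, n in self.per_host() if n > limit]


# Constructed sample traffic: one user on a file-sharing port, one doing normal SSL and ping.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.9", 6, b"\x00" * 1000, sport=40000, dport=1214),
    build_frame("203.0.113.9", "10.0.0.5", 6, b"\x00" * 3000, sport=1214, dport=40000),
    build_frame("10.0.0.7", "203.0.113.20", 6, b"\x00" * 500, sport=50000, dport=443),
    build_frame("10.0.0.7", "203.0.113.20", 1, b"\x00" * 64),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # an ARP frame, ignored by the meter
]


def demo():
    meter = TrafficMeter()
    for frame in SAMPLE_FRAMES:
        meter.feed(frame)
    return meter


if __name__ == "__main__":
    m = demo()
    for (host, service), n in sorted(m.usage.items()):
        print("%-10s %-10s %6d bytes" % (host, service, n))
    print("over 1000 bytes:", m.over_threshold(1000))
```

On a real box you would replace `SAMPLE_FRAMES` with frames read from the spanned interface and reset or age the counters on an interval to get the real-time view the question asks for; classification by port alone is exactly why Rich notes that file types (MP3 vs. AVI) are not visible this way, only which service is carrying the bytes.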
Rich Rumble (Security Samurai) commented:
Typically, to sniff all that traffic, you will need to find the point, or rather the port, that they all connect through. When you have such a port, you span that port to another. Spanning is like cc'ing every packet to another interface, so that this sort of thing can happen. With Cisco this is the command (the span must be on the same switch) for a Catalyst 4000 series (same for 5000 or 6000 series):
set span 2/4 3/4
Port 2/4 is the source, or the port that all the traffic is going out to the internet on, and port 3/4 is the port that the Snort or ntop box is sniffing on. You can do the same sort of thing with a hub, but I don't recommend it. If you have remote sites, and there is traffic that stays internal, then you may need to have multiple NICs, or multiple sniffing boxes.
We have most of our users connecting to us via a frame-relay network that terminates at one router. That router only has one connection to our switch, and that's the port you span to another to sniff. VPN is the same: users connect to the VPN concentrator via the internet, then the concentrator has a single connection to our switch, and that is another port that is spanned to our Snort/ntop server. We have 6 NICs in the Snort/ntop server, and each entry point (5 of them) has a spanned session to one of those NICs. The 6th NIC is not spanned; it is just like any other NIC, providing us a way to get on the box and administer it remotely.
-rich
Avi-Solomon (Author) commented:
Well, I don't use a Cisco switch - I use WatchGuard for my VPN. I guess my question then becomes, how do I hook up a PC in such a way as to be able to investigate the traffic without making it susceptible to attack from the outside? I was thinking of putting a hub on my public side with a PC that can see the traffic, but how do I make sure it doesn't get hacked?
Rich Rumble (Security Samurai) commented:
You cannot hack an interface with no IP... the sniffing interfaces are just there to listen; they send no traffic, they only read the traffic. There are DoSes for most of the IDSes out there, but they are able to compensate for this, and keeping up to date with patches will keep DoSing of your IDS down. Basically most DoSes try to fill the DB logs of the IDS or produce an exception in the TCP/IP inspection engines.

Most switches are able to do the spanning function. HP calls it mirroring:
http://www.hp.com/rnd/support/faqs/sw_208_224.htm#question25
http://www.foundrynet.com/services/documentation/sribcg/Global_Features.html#24933
http://support.3com.com/infodeli/tools/switches/ss3/management/ug/cli_mg7a.htm (3Com calls it port monitoring)
A hub will work, but it's sort of "jerry-rigging" in my opinion. Your switch should be able to do it, unless it's a real el cheapo one.
-rich
cjinsocal581 commented:
Free sniffer:

http://www.ethereal.com/

Cheers.