Need to monitor all network traffic with Wireshark

I am on a network where our firewall is controlled by the IT in France.  We have zero access to it other than it's a PC box (Checkpoint) sitting in our server room.  We have a 5Mbps internet connection that randomly slows down.  Sometimes it is something on our network; maybe multiple someones watching videos.  Lately we think it's our firewall.  We are locked out from even running tracert, ping or pathping outside of our network.

We have had random slowness lately on random sites on random machines.  When we run speed tests we are getting our 5Mbps that we should be getting so it's not our ISP and it's not likely someone inside.  The likely culprit is that firewall.

I want to accomplish two things.  I want to figure out if it's our firewall.  

Also I want to be able to run wireshark on the network and see ALL traffic and not just the traffic to my port.  

We have unmanaged switches.  If we can't use our firewall, is the only way to do this to put an unswitched hub between the modem gateway and our network and then run a cable from that hub to a laptop with Wireshark?  Will this work?  What other ways can we accomplish this?  Can you use Wireshark on managed switches successfully, or do you only see traffic on the one mirrored port?
Asked by norcalty

stephen_c01 commented:
This is what "I" would do.

Get one of these
http://www.netgear.com/Products/Switches/PlusSwitches/GS105E.aspx

Connect port 1 to the internet and port 2 to the existing firewall. Mirror port 1 to port 3 and port 2 to port 4

Now you can watch the traffic going between the internet and firewall.

There are other similar switches that do this; there is one that runs USB powered, but I don't trust them. As far as I know, this is the cheapest name-brand switch that does this.
0
 
Mandeep Khalsa commented:
Depending on the switch model/manufacturer there are ways to assign a single port on the switch so that you can use wireshark to capture all data. What kind of switch do you have?
0
 
aleghart commented:
Asking or providing help for bypassing installed security is prohibited on Experts Exchange.

You've already stated that you are not the IT authority, and that existing policies prohibit you from doing the network monitoring and troubleshooting.

The SOP would be to contact your IT group and follow the proper channels.

I would not like if an employee or outside party tries to circumvent controls that I've put in place.  Whether it's hacking or false benevolence (i.e. Robin Hood of the internet), it still violates policy.
0
 
norcalty (Author) commented:
ACTUALLY what I said was I do not have access to the firewall.  I am in IT here and I do have permission to run Wireshark and to do what I am asking.  It doesn't violate policy at all.

The IT group in France that controls our FW doesn't have any rules against what I am doing.  I am trying to figure out what is killing our network which is in my job description but thanks for the speech.
0
 
norcalty (Author) commented:
Also if you actually READ my post I didn't say anything about policy not permitting me to do network monitoring or troubleshooting.  I said that the FW rules won't let us ping or tracert out for security reasons.
0
 
aleghart commented:
I actually did read the post.  You stated you're "on a network", which does not even indicate that you're an authorized user, much less an admin.

You also state that you don't have administrative access to the firewall, and are trying to find another way to capture network traffic due to lack of access.

If you're a network admin, imagine finding a post in a public forum from one of your users asking how to passively record all LAN activity without attracting the attention of the firewall.

Trapping/recording traffic from the entire LAN is hardly the first reasonable step.

That's like installing a wiretap on all the phones to figure out why the phone bill is so high.

Read the bill first.

The firewall logs should reveal bandwidth usage by host and port/service.  This will show you spikes in activity that would negatively impact connectivity for other users/hosts on your LAN.  On a decent firewall, these statistics can be collected for days, weeks, months.

From the firewall you can also look at current connections and their bandwidth usage and to-date consumption.  Port numbers and IP addresses of source/destination will tell you who the hogs are.

Re-inventing the wheel is possible.  Doesn't mean it's the best method.
0
 
norcalty (Author) commented:
Thanks for the education but I already know what a firewall CAN do... the point is they do not let us access it because they are afraid we will open up things they want blocked and therefore we must manage our network in another fashion.  AND YES I AM IN IT AND SINCE YOU ARE THE POLICE HERE (APPARENTLY) I AM ALLOWED TO MONITOR TRAFFIC.  You sure assumed a lot from my post.
0
 
norcalty (Author) commented:
PS aleghart -  Kindly stop posting on my thread so I can get real help like that being offered by the people above.  If you want to flame then go to the lounge.
0
 
aleghart commented:
norcalty, take it as constructive criticism.  Take it or leave it.  Your post subject is "Need to monitor all network traffic with Wireshark".  But, the root of the problem is you have sporadic WAN bandwidth issues and don't have access to the stats from the firewall.

Recording enough LAN traffic to reproduce the firewall stats will require large amounts of data and a dedicated monitoring workstation.  Plus you'll have to learn how to use the software.

Not often considered are issues with legal and HR on the monitoring of internet activity.  Collecting statistical data is one thing.  Collecting actual LAN or WAN traffic (and storing it and analyzing it) has serious ramifications.  The "need" is just not there.  I don't see it at all.

How does recording a user's Yahoo email, or AOL chat, or Amazon shopping help troubleshoot slow WAN bandwidth?  

Including everyone's surfing in the data collection is _not_ necessary.

You need to narrow down the source of bandwidth consumption, then monitor the type and duration of traffic.  Correlate it with your perceived slowness or user complaints.  Or, don't correlate it at all, and just shut down the excessive bandwidth consumption.

None of that requires recording of all traffic.  It just requires firewall stats.
0
 
norcalty (Author) commented:
aleghart - I don't need your opinion and so I am going to ask you again.  STOP posting on my thread.

To those of you that posted above... these are the models of our switches.  One is managed.  The others are not.

Procurve J4095A
Procurve J3295A
Cisco 3550 Catalyst
Cisco 3500 XL Catalyst
Netgear GSM73525
0
 
aleghart commented:
norcalty,
If you feel anything posted here has been abusive or flaming, there is a link "Request Attention" that will contact a moderator.  Any egregious comments can be removed.  You can find the link at the bottom of your original question, right side.
0
 
Qlemo (Developer) commented:
To make a point about legit or not, there is a thin line. For example, I as IT head am allowed by law to monitor traffic, as long as I don't read it too thoroughly. A Wireshark setup to only record headers would allow for traffic analysis, but not content analysis. You can determine a source of bandwidth consumption. You can do illegal things with it nevertheless, but that is subject to law and company policy.

If the above were illegitimate in general, we would not be allowed to talk about Wireshark at all on EE.

However, analysis is much easier if the firewall provides stats. I cannot imagine the French IT is that paranoid that it would not allow for reading SNMP counters, with queries coming from a single predetermined IP address only (or even restricted to a MAC, which can be faked, however). Then you can set up SNMP monitor software, like PRTG or Cacti, to collect anonymous stats. Or if they are paranoid, let them collect the stats and give them to you, filtered as they like.
0
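As an added example (not code from the thread), the kind of header-only analysis Qlemo describes: it reads packet headers exported from Wireshark/tshark as CSV and charges each frame's length to the LAN host involved, so it points at who is consuming bandwidth without touching payload. The CSV column names and the 10.0.0.0/24 LAN prefix are assumptions; the rows are constructed sample data.

```python
# Added example (not from the thread): top-talker summary from a
# header-only capture. Assumes headers were exported from Wireshark/tshark
# as CSV columns time,src,dst,proto,dport,length; rows are constructed.
import csv
from collections import defaultdict
from io import StringIO

# Constructed: 10.0.0.15 pulls a stream; 10.0.0.22 and 10.0.0.31 do light web/DNS.
SAMPLE_CSV = """\
time,src,dst,proto,dport,length
0.0,10.0.0.15,203.0.113.9,TCP,443,100
0.5,203.0.113.9,10.0.0.15,TCP,49152,1500
1.0,203.0.113.9,10.0.0.15,TCP,49152,1500
1.5,203.0.113.9,10.0.0.15,TCP,49152,1500
2.0,10.0.0.22,198.51.100.4,TCP,80,400
2.5,198.51.100.4,10.0.0.22,TCP,49153,600
3.0,10.0.0.31,192.0.2.53,UDP,53,80
3.5,192.0.2.53,10.0.0.31,UDP,49154,200
4.0,203.0.113.9,10.0.0.15,TCP,49152,1500
"""

LAN_PREFIX = "10.0.0."  # assumption: the LAN lives in 10.0.0.0/24


def parse_records(text):
    """Read header rows into typed dicts; no payload is ever present."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({"time": float(row["time"]), "src": row["src"], "dst": row["dst"],
                        "proto": row["proto"], "dport": int(row["dport"]), "length": int(row["length"])})
    return records


def bytes_by_host(records, lan_prefix=LAN_PREFIX):
    """Charge each frame to the LAN host that sent or received it."""
    totals = defaultdict(int)
    for r in records:
        host = r["src"] if r["src"].startswith(lan_prefix) else r["dst"]
        totals[host] += r["length"]
    return dict(totals)


def top_talkers(records, n=3, lan_prefix=LAN_PREFIX):
    totals = bytes_by_host(records, lan_prefix)  # LAN hosts, largest first
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def kbps_by_host(records, lan_prefix=LAN_PREFIX):
    """Average kilobits per second per host over the capture window."""
    times = [r["time"] for r in records]
    span = (max(times) - min(times)) or 1.0  # single-frame capture: avoid /0
    return {h: b * 8 / span / 1000 for h, b in bytes_by_host(records, lan_prefix).items()}
```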
 
norcalty (Author) commented:
Yeah well you would think that they would give us some limited access to it.  There are dozens of smaller companies like mine that are owned by this large company in France and they are all going through the same pains we are having now.  The lack of access to tools to manage our environment is frustrating.  The only rule we have is that they manage our firewall and we are not allowed access to it.... therefore we and many other subsidiaries are forced to find other ways to manage our networks.  

We are in a paranoid industry (defense contractors) and their default answer to most requests is no.  lol  They have however said we can monitor our own traffic and even packets however we like as long as their firewall remains in place.  They are concerned with keeping traffic OUT of our network and have no rules regarding how we manage traffic on our network itself.

We don't plan to use Wireshark to pick up chats, etc... I could care less and I don't have time for such things.  It's just a quick easy way to capture data and see oh... I see a lot of streaming media coming from these three IP addresses, etc.  Anyway, our company has a very detailed user policy and if we decided to monitor chats we are well within our policy and legality to do so; but it's not something we plan to do at all.

We can collect our own SNMP information but we cannot access or use the firewall.  So PRTG would let us see real time traffic but wouldn't I have to set it up with the switch mentioned above and on mirrored ports so we can see all the traffic on all ports?  It would be nice to have something setup like this that monitors and logs information so we can see reports over time regarding internal traffic and internet bound traffic.

Thanks for your help!
0
 
Qlemo (Developer) commented:
A managed switch could provide you with the SNMP stats you need. Since you will not get into the firewall, that would be my choice.
0
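Added example (not from the thread): how polled ifInOctets/ifOutOctets counters from a managed switch port become per-interface bit rates, including the 32-bit counter wraparound that any poller (PRTG, Cacti, or a scripted snmpget) has to handle. The sample readings are constructed.

```python
# Added example (not from the thread): turning SNMP interface counter
# samples (ifInOctets/ifOutOctets, Counter32) into bit rates. Assumes a
# poller has already collected (time_s, in_octets, out_octets) triples.

# Constructed: a 5 Mbps WAN-facing port polled every 60 s; the inbound
# counter wraps past 2**32 between the first and second poll.
SAMPLES = [
    (0,   4_294_900_000,   100_000),
    (60,     37_432_704, 1_600_000),
    (120,    44_932_704, 2_350_000),
]


def counter_delta(prev, cur, width=32):
    """Octets counted between two readings, tolerating one wraparound."""
    if cur >= prev:
        return cur - prev
    return cur + 2 ** width - prev  # counter wrapped past 2**width


def rate_mbps(prev_sample, cur_sample, width=32):
    """Megabits per second between two (time_s, octets) samples."""
    (t0, c0), (t1, c1) = prev_sample, cur_sample
    if t1 <= t0:
        raise ValueError("samples must be strictly increasing in time")
    return counter_delta(c0, c1, width) * 8 / (t1 - t0) / 1e6


def interface_rates(samples, width=32):
    """[(t, in_octets, out_octets)] -> [(t, in_mbps, out_mbps)] per poll."""
    rates = []
    for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:]):
        rates.append((t1, rate_mbps((t0, i0), (t1, i1), width),
                      rate_mbps((t0, o0), (t1, o1), width)))
    return rates


def max_poll_interval_s(link_mbps, width=32):
    """Longest poll interval at which a saturated link cannot advance the
    counter a full 2**width between polls; beyond it a wrap goes unseen.
    At 1 Gbps a Counter32 wraps in ~34 s, which is why ifHCInOctets
    (Counter64) exists for fast links."""
    return 2 ** width * 8 / (link_mbps * 1e6)
```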
 
Keith Alabaster (Enterprise Architect) commented:
What is the specification of the box hosting the firewall? A PC hosting a firewall is not something I would expect to see at a business-level environment.
You do not need to 'touch' the firewall or the network to get the information. Have you asked the French for copies of the log files that Checkpoint generates or copies of the reports that can be run so that you can identify top-ten protocol usage, top sites visited etc so that you can either prove that it is an internal issue or something outside of your control?

In a normal situation, the IT team are there to administrate and to enforce a company or organisation's policies rather than to dictate it. If they are not providing you with the information required then personally, rather than start doing something that may cause you grief or infringe upon any security conditions, then I would use the management chain to escalate the problem rather than get into a head-to-head with the IT group. If they 'own' your company then the management team will recognise that it is in their interests to be helping rather than hindering you.

Keith

0
 
Jim P. commented:
Another possibility is to set up a firewall system on your edge that is entirely open, just recording traffic, and from there you can get your stats.
0
 
norcalty (Author) commented:
All three of these are great possible solutions.  I am going to try them out one at a time and see what nets me the best information.

Thanks everyone.
0