Mailinglist Archive: opensuse (4547 mails)

< Previous Next >
Re: [SLE] Looking for info on setting up a packet sniffer
  • From: John Lalla <john.lalla@xxxxxxx>
  • Date: Wed, 26 May 2004 03:14:07 -0700
  • Message-id: <20040526101407.GA8934@xxxxxxxxxxxxxxxxxxxxxx>
On Wed, May 19, 2004 at 01:46:03PM +0200, Jostein Berntsen wrote:
> On 18.05.04,17:25, Stuart Powell wrote:
> > Hello, everyone.
> >
> > I have a SuSE 9.0 Pro machine set up with a pair of NICs that I need to
> > use as a packet sniffer to help diagnose an issue with a Watchguard
> > Firebox sitting on RoadRunner's residential cable network. Since
> > RoadRunner only gives out one IP address at a time, based on MAC
> > address, I want to have one NIC live on the inside of the firewall so I
> > can access the machine as usual on the LAN, and the other should be on
> > the outside of the firewall (via a hub) but be set up so as to not have
> > an IP address. This is for two reasons:
> >
> > 1. As the second device behind the cable modem, it won't get an IP
> > address.
> > 2. So that it cannot be accessed from the Internet directly as it
> > won't have an IP address to attack it on.
> >
> > Of course, the card also needs to be in promiscuous mode in order to
> > accept ALL packets from the network segment.
> >
> > Does anyone have any links to sites or documents that would tell me how
> > to set all this up ? I've Googled it but there's just too much dross to
> > wade through. I've used Ethereal in the past but never on a
> > non-addressable interface, so I don't even know if it will do it. I'm
> > also open to suggestions on what other packet sniffing utilities might
> > be worth using instead of Ethereal. I fairly sure it can be done, as
> > the Oculan device does its IDS functions (which is packet capturing) on
> > a non-addressable interface and that's a Linux based device.
> >
> > In case it matters to anyone, the Watchguard Firebox (Linux based
> > device) works great for about 28hours, at which point traffic just stops
> > flowing. We suspect a DHCP issue, but neither the Netmaster GG-Blade
> > (also Linux based) nor the Sonicwall Tele3TZX have been affected by
> > this problem. The Watchguard support guys asked me to put the sniffer
> > out there to see if we can try and see what is happening right before
> > the traffic stops flowing. A quick reboot of the Firebox brings it back
> > to life for another 28hrs or so.
> >
> > References:
> >
> >
> >
> >
> >
> >
> > Thanks much,
> > Stuart.
> You might try to use Snort as a sniffer:
> By setting it up with the right logging you should be able to find out
> some clues about the Firebox.
> Ethereal should be able to work with these data.
> - Jostein
> --
> Jostein Berntsen <jbernts@xxxxxxxxxxxx>
> --
> Check the headers for your unsubscription address
> For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
> Also check the archives at
> Please read the FAQs: suse-linux-e-faq@xxxxxxxx
I would have to concur with the above post. This said, however, your query is less SuSE specific than it is sys admin related in general. Therefor, I would recommend you head over to "full-disclosure" and post the same question.

The FD list is populated by some of the most experienced and knowledgeable admins in the world - no joke. Your bound to get some useful guidance from them. Unfortunately, there are many script kiddies who infiltrate the list, so I recommend you avoid ever opening an attachment or accepting a link from the list without paying attention first. These kids wish they were real hackers and have something to prove. If you're running *nix in some form, which you obviously are, you'll have nothing to fear.



John Lalla
Santa Barbara CA

.~. _
/v\ -o)
no gates... /( )\ /\\ running GNU/Linux
no windows! ^^^^^ _\_v free at last!

"Only those who attempt the absurd can achieve the impossible."
"Those who would trade liberty for security deserve neither."
- Benjamin Franklin
< Previous Next >