On 18.05.04, 17:25, Stuart Powell wrote:
Hello, everyone.
I have a SuSE 9.0 Pro machine set up with a pair of NICs that I need to use as a packet sniffer to help diagnose an issue with a Watchguard Firebox sitting on RoadRunner's residential cable network. Since RoadRunner only gives out one IP address at a time, based on MAC address, I want to have one NIC live on the inside of the firewall so I can access the machine as usual on the LAN, and the other should be on the outside of the firewall (via a hub) but be set up so as to not have an IP address. This is for two reasons:
1. As the second device behind the cable modem, it won't get an IP address.
2. So that it cannot be accessed from the Internet directly, as it won't have an IP address to attack it on.
Of course, the card also needs to be in promiscuous mode in order to accept ALL packets from the network segment.
Does anyone have any links to sites or documents that would tell me how to set all this up? I've Googled it but there's just too much dross to wade through. I've used Ethereal in the past but never on a non-addressable interface, so I don't even know if it will do it. I'm also open to suggestions on what other packet sniffing utilities might be worth using instead of Ethereal. I'm fairly sure it can be done, as the Oculan device does its IDS functions (which is packet capturing) on a non-addressable interface and that's a Linux based device.
In case it matters to anyone, the Watchguard Firebox (Linux based device) works great for about 28 hours, at which point traffic just stops flowing. We suspect a DHCP issue, but neither the Netmaster GG-Blade (also Linux based) nor the Sonicwall Tele3TZX have been affected by this problem. The Watchguard support guys asked me to put the sniffer out there to see if we can try and see what is happening right before the traffic stops flowing. A quick reboot of the Firebox brings it back to life for another 28 hrs or so.
References:
http://www.watchguard.com/
http://www.sonicwall.com/
http://www.netmaster.com/
http://www.ethereal.com/
http://www.oculan.com/
Thanks much, Stuart.
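One way to set up the capture-only interface Stuart describes, as an added example that is not part of the thread or of any of the products named in it: bring the outside NIC up with no IP address and in promiscuous mode, confirm it really has no IPv4 address before capturing, and write a ring of pcap files that Ethereal can open later. The interface name eth1, the capture directory and the file sizes are assumptions; tcpdump is used for the capture because it runs unattended for the 28-hour window more easily than an interactive Ethereal session.

```shell
#!/bin/sh
# Added example, not code from the original thread. Sets up a capture-only
# NIC (assumed name: eth1) with no IP address, checks it, then captures.
set -e

CAPDIR="${CAPDIR:-/var/tmp/capture}"   # assumed location for the pcap files

# Bring the interface up without assigning an address. The kernel still hands
# frames to a capture socket, but nothing on the cable segment can address
# the box through this NIC. The ifconfig form is what a 2004-era SuSE box
# would have; the iproute2 form is the equivalent on newer systems.
iface_up_unaddressed() {
    ifconfig "$1" 0.0.0.0 promisc up 2>/dev/null \
        || ip link set dev "$1" up promisc on
}

# Count IPv4 address lines in the text of `ip -4 addr show dev IFACE` or
# `ifconfig IFACE`. Reads stdin so the check can be exercised on sample
# output; "inet6" lines deliberately do not match (no space after "inet").
count_ipv4_addrs() {
    grep -c -E '^[[:space:]]*inet ' || true
}

# Refuse to capture if the interface somehow picked up an address (e.g. a
# DHCP client bound to it), since that would make the sniffer reachable.
verify_unaddressed() {
    n=$(ip -4 addr show dev "$1" 2>/dev/null | count_ipv4_addrs)
    [ "$n" -eq 0 ]
}

# Capture full frames (-s 0) without DNS lookups (-n; an unaddressed NIC
# could not resolve names anyway) into a ring of 40 files of 50 MB each, so
# waiting a day for the fault does not fill the disk. tcpdump enables
# promiscuous mode itself unless -p is given; the explicit promisc above is
# belt and braces. An optional BPF filter may follow the interface name.
start_capture() {
    iface="$1"; shift
    mkdir -p "$CAPDIR"
    tcpdump -i "$iface" -n -s 0 -C 50 -W 40 -w "$CAPDIR/firebox.pcap" "$@"
}

main() {
    iface_up_unaddressed "$1"
    if verify_unaddressed "$1"; then
        # Suspected DHCP problem: keep the ring small by capturing only
        # DHCP and ARP. Drop the filter to capture everything.
        start_capture "$1" 'port 67 or port 68 or arp'
    else
        echo "$1 still has an IPv4 address; not capturing" >&2
        exit 1
    fi
}

# Usage (as root): sh sniffer.sh eth1
if [ $# -gt 0 ]; then
    main "$1"
fi
```

The resulting `firebox.pcap0`, `firebox.pcap1`, ... files open directly in Ethereal, so the capture can run headless on the box and be read back over the inside NIC afterwards.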
You might try to use Snort as a sniffer:
http://www.snort.org/
By setting it up with the right logging you should be able to find out some clues about the Firebox.
http://www.snort.org/docs/snort_manual/node5.html
Ethereal should be able to work with these data.
- Jostein
--
Jostein Berntsen