Re: [SLE] Looking for info on setting up a packet sniffer

19 May 2004

      On 18.05.04,17:25, Stuart Powell wrote:
...
Hello, everyone.
I have a SuSE 9.0 Pro machine set up with a pair of NICs that I need to
use as a packet sniffer to help diagnose an issue with a Watchguard
Firebox sitting on RoadRunner's residential cable network.  Since
RoadRunner only gives out one IP address at a time, based on MAC
address, I want to have one NIC live on the inside of the firewall so I
can access the machine as usual on the LAN, and the other should be on
the outside of the firewall (via a hub) but be set up so as to not have
an IP address.  This is for two reasons:
1.  As the second device behind the cable modem, it won't get an IP
address.
2.  So that it cannot be accessed from the Internet directly as it
won't have an IP address to attack it on.
Of course, the card also needs to be in promiscuous mode in order to
accept ALL packets from the network segment.
Does anyone have any links to sites or documents that would tell me how
to set all this up ?  I've Googled it but there's just too much dross to
wade through.  I've used Ethereal in the past but never on a
non-addressable interface, so I don't even know if it will do it.  I'm
also open to suggestions on what other packet sniffing utilities might
be worth using instead of Ethereal.  I fairly sure it can be done, as
the Oculan device does its IDS functions (which is packet capturing) on
a non-addressable interface and that's a Linux based device.
In case it matters to anyone, the Watchguard Firebox (Linux based
device) works great for about 28hours, at which point traffic just stops
flowing.  We suspect a DHCP issue, but neither the Netmaster GG-Blade
(also Linux based) nor the  Sonicwall Tele3TZX have been affected by
this problem.  The Watchguard support guys asked me to put the sniffer
out there to see if we can try and see what is happening right before
the traffic stops flowing.  A quick reboot of the Firebox brings it back
to life for another 28hrs or so.
References:
http://www.watchguard.com/
http://www.sonicwall.com/
http://www.netmaster.com/
http://www.ethereal.com/
http://www.oculan.com/
Thanks much,
Stuart.
You might try to use Snort as a sniffer: 

http://www.snort.org/

By setting it up with the right logging you should be able to find out 
some clues about the Firebox. 

http://www.snort.org/docs/snort_manual/node5.html

Ethereal should be able to work with these data. 

- Jostein

-- 
Jostein Berntsen 