On 03/03/10 08:10, Raymond Norton wrote:
> I need to set up a box at our pop to sniff inbound and outbound traffic.
> I want to set it up as a passive device, or connect to a monitoring port
> on our switch, so if the box fails it does not kill our traffic. The
> device will need to be able to monitor thousands of connections without
> choking. I am pretty sure I would only turn it on when it seemed there
> was suspicious traffic at one of our member schools. Any recommendations
> of a stable solution with a nice interface??
>
> Raymond
>    
YAY a fun question!!!

I believe tcpdump/libpcap would be the de facto standard. Plenty of 
options, runs via the terminal and has no dependency on X. If you want 
to use a PCAP port on a switch (best way) then nothing you can do on the 
sniffer box will interfere with any traffic. The issue I tend to run 
into is processing power and speed of the NIC.

The device I usually use has two NICs, one for the actual packet 
capture, the other is on the local segment and writes the PCAPs to a 
remote NFS server for safe keeping and later analysis using Wireshark, 
which has that nice interface, but also requires X and a window manager 
(or Windows). You could also substitute Wireshark for tcpdump, but it 
is a resource hog and tends to lag and miss packets when used 
solely for packet capture, especially under heavy loads.

This option will produce an awful lot of data to go through by hand, but 
it can be filtered according to your suspicions.

You may also want to look into an IDS if you are worried about possible 
intrusions, such as SNORT (the meat of the IDS/sigs/etc..) and BASE (for 
analyzing Snort's findings). Again, if this were located on a PCAP port, 
it would not interfere with normal traffic.

Keep in mind, this should be kept as confidential as possible, as there may 
be passwords and usernames floating around your PCAP files.

~Mr. MailingLists

Bah, Brian you beat me to it ;-) Cheers!
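Added example, not from this thread: a stdlib-only Python script that reads the classic libpcap format tcpdump -w produces and tallies packets and bytes per TCP connection, so a large capture pulled off the NFS share can be triaged for the busiest flows before opening it in Wireshark. The frame and pcap builders only generate constructed sample data (the 10.0.0.x and 192.0.2.x addresses are made up).

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # magic as read little-endian from a little-endian pcap
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic read little-endian from a big-endian pcap

def build_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"A" * payload_len

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def flow_summary(pcap_bytes):
    """Map (src, sport, dst, dport) -> [packets, captured bytes]; skips non-IPv4/non-TCP."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    flows, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]   # incl honours tcpdump -s snaplen
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if len(ip) < 20 or ip[9] != 6:                        # TCP protocol only
            continue
        tcp = frame[14 + ihl:14 + ihl + 4]
        if len(tcp) < 4:
            continue
        sport, dport = struct.unpack("!HH", tcp)
        key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
        entry = flows.setdefault(key, [0, 0])
        entry[0] += 1
        entry[1] += len(frame)
    return flows

def top_flows(flows, n=5):
    """Busiest flows by captured bytes, the first thing to eyeball in a big capture."""
    return sorted(flows.items(), key=lambda kv: kv[1][1], reverse=True)[:n]
```

Point it at a real file with flow_summary(open("capture.pcap", "rb").read()); pcapng files (newer Wireshark default) have a different magic and are rejected.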