Re: TCPDUMP ... Logging far too much traffic ?

From: Brad Arlt (arlt@cpsc.ucalgary.ca)
Date: 10/08/02


Date: Tue, 8 Oct 2002 11:20:41 -0600
From: Brad Arlt <arlt@cpsc.ucalgary.ca>
To: counterping@uk2.net

On Tue, Oct 08, 2002 at 02:32:09PM +0000, counterping@uk2.net wrote:
> Newbie to the World of TCPDUMP.
>
> I am running Snort IDS.
> I have recently been interested in also logging ALL traffic that comes in/out
> my network via TCPDUMP (ip headers at least).
> This is really for the purpose of Forensics etc etc and would be cool to zip up
> and store away.
>
> In the future I would also like to install SHADOW at some point to run these
> dumps for anomalies.
>
> However, the amount of data is silly !!
> 200 MB per HOUR !! This is far too much data to log and store away ?

You have a slow network ;)

> My question being ....
> Does anyone log ALL IP Headers IN+OUT of their Networks ?
> Should we be doing this ? Is it a good idea to take this approach ?
> Any ideas suggestions would be appreciated.

Cisco has something called (I think) NetFlow. It records connections
(who was involved, start time, and duration). This is likely as far
as you want to go.

I thought about doing something similar as yourself, but the amount of
data is downright silly.

Unless you are doing an active investigation (in which case you want
*all* the packets), I would give up on trying to gather all TCP/IP
headers. Stick with connections and "weird" packets (all or none of
the TCP connection state flags set; that sort of thing). The
"everything is ok" alarm gets tiresome and costly after a while.

ntop or iptraf might do what you are after without the obscene amount
of storage. I don't recall the URLs, search google.ca or
securityfocus.com.

PS Make sure the tcpdump session isn't sniffing your tcpdump session
        going back over an ssh (or other remote connection).
        *That* generates a bit of network traffic too.
-----------------------------------------------------------------------
   __o Bradley Arlt Security Team Lead
 _ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) I should be biking right now. Computer Science
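An added example (mine, not code from the thread) of the approach Brad suggests: keep NetFlow-style connection records (who, start time, duration) plus only the "weird" packets where none or all of the TCP flags are set, instead of archiving every header. The packet records are constructed; the tcpdump filter string is my equivalent wording of the same flag test.

```python
# Added example: connection summaries plus "weird" TCP flag detection,
# as a storage-friendly alternative to logging every IP header.
from collections import namedtuple

# Constructed packet records: (timestamp, src, sport, dst, dport, tcp_flags_byte)
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # 0x3f, low six bits of TCP byte 13

# Equivalent tcpdump capture filter (assumption: my wording, not from the thread):
# byte 13 of the TCP header carries the flags.
WEIRD_FILTER = "tcp[13] & 0x3f == 0 or tcp[13] & 0x3f == 0x3f"

def is_weird(flags):
    """'Weird' in the sense of the reply: none or all of the state flags set."""
    return (flags & ALL_FLAGS) in (0, ALL_FLAGS)

def flow_key(p):
    """Direction-independent endpoint pair so both halves of a connection share a record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def summarize(packets):
    """Return ({flow_key: record}, [weird packets]) from a list of Pkt."""
    flows, weird = {}, []
    for p in sorted(packets, key=lambda q: q.ts):
        if is_weird(p.flags):
            weird.append(p)
        rec = flows.setdefault(flow_key(p),
                               {"start": p.ts, "end": p.ts, "packets": 0, "initiator": None})
        rec["end"] = p.ts
        rec["packets"] += 1
        if p.flags & SYN and not p.flags & ACK and rec["initiator"] is None:
            rec["initiator"] = (p.src, p.sport)  # bare SYN marks who opened the connection
    for rec in flows.values():
        rec["duration"] = rec["end"] - rec["start"]
    return flows, weird

# Constructed sample: one ordinary web connection plus two oddly-flagged probes.
SAMPLE = [
    Pkt(1000.0, "10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    Pkt(1000.1, "192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    Pkt(1000.2, "10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    Pkt(1003.0, "10.0.0.5", 40000, "192.0.2.10", 80, PSH | ACK),
    Pkt(1012.5, "192.0.2.10", 80, "10.0.0.5", 40000, FIN | ACK),
    Pkt(1005.0, "198.51.100.7", 31337, "10.0.0.5", 22, 0),          # no flags at all
    Pkt(1006.0, "198.51.100.7", 31337, "10.0.0.5", 22, ALL_FLAGS),  # every flag set
]

if __name__ == "__main__":
    flows, weird = summarize(SAMPLE)
    for key, rec in flows.items():
        print(key, rec)
    print("weird packets:", len(weird))
```

Seven packets collapse into two connection records and two retained packets; the same `WEIRD_FILTER` expression can be handed to tcpdump to capture only the probes.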
