
Capturing packets...


Denda

MIS
Oct 30, 2001
237
US
I know this may be the most stupid question here, but I'm having a heck of a time figuring this out...

We have NI Observer & a consultant (that is no longer here) created the setup to capture data & what not.. Long story short, the pc that Observer was on crashed. I re-installed the application, but am clueless on how to get it to capture packets again.. I can figure it out internally, but I can't figure out how to do it from the inside out.

I then read about how easy sniffer was, I downloaded the trial version & still can't figure it out.

We have some data that we ftp from an internal server to an external ftp server. Every once in a while the data does not get there... My firewall logs show everything is fine (checkpoint), but I know I need to see the actual data flowing from one port to the other... How can I do this on Observer or Sniffer?

Thanks a ton..
 
The simplest way to do so is installing the Sniffer or any analyzer on the client PC. Start capturing before you do everything on the client PC, such as the ftp session or web browsing. The analyzer of Sniffer captures all packets to and from the client PC.

Hope it is what you're looking for.
 
Thanks, but I understand how to produce the data I need sniffed. I just don't understand how to setup the outside (external) portion of it. Thanks anyways.
 
I am sorry if I misunderstood your question well. What do you mean by the outside (external) portion? Do you mean the physical connection of the NIC cable?
 
We have data that we ftp from our internal network through our firewall, then through the DMZ out to a customer's ftp server on their public ftp server. Some of our ftp's are not making it there per the customer. My firewall logs show that they get through the firewall fine, but I need a way to see the data after it leaves our firewall & out to the wild. Thanks
 
Put a sniffer between the firewall and the router.


I know what I know and that's all I know. What I don't know I'll find out.
 
I've built a sniffer laptop with 3 different IDS apps on it.. :eek:)

Snort
netasyst
packetyzer

Which would you suggest would be the best quick 'n dirty capture? Also, is there somewhere that I can research on how to hook the sniffer laptop up properly between the firewall & the router? I apologize for the stupid simplistic questions, but I'm really frustrated with myself on not doing this more often to keep up with it. The last time I did this was over a year ago & a consultant was here & showed me how to do it. Did I take notes? Of course not...

thank you in advance
 
Any one of those products would do the trick.

To put the sniffer between the firewall and the external router, you will need a smart switch or a hub; preferably a smart switch that can mirror ports. A hub would do it but will slow things down a bit. Besides, all you really want to know is where the files are going once they leave your firewall, right?

If you can, just as a test, put a PC/laptop outside and send the files and see if they get to their destination OK.

I know what I know and that's all I know. What I don't know I'll find out.
 
Thanks a ton. I'll try that & report back. Have a great day.
 
Well, there are two typical ways to do the capture.
First is spanning. Presuming the firewall is connected to a switch, just simply configure mirroring the port onto a span port which is connected to the analyzer.
Second way is tapping. It requires a passive network tap equipment to copy the traffic to the analyzer. But it requires a downtime to do so.
 
The tapping can be a very effective approach, especially if you're looking for layer 1 and layer 2 errors (which are discarded at port level by network switches and not propagated to the SPAN or mirror port). Keep in mind that with Sniffer or the other programs you've mentioned, you can look only at ingress or egress traffic one side at a time if this is a full duplex link.

There are a few solutions that enable you to see both sides of the full duplex conversation simultaneously.

1) expensive - a dual receive analyzer such as the Shmiti THG or the new Sniffer Distributed Full Duplex appliance

2) much cheaper but still a bit pricey - an aggregation tap that combines the two sides of the full duplex conversation and hands the single data stream off to a standard monitor card. These are known as "aggregation taps", are good for use in full duplex links with overall utilization up to but not exceeding 50%, and are available from several tap manufacturers.

Owen O'Neill
Datacom Systems Inc.
Northeastern SE
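An added example (not from this thread or any poster) of what the analysis side looks like once you have the two half-duplex streams Owen describes: merge the inbound and outbound captures by timestamp, the way an aggregation tap does in hardware, then walk the FTP control channel for STOR uploads that never received a "226 Transfer complete". The capture records are constructed sample data; the filenames and timestamps are made up.

```python
import heapq
from typing import List, Tuple

# Each record is (timestamp, direction, control-channel line).
# Constructed sample data standing in for two one-sided monitor captures.
Record = Tuple[float, str, str]

OUTBOUND: List[Record] = [  # client -> server, as seen on the egress side
    (1.00, "out", "USER reports"),
    (1.20, "out", "PASS ******"),
    (1.40, "out", "STOR daily_20011030.csv"),
    (5.00, "out", "STOR weekly_20011030.csv"),
    (9.00, "out", "QUIT"),
]
INBOUND: List[Record] = [  # server -> client, as seen on the ingress side
    (0.90, "in", "220 FTP server ready"),
    (1.10, "in", "331 Password required"),
    (1.30, "in", "230 Logged in"),
    (1.50, "in", "150 Opening data connection"),
    (3.00, "in", "226 Transfer complete"),
    (5.10, "in", "150 Opening data connection"),
    # no 226 follows the second STOR: that file never fully arrived
    (9.10, "in", "221 Goodbye"),
]

def merge_sides(*sides: List[Record]) -> List[Record]:
    """Interleave per-direction captures by timestamp (a software aggregation tap)."""
    return list(heapq.merge(*sides, key=lambda r: r[0]))

def incomplete_uploads(conversation: List[Record]) -> List[str]:
    """Return filenames whose STOR saw no 226 before the next client command or end."""
    pending = None   # filename of the upload currently awaiting completion
    failed = []
    for _, direction, line in conversation:
        if direction == "out":
            if pending is not None:      # next command arrived without a 226
                failed.append(pending)
                pending = None
            if line.startswith("STOR "):
                pending = line.split(" ", 1)[1]
        elif line.startswith("226") and pending is not None:
            pending = None               # server confirmed the transfer
    if pending is not None:
        failed.append(pending)
    return failed

if __name__ == "__main__":
    print(incomplete_uploads(merge_sides(OUTBOUND, INBOUND)))
```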
 