[tcpdump] Rotating pcaps vs port-mirror switch/appliance

IOerror

I was planning on doing 50 captures at 10MB a piece.  Should be small enough for Wireshark to handle.

BBcan177

http://blog.securityonion.net/p/securityonion.html
‎
‎https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
‎
‎https://groups.google.com/forum/#!forum/security-onion
‎
‎You can also disable the IDS/HIDS and just use it for full packet capture.

Derelict

@IOerror:

I was planning on doing 50 captures at 10MB a piece.  Should be small enough for Wireshark to handle.

I would test it and see how big you can make them, not guess at it.

johnpoz

There use to be a perfect tool for this.. http://www.colasoft.com/nchronos/ had a FREE version was really sweet..  But they got rid of the free version, and the cost makes it prohibitive for home use..

I would be interested if there was some sort of RNA appliance or packetvault appliance that could be setup.. I have been looking for an alternative to nchronos off an on since it stopped being free and have not found a good solution.

BBcan177

I would be interested if there was some sort of RNA appliance or packetvault appliance that could be setup.. I have been looking for an alternative to nchronos off an on since it stopped being free and have not found a good solution.

Have you tried S.O. It has all those features.

johnpoz

Security Onion?  Yeah so those links haven't played with in quite some time have to look into that option.

IOerror

All,

Thanks for the quick replies!  As to the suggestions for Security Onion, I was already planning on this once I find a suitable bit of kit.  Frankly though, learning an entire new system is a bit much for something I'm trying to learn step by step.  I did get the message though, thank you.

While researching this, I still haven't found a way to capture decrypted OpenVPN traffic.  Is there a way to forward all VPN traffic from pfSense to my monitor (second NIC presumably)?  If I had a dedicated VPN device, this would be trivial.

Regards,
IOerror

johnpoz

If you capture the traffic on the lan side of pfsense, than any vpn traffic would already be decrypted..  Any traffic inside a ssl/tls connection is going to be encrypted as well.

IOerror

So I tried what you suggested and was not able to capture any OpenVPN traffic across the LAN interface.  All I could find was State mappings for my WAN interface to my ovpns1 interface.  The only traffic I could see hit my LAN interface was when the destination was a LAN host.  So it seems that if I want to capture decrypted OpenVPN traffic, I would need to monitor the ovpns1 interface which is a virtual interface.

This is as it should be.  OpenVPN is a seperate collision domain, thus I would not see any of that traffic on my LAN.  So this leads me back to the same problem, how do I capture OpenVPN traffic with a dedicated packet capture device?  Theoretically, I could create a bridge between OPT1 and ovpn1s, then monitor there. I'm not even sure if this is possible (or advisable).  If it is, I imagine it would be an ugly hack.

Regards,
IOerror

NOYB

If you have the private key, Wireshark should be able to decrypt the traffic, I think.  I know it can for https, have never done with OpenVPN though.  Maybe someone can confirm yea or nay.

johnpoz

When I meant to capture decrypted traffic to your lan I figured you would be sniffing on a span port somewhere.  But if you sniff on pfsense lan you should see all traffic in and out of that interface.