[tcpdump] Rotating pcaps vs port-mirror switch/appliance
-
I was planning on doing 50 captures at 10MB a piece. Should be small enough for Wireshark to handle.
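As an added illustration of the ring-buffer rotation described above (this is not code from the thread or from tcpdump itself): a small Python writer that mimics what `tcpdump -C 10 -W 50 -w file` does, writing classic pcap files that Wireshark opens directly and overwriting the oldest file once the count is reached. The file naming and the 1,000,000-byte unit for `-C` follow tcpdump's documented behaviour; the packets fed to it are constructed dummy bytes.

```python
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, the link type tcpdump writes for an Ethernet capture

def pcap_global_header(snaplen=262144, linktype=LINKTYPE_ETHERNET):
    """24-byte pcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(pkt, ts=None):
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt

class PcapRing:
    """Ring of capture files like tcpdump -C <MB> -W <count>: rotate at the size limit, reuse the oldest."""
    def __init__(self, base, size_mb, count):
        self.base = base
        self.limit = size_mb * 1_000_000   # tcpdump -C counts millions of bytes, not MiB
        self.count = count
        self.width = len(str(count))       # tcpdump zero-pads the suffix to the width of -W
        self.index = 0
        self.rotations = 0
        self._open()

    def path(self, i):
        return f"{self.base}{i:0{self.width}d}"

    def _open(self):
        self.fh = open(self.path(self.index), "wb")   # truncating open is how the oldest file is reused
        self.fh.write(pcap_global_header())
        self.written = self.fh.tell()

    def write(self, pkt, ts=None):
        """Append one packet; returns True if this write rotated to a new file."""
        rec = pcap_record(pkt, ts)
        rotated = self.written + len(rec) > self.limit
        if rotated:
            self.fh.close()
            self.index = (self.index + 1) % self.count   # wrap around, like -W
            self.rotations += 1
            self._open()
        self.fh.write(rec)
        self.written += len(rec)
        return rotated

    def close(self):
        self.fh.close()
```

With the numbers above (size_mb=10, count=50) the ring never holds more than about 500 MB on disk, and each file stays small enough to open in Wireshark.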
-
http://blog.securityonion.net/p/securityonion.html
https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
https://groups.google.com/forum/#!forum/security-onion
You can also disable the IDS/HIDS and just use it for full packet capture.
-
I was planning on doing 50 captures at 10MB a piece. Should be small enough for Wireshark to handle.
I would test it and see how big you can make them, not guess at it.
-
There used to be a perfect tool for this.. http://www.colasoft.com/nchronos/ had a FREE version; it was really sweet.. But they got rid of the free version, and the cost makes it prohibitive for home use..
I would be interested if there was some sort of RNA appliance or packetvault appliance that could be set up.. I have been looking for an alternative to nchronos off and on since it stopped being free and have not found a good solution.
-
I would be interested if there was some sort of RNA appliance or packetvault appliance that could be set up.. I have been looking for an alternative to nchronos off and on since it stopped being free and have not found a good solution.
Have you tried S.O.? It has all those features.
-
Security Onion? Yeah, so those links... I haven't played with it in quite some time; I'll have to look into that option.
-
All,
Thanks for the quick replies! As to the suggestions for Security Onion, I was already planning on this once I find a suitable bit of kit. Frankly though, learning an entire new system is a bit much for something I'm trying to learn step by step. I did get the message though, thank you.
While researching this, I still haven't found a way to capture decrypted OpenVPN traffic. Is there a way to forward all VPN traffic from pfSense to my monitor (second NIC presumably)? If I had a dedicated VPN device, this would be trivial.
Regards,
IOerror
-
If you capture the traffic on the LAN side of pfSense, then any VPN traffic would already be decrypted.. Any traffic inside an SSL/TLS connection is going to be encrypted as well.
-
So I tried what you suggested and was not able to capture any OpenVPN traffic across the LAN interface. All I could find was State mappings for my WAN interface to my ovpns1 interface. The only traffic I could see hit my LAN interface was when the destination was a LAN host. So it seems that if I want to capture decrypted OpenVPN traffic, I would need to monitor the ovpns1 interface which is a virtual interface.
This is as it should be. OpenVPN is a separate collision domain, thus I would not see any of that traffic on my LAN. So this leads me back to the same problem: how do I capture OpenVPN traffic with a dedicated packet capture device? Theoretically, I could create a bridge between OPT1 and ovpns1, then monitor there. I'm not even sure if this is possible (or advisable). If it is, I imagine it would be an ugly hack.
Regards,
IOerror
-
If you have the private key, Wireshark should be able to decrypt the traffic, I think. I know it can for HTTPS, but I have never done it with OpenVPN. Maybe someone can confirm yea or nay.
-
When I said to capture decrypted traffic on your LAN, I figured you would be sniffing on a span port somewhere. But if you sniff on the pfSense LAN you should see all traffic in and out of that interface.