Monitoring port?

soft0 · Dec 11, 2006, 9:58 AM

Is there a function like monitoring port? (or monitoring ip?) so you send all information to another computer for analysis?

hoba · Dec 11, 2006, 10:32 AM

status>systemlog, settings. Set up a remote syslogserver and send your logs there. Additionally you can monitor by using services>snmp.

soft0 · Dec 11, 2006, 1:53 PM

@hoba:

status>systemlog, settings. Set up a remote syslogserver and send your logs there. Additionally you can monitor by using services>snmp.

But the syslogserver does only handle the logs. I want o have all the data to another computer for analysing. Lots of switches has the option "monitoring port" then it sends all the data that goes through the switch to this port….

hoba · Dec 11, 2006, 4:09 PM

You want to sniff your clients connections? That's not doable yet. You have to use a switch which is capable to do so or simply a hub.

soft0 · Dec 11, 2006, 5:37 PM

Since i didnt find the option in pfsense i thougt about the hub-thingie, before… thats a workable sollution, to still have my clients in a switched environment i could set it up like this.

pfsense -> hub -> switch -> clients

and just have the "listening computer" connected to the hub...

I'll guess i have to do so untill the function "appears" :)

Thanks for the help!

squarepusher · Dec 11, 2006, 5:43 PM

Man in the middle attack with the help of arp-poisioning works well in a switched enviroment, the only downside is that it might add alot of latency in the local network. Have a look at:
http://ettercap.sourceforge.net/

hoba · Dec 11, 2006, 8:23 PM

http://www.oxid.it/cain.html is very powerfull for arp poisened sniffing too but these kind of stuff can be detected. the Hub is probably the easier more "invisible" way to do it.