Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [tcpdump] Rotating pcaps vs port-mirror switch/appliance

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 5 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I Offline
      IOerror
      last edited by

      Hi All,

      So I'm wanting to capture all traffic between my modem and my pfSense box and save it to my file server to analysis later.  I'm working on setting up a dedicated pcap appliance with a port mirror in the near future, but until then I'd like to try this.  Disclaimer: This is a private home network, not a business.  I own all hosts behind the firewall.

      Here's what I plan on doing:

      1.) Mount share at boot, /media/pcaps (fstab)
      2.) Setup a cron job to start tcpdump (or restart if it stops running)
      3.) Setup a netflow probe to monitor for large spikes in traffic and review that time frame later

      So here's my setup:

      [Internet]–--[Modem]–--[em0-WAN:pfSense:LAN-em1]–--[Switch/WiFi AP]–-[FreeNAS, hosts, NetFlow/Syslog server]

      Hardware:
      Intel D2500CCE Mini-ITX (Atom D2500 1.86GHz dual core)
      –Dual Intel 82574L NICs
      4GB DDR3-1333 RAM
      Intel 64GB SSD (overkill, I know, was just laying around collecting dust)
      Intel PRO/1000 PCI Gigabit NIC (soon, in the mail)

      Goals:
      Capture all traffic on WAN interface and OpenVPN clients (dunno if this is doable)
      Rotate 50*10MB pcaps, with 500MB in total (for now).  Goal is to try and have 30 days worth of data.
      Write a script to copy data from timestamp x until timestamp Y into a seperate file (huge spike happened, grab it, analyze it)

      Concerns:
      1.) Is this a bad idea?  Should I just wait until I have a dedicated box with a port-mirror capable switch/hub?
      2.) Will this eat up CPU cycles?  If so, can I force tcpdump to run on one core to minimize impact?
      3.) Will this capture all traffic before rules are applied or after?
      4.) Should I adjust the tcpdump buffer?
      5.) What are the best tcpdump options to use?
      -- Here's what I'm planning right now: 'tcpdump -i em0 -s 0 -B 1024 -KSfnNvvvXX -C 10 -W 50 -w /media/pcaps/em0.pcap'
      6.) Any suggestions for a good free netflow monitor that'll run on a Raspberry Pi?

      Thanks in advance!

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        I would size the pcap files to something your wireshark can comfortably load.  Then keep as many of those as you need for the buffer size you want.

        You can filter larger files then load into wireshark but that's a pain.

        Would I do this at all on my firewall?  Probably not. I'd build the host and use a mirror port on the outside switch.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • I Offline
          IOerror
          last edited by

          I was planning on doing 50 captures at 10MB a piece.  Should be small enough for Wireshark to handle.

          1 Reply Last reply Reply Quote 0
          • BBcan177B Offline
            BBcan177 Moderator
            last edited by

            http://blog.securityonion.net/p/securityonion.html
            ‎
            ‎https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
            ‎
            ‎https://groups.google.com/forum/#!forum/security-onion
            ‎
            ‎You can also disable the IDS/HIDS and just use it for full packet capture.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by

              @IOerror:

              I was planning on doing 50 captures at 10MB a piece.  Should be small enough for Wireshark to handle.

              I would test it and see how big you can make them, not guess at it.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

                There use to be a perfect tool for this.. http://www.colasoft.com/nchronos/ had a FREE version was really sweet..  But they got rid of the free version, and the cost makes it prohibitive for home use..

                I would be interested if there was some sort of RNA appliance or packetvault appliance that could be setup.. I have been looking for an alternative to nchronos off an on since it stopped being free and have not found a good solution.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • BBcan177B Offline
                  BBcan177 Moderator
                  last edited by

                  I would be interested if there was some sort of RNA appliance or packetvault appliance that could be setup.. I have been looking for an alternative to nchronos off an on since it stopped being free and have not found a good solution.

                  Have you tried S.O. It has all those features.

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Security Onion?  Yeah so those links haven't played with in quite some time have to look into that option.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • I Offline
                      IOerror
                      last edited by

                      All,

                      Thanks for the quick replies!  As to the suggestions for Security Onion, I was already planning on this once I find a suitable bit of kit.  Frankly though, learning an entire new system is a bit much for something I'm trying to learn step by step.  I did get the message though, thank you.

                      While researching this, I still haven't found a way to capture decrypted OpenVPN traffic.  Is there a way to forward all VPN traffic from pfSense to my monitor (second NIC presumably)?  If I had a dedicated VPN device, this would be trivial.

                      Regards,
                      IOerror

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        If you capture the traffic on the lan side of pfsense, than any vpn traffic would already be decrypted..  Any traffic inside a ssl/tls connection is going to be encrypted as well.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • I Offline
                          IOerror
                          last edited by

                          So I tried what you suggested and was not able to capture any OpenVPN traffic across the LAN interface.  All I could find was State mappings for my WAN interface to my ovpns1 interface.  The only traffic I could see hit my LAN interface was when the destination was a LAN host.  So it seems that if I want to capture decrypted OpenVPN traffic, I would need to monitor the ovpns1 interface which is a virtual interface.

                          This is as it should be.  OpenVPN is a seperate collision domain, thus I would not see any of that traffic on my LAN.  So this leads me back to the same problem, how do I capture OpenVPN traffic with a dedicated packet capture device?  Theoretically, I could create a bridge between OPT1 and ovpn1s, then monitor there. I'm not even sure if this is possible (or advisable).  If it is, I imagine it would be an ugly hack.

                          Regards,
                          IOerror

                          1 Reply Last reply Reply Quote 0
                          • N Offline
                            NOYB
                            last edited by

                            If you have the private key, Wireshark should be able to decrypt the traffic, I think.  I know it can for https, have never done with OpenVPN though.  Maybe someone can confirm yea or nay.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              When I meant to capture decrypted traffic to your lan I figured you would be sniffing on a span port somewhere.  But if you sniff on pfsense lan you should see all traffic in and out of that interface.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.