On 03/03/10 08:10, Raymond Norton wrote:
> I need to set up a box at our pop to sniff inbound and outbound traffic.
> I want to set it up as a passive device, or connect to a monitoring port
> on our switch, so if the box fails it does not kill our traffic. The
> device will need to be able to monitor thousands of connections without
> choking. I am pretty sure I would only turn it on when it seemed there
> was suspicious traffic at one of our member schools. Any recommendations
> of a stable solution with a nice interface??
>
> Raymond
>

YAY a fun question!!!

I believe tcpdump/libpcap would be the de facto standard. Plenty of options, runs via the terminal and has no dependency on X. If you want to use a PCAP port on a switch (best way) then nothing you can do on the sniffer box will interfere with any traffic. The issue I tend to run into is processing power and speed of the NIC.

The device I usually use has two NICs: one for the actual packet capture, the other is on the local segment and writes the PCAPs to a remote NFS server for safe keeping and later analysis using Wireshark, which has that nice interface, but also requires X and a window manager (or Windows). You could also substitute Wireshark for tcpdump, but being that it is a resource hog, it tends to lag and miss packets when used solely for packet capture, especially under heavy loads.

This option will produce an awful lot of data to go through by hand, but it can be filtered according to your suspicions.

You may also want to look into an IDS if you are worried about possible intrusions, such as SNORT (the meat of the IDS/sigs/etc.) and BASE (for analyzing Snort's findings). Again, if this was located on a PCAP port, it will not interfere with normal traffic.

Keep in mind, this should be kept as confidential as possible, as there may be passwords and usernames floating around your PCAP files.

~Mr. MailingLists

Bah, Brian you beat me to it ;-)

Cheers!
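The reply above describes writing tcpdump capture files to an NFS share and later filtering them "according to your suspicions". As an added example (my own code, not from the list post and not part of tcpdump, libpcap or Wireshark), here is a minimal reader for the classic libpcap file format that decodes the Ethernet/IPv4/TCP headers and summarises flows, optionally narrowed to one host or port, the way you would pull out traffic for a single school from a large capture. The traffic embedded in it is constructed for the example; the addresses 10.0.0.x and 192.0.2.x (TEST-NET) are placeholders, not real hosts.

```python
import struct
from collections import Counter


def parse_pcap(data):
    """Yield (timestamp, frame) records from a classic libpcap file.

    Handles both byte orders of the magic number and refuses anything
    that is not LINKTYPE_ETHERNET (1), since decode_tcp assumes Ethernet.
    """
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IP header length
    if frame[23] != 6:                                    # protocol != TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:                                     # truncated by snaplen
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (src, sport, dst, dport)


def flow_summary(pcap_bytes, host=None, port=None):
    """Count packets per TCP 5-tuple, keeping only flows touching host/port if given."""
    counts = Counter()
    for _, frame in parse_pcap(pcap_bytes):
        t = decode_tcp(frame)
        if t is None:
            continue
        src, sport, dst, dport = t
        if host is not None and host not in (src, dst):
            continue
        if port is not None and port not in (sport, dport):
            continue
        counts[t] += 1
    return counts


# --- constructed sample capture (placeholder addresses, not real traffic) ---

def _tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def _build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


ARP_FRAME = (b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28)

SAMPLE_PCAP = _build_pcap([
    (1267600000, _tcp_frame("10.0.0.5", "192.0.2.10", 51000, 80, b"GET / ")),
    (1267600001, _tcp_frame("10.0.0.5", "192.0.2.10", 51000, 80)),
    (1267600002, ARP_FRAME),                                  # skipped: not IPv4
    (1267600003, _tcp_frame("10.0.0.7", "10.0.0.5", 40000, 22)),
])

if __name__ == "__main__":
    for flow, n in flow_summary(SAMPLE_PCAP, host="10.0.0.5").items():
        print("%s:%d -> %s:%d  %d packets" % (flow + (n,)))
```

The same `flow_summary()` works on a real tcpdump output file read with `open(path, "rb").read()`, as long as it was captured on Ethernet in the classic (non-pcapng) format; a capture spilled onto an NFS share should be read-only to the analysis host, given the credentials it may contain.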