Packet Capture/Audit (SANS Internet Storm Center InfoSec Forums)
Curious what others are using for full packet capturing and what you think best practices/methods are. I'm currently using daemonlogger and bash scripts to pull the relevant packets. I've used Shadow (long ago) and IDABench in the past. Did a test run of OpenFPC but didn't have much success with it on my Fedora boxes. Anyone using any commercial products?

JeffSoh (31 Posts)
Using snort or tcpdump with the -C switch will work. Or look at "Moloch" (… ) for a more complete solution.

Johannes (ISC Handler, 4477 Posts)
I am also using daemonlogger to implement a circular buffer of full packet captures. I have a custom application which watches snort and other logs for "important" events. When one happens, it goes to the pcap files, extracts the event as a flow and notifies the security team for analysis. This is all automated; there is no way we can watch this all manually (about 2GB per minute of pcaps).

Skip Carter (4 Posts)
That custom script sounds quite nice. I think I need to implement that as well.

Johannes (ISC Handler, 4477 Posts)
We mirror ports on a switch and simply run wireshark in whatever OS we need to use. It is brute force but very effective. We test wireless and wired connections very frequently with it. I am sure it would capture pretty much anything else we attached our system to. We even recently (last week) used this same system to capture packets from cellular modems. Not sure if this is what you are looking for or not.

Big "E" (9 Posts)
We're using Moloch now. Best solution we've come across so far. (Thanks for the tip, Dr. Ullrich.) My boss came across it too and he built the Elastic Search back end and we replaced daemonlogger with it, box by box. Ran into a snag with v. 0.9.1 where the capture process would stop writing out to the pcap; v. 0.9.2 seems to have fixed this. It's very fast, has good search capabilities, reconstructs files and images natively and has dozens of meta-indexed fields to search on. With a good IDS, Splunk with lots of log files feeding into it, and taps doing full packet capturing feeding Moloch, you've got a pretty rocking NSM, assuming you give Moloch and Splunk the horsepower they need to index all that data.

JeffSoh (31 Posts)
Sounds like you wrote a Regex script to pull pcaps on signature events from Snort. Just make sure you always pull pcaps from around that event. Don't assume that you are seeing the full attack/event from one pcap.

Anonymous

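The two pieces of advice above (Skip Carter's "watch snort, go to the ring buffer, extract the event as a flow" and the reminder to pull captures from around the event rather than from a single file) fit together in one small script. The following is an added example written for this thread, not code posted by any participant or shipped with daemonlogger, Snort or Moloch. Its assumptions: Snort's `alert_fast` line layout (TCP/UDP alerts only), a ring buffer whose files carry their epoch start time as a suffix (as daemonlogger does by default, but treat the naming as an assumption), a sensor clock in UTC, and constructed sample alerts and file names. It selects every capture file overlapping a time window around the alert, builds a BPF filter for both directions of the alerted 5-tuple, and returns the `tcpdump -r ... -w ...` commands that would carve the flow out; the notification step is left to whatever the team already uses.

```python
"""Added example: map a Snort fast-format alert to a bounded flow extraction
from a daemonlogger-style ring buffer. Not code from the thread; the alert
layout, file naming and UTC clock are assumptions."""
import re
from datetime import datetime, timezone

# Snort "alert_fast" layout (assumed). ICMP alerts carry no ports and won't match.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>TCP|UDP)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line, year):
    """Return a dict for one fast-format alert line, or None if it doesn't match.
    Fast alerts carry no year, so the caller supplies it (from the log's mtime, say)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["when"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    a["prio"] = int(a["prio"])
    return a


def flow_filter(a):
    """BPF expression matching both directions of the alerted 5-tuple."""
    return (f"{a['proto'].lower()} and host {a['src']} and host {a['dst']} "
            f"and port {a['sport']} and port {a['dport']}")


def select_capture_files(files, start, end):
    """files: {path: epoch_start}. A ring-buffer file is taken to cover from its own
    start until the next file's start (the newest one is still open).
    Returns the paths overlapping [start, end], oldest first."""
    ordered = sorted(files.items(), key=lambda kv: kv[1])
    chosen = []
    for i, (path, f_start) in enumerate(ordered):
        f_end = ordered[i + 1][1] if i + 1 < len(ordered) else float("inf")
        if f_start <= end and f_end >= start:
            chosen.append(path)
    return chosen


def plan_extraction(line, files, year, margin=120, min_priority=2, outdir="/tmp/flows"):
    """Build the carve-out plan for one alert: which ring files to read, the filter,
    and one tcpdump command per file (merge the pieces with mergecap afterwards).
    Snort priority 1 is the most severe, so alerts above min_priority are skipped."""
    a = parse_alert(line, year)
    if a is None or a["prio"] > min_priority:
        return None
    # Sensor clock assumed UTC so the alert time lines up with the epoch file names.
    t = a["when"].replace(tzinfo=timezone.utc).timestamp()
    paths = select_capture_files(files, t - margin, t + margin)
    bpf = flow_filter(a)
    out = f"{outdir}/sid{a['sid']}_{int(t)}.pcap"
    cmds = [["tcpdump", "-n", "-r", p, "-w", f"{out}.{i}", bpf]
            for i, p in enumerate(paths)]
    return {"sid": a["sid"], "msg": a["msg"], "files": paths,
            "filter": bpf, "commands": cmds, "output": out}


# Constructed sample alerts (RFC 5737 addresses, made-up sids and messages).
SAMPLE_ALERTS = [
    "03/14-10:22:31.123456  [**] [1:1000001:1] CONSTRUCTED test signature A [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:80 -> 198.51.100.5:51234",
    "03/14-10:22:40.000000  [**] [1:1000002:1] CONSTRUCTED low-priority noise [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {UDP} "
    "198.51.100.5:40000 -> 192.0.2.20:161",
]
# Constructed ring buffer: files started at 10:00, 10:20 and 10:25 UTC on 2013-03-14.
RING = {
    "/data/pcap/daemonlogger.pcap.1363255200": 1363255200,
    "/data/pcap/daemonlogger.pcap.1363256400": 1363256400,
    "/data/pcap/daemonlogger.pcap.1363256700": 1363256700,
}

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        plan = plan_extraction(line, RING, 2013, margin=300)
        if plan is None:
            print("skipped:", line[:40])
            continue
        print(plan["sid"], plan["msg"], "->", plan["files"])
        for cmd in plan["commands"]:
            print("  ", " ".join(cmd))
```

With the default two-minute margin the first alert maps to the single file that was being written at 10:22; widening the margin to five minutes pulls in the file before and the file after as well, which is exactly the "don't trust one pcap" point: the window, not the file boundary, should decide what gets carved out. The second alert is dropped by the priority threshold before any file is touched.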
