Firewall Wizards mailing list archives

Re: tcpdump installation on unix firewall?


From: Lance Spitzner <lance () stan ksni net>
Date: Tue, 31 Aug 1999 09:16:35 -0500 (CDT)

On Fri, 27 Aug 1999, Robert Graham wrote:

> Does it interfere with the FW-1 software?
> 
> Probably not. However, it can slow down the system. A better solution would be
> to set up a separate system logging the packets "promiscuously", monitoring the
> same wire as the firewall, but not actually installed on the firewall.

First, I am a big fan of using sniffers on the actual firewall for troubleshooting
purposes.  I personally believe the benefits for troubleshooting far outweigh
the risks.  

With FW-1, sniffers capture the packets BEFORE the FW-1 filter inspects the packets,
regardless of whether it drops/rejects/accepts them.  This way you can compare what packets
are actually going through the box to what the FW sees in its logs.  This has
proven invaluable to me in numerous troubleshooting scenarios.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
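Lance's troubleshooting approach, comparing what is on the wire with what the firewall logged, as an added example that is not part of the original thread: a small Python script that parses constructed tcpdump text output and a constructed, deliberately simplified firewall log export (a placeholder `action;src;dst;dport` layout, not FW-1's real log format) and reports the flows the firewall never logged.

```python
import re

# Constructed sample of tcpdump -n output captured on the firewall's interface.
TCPDUMP_LINES = """\
09:16:35.100 IP 10.1.1.5.40001 > 192.168.2.10.80: S 1:1(0) win 8192
09:16:35.120 IP 10.1.1.5.40002 > 192.168.2.10.23: S 1:1(0) win 8192
09:16:35.140 IP 10.1.1.7.40003 > 192.168.2.10.443: S 1:1(0) win 8192
"""

# Constructed, simplified firewall log export: action;src;dst;dst_port.
# Placeholder layout for illustration only, not Check Point's log format.
FW_LOG_LINES = """\
accept;10.1.1.5;192.168.2.10;80
drop;10.1.1.5;192.168.2.10;23
"""

# Matches "IP src.sport > dst.dport:" as printed by tcpdump -n.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_tcpdump(text):
    """Return (src, dst, dport) tuples for each packet line on the wire."""
    flows = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            flows.append((src, dst, int(dport)))
    return flows

def parse_fw_log(text):
    """Map (src, dst, dport) -> action as recorded by the firewall."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, dport = line.split(";")
        seen[(src, dst, int(dport))] = action
    return seen

def compare(wire_flows, fw_log):
    """For every flow seen on the wire, give the firewall's verdict or NOT LOGGED."""
    return {flow: fw_log.get(flow, "NOT LOGGED") for flow in wire_flows}

def unlogged_flows(wire_flows, fw_log):
    """Flows that crossed the wire but never appeared in the firewall log."""
    return sorted(f for f in set(wire_flows) if f not in fw_log)

if __name__ == "__main__":
    wire = parse_tcpdump(TCPDUMP_LINES)
    for flow, verdict in compare(wire, parse_fw_log(FW_LOG_LINES)).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
```

A flow reported as NOT LOGGED is the interesting case: the packet reached the box, but the rule base produced no log entry for it, which is exactly the gap this comparison is meant to expose.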
