Re: WinPcap 3.0 supports remote capture

["sunzi" <sunzi () mod-x co uk>]

Agreed!

I've been toying with a couple concepts, mostly for remote servers/lan's,
where, in order to see the actual packet, you have to login to the triggered
sensor and retreive it. This seems to be a first step in being able to
produce a complete picture in a centralized location from many remote
locations.

My initial scenario was a SOC in 'Company HQ' and many sensors at remote
locations, with no remote expertise to manage them. This scenario would
still have remote sensing, but still allow the centralized SOC to have the
info at their fingertips instead of having to do a remote login, or walk the
local admin through picking the relevant files from the sensors.

sunzi

----- Original Message ----- 
From: "Esler, Joel Contractor" <EslerJ () RCERT-S ARMY MIL>
To: <Snort-users () lists sourceforge net>
Sent: Tuesday, June 24, 2003 9:22 AM
Subject: RE: [Snort-users] WinPcap 3.0 supports remote capture


> Every once in awhile, you see a topic that pops up on the 10+ listservers
> that I am on that deserves a comment.  :)
>
> This could be an answer for many remote management theories...
>
> One snort box, or what not, with a database, ACID, and snort on it.
>
> Several basic loads, with remote capture reporting back to this snort box.
> It would require little to no user interaction.  Just a nic card.  This
has
> WAY too many possibilites.
>
> J
>
> -----Original Message-----
> From: Richard Bejtlich [mailto:richard_bejtlich () yahoo com]
> Sent: Monday, June 23, 2003 11:30 PM
> To: Snort-users () lists sourceforge net
> Subject: [Snort-users] WinPcap 3.0 supports remote capture
>
>
> Yesterday I mentioned SVtun
> (http://www.cs.tau.ac.il/~nnavi/vtun/) for capturing
> packets on one Linux device and analyzing them on a
> separate Linux device, in response to a question on
> doing the same with Windows and Linux.  It appears
> that WinPcap 3.0, released 10 Apr 03 and updated to
> 3.01 alpha on 13 Jun, supports this experimentally.
> > From the documentation
> (http://winpcap.polito.it/docs/man/html/group__remote__help.html):
>
> "This is an highly experimental feature that allows
> [you to] interact [with] a remote machine and capture
> packets that are being transmitted on the remote
> network. This requires a remote daemon (called rpcapd)
> which performs the capture and sends data back and a
> local client that sends the appropriate commands and
> receives the captured data." What is even cooler --
> "The [Remote] daemon [rpcapd] can be compiled and it
> is actually working on Linux as well."
>
> Sincerely,
>
> Richard Bejtlich
> richard at taosecurity dot com
> http://taosecurity.com
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users