Security Basics mailing list archives

Re: monitor traffic on host


From: Steven Hollingsworth <steven () aznc com>
Date: Tue, 18 Sep 2007 11:23:48 -0700

On Fri, Sep 14, 2007 at 07:40:55PM -0700, Kelly Keeton wrote:
I have an issue where I have been asked to monitor all web traffic of an
employee. I need to set up, as quickly as possible, a transparent device
that will monitor and log all web traffic in the clear, anything sent
or received over the network. Ideally it would also monitor SMTP, FTP, etc. I
need real-time reporting, so tcpdump won't work; snort also I don't think
is the correct answer. Is there any "prebuilt" Knoppix or VM appliance
that will accomplish this?

I'd suggest making a bridge [0] with a live CD distro such as BackTrack
or Knoppix-STD, use tcpdump to capture traffic going to and from the
user's IP or MAC address, and use chaosreader to assemble the packets [1].

It'll capture all non-encrypted traffic you need and put it in human-
readable form. Just have plenty of hard drive space available if you're
going to sniff for a long time.


[0] - http://gentoo-wiki.com/HOWTO_setup_a_gentoo_bridge
      you should be able to glean what you need script-wise here, or just
      search "linux bridge howto" on Google
[1] - http://chaosreader.sourceforge.net/
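The bridge-plus-tcpdump-plus-chaosreader setup described in this reply, written out as an added example (not from the original post or from either tool's own documentation). Interface names, the monitored host's MAC and IP, and the capture directory are placeholders passed as arguments; the bridge name br0 is an assumption.

```shell
#!/bin/sh
# Added example: bridge two NICs, capture only the monitored host's traffic
# with tcpdump (rotating hourly so the disk does not fill silently), then
# reassemble the clear-text sessions with chaosreader.
set -eu

# BPF filter: match by MAC (stable across DHCP lease changes) or by IP address.
build_filter() {
    mac="$1"; ip="$2"
    printf 'ether host %s or host %s' "$mac" "$ip"
}

# Capture-file name for tcpdump -G; tcpdump expands the strftime(3) fields.
capture_pattern() {
    printf '%s/cap-%%Y%%m%%d-%%H%%M.pcap' "$1"
}

# Create a transparent bridge between the two NICs. The bridge carries no IP
# address, so the hosts whose traffic crosses it see nothing new on the wire.
setup_bridge() {
    in_if="$1"; out_if="$2"
    brctl addbr br0
    brctl addif br0 "$in_if"
    brctl addif br0 "$out_if"
    ip link set "$in_if" up promisc on
    ip link set "$out_if" up promisc on
    ip link set br0 up
}

# Full frames (-s 0), no name lookups (-n), a new file every 3600 s (-G).
capture() {
    tcpdump -i br0 -n -s 0 -G 3600 -w "$(capture_pattern "$3")" \
        "$(build_filter "$1" "$2")"
}

# Turn the rotated pcaps into per-session HTML/text under an output directory.
reassemble() {
    chaosreader -D "$2" "$1"/cap-*.pcap
}

if [ "$#" -eq 5 ]; then
    # usage (as root): monitor.sh eth0 eth1 00:11:22:33:44:55 192.168.1.50 /var/captures
    setup_bridge "$1" "$2"
    mkdir -p "$5"
    capture "$3" "$4" "$5"
fi
```

Run reassemble on the capture directory once tcpdump has rotated at least one file; chaosreader reads the pcaps after the fact, so for the real-time view the question asks for, point it at the most recently closed file from a loop or cron job.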
