So I'm trying to monitor a network full of servers for a competition we hold once a month at school. It's a simple "attack the server" competition, where the users attack the servers, some purposefully insecure while others aren't, and see who can pwn the most boxes. Not a real competition, but to just show off any "l33t hax0rz" skills they may have. Yay network security!
We didn't get a very good log of the last competition at all though, just a big tcpdump file (plain text English, not binary) of all the traffic. We were trying to read it off a projected screen to see if there were any users attacking anything other than the servers.
The network is mostly BackTrack (CDs handed out beforehand) but there are some Windows users, and other Linux distros. The whole network is run off a few Cisco switches (and 1 router), all fully managed. The tcpdump log was created by hooking the server into a monitoring port. (Replicating all traffic through the port, but without being able to communicate over it.)
What tools/services could I set up on an Arch box to monitor the network? Mostly I just want to watch the network, not to attack clients (to avoid causing an issue due to a false positive).
ntop.
I would set up a box with 2 NICs between the server(s) and the switch, bridge the 2 NICs together so the connection is transparent, then use tcpdump and wireshark to analyze. Wireshark's "Follow TCP Stream" option is great for filtering out a specific connection and seeing the connection rather than the individual packets.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Can wireshark be used in a non-graphical manner? (Potentially headless box) Or would I use tcpdump's binary logging feature, and only analyze the traffic afterwards?
Ideally, we would like some human-readable form in real time so we can see if a user is being evil and personally stop them.
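One way to get the "human-readable form in real time" asked for above is to pipe tcpdump's text output through a small filter that only reports clients talking to hosts that are not competition targets. The script below is an added example written for this thread, not something posted by anyone in it: it assumes tcpdump is run with `-n -l` (numeric addresses, line-buffered) on the monitor-port interface, and the server and gateway addresses are constructed placeholders to replace with the real ones.

```python
"""Flag competition clients that send traffic to anything other than the
designated target servers, reading tcpdump's text output line by line.

Usage on the monitoring box (interface name is an assumption):
    tcpdump -n -l -i eth1 | python3 watch_targets.py
Run with no piped input and it scans the constructed sample lines below.
"""
import re
import sys
from collections import defaultdict

# Constructed addresses for illustration; replace with the real target servers.
TARGET_SERVERS = {"10.0.0.20", "10.0.0.21", "10.0.0.22"}
# Infrastructure clients may legitimately reach (gateway/DNS); also constructed.
ALLOWED_INFRA = {"10.0.0.1"}

# Matches the start of an IPv4 line from `tcpdump -n`, e.g.
# "12:00:01.000001 IP 10.0.0.50.43210 > 10.0.0.20.22: Flags [S], ..."
# The last dotted component of each endpoint is the port (or service name).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+):"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport) for an IPv4 tcpdump line, else None.

    ARP, IPv6 and other non-IPv4 lines are ignored by returning None.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("src"), m.group("sport"),
            m.group("dst"), m.group("dport"))


def is_suspicious(src, dst):
    """A client sending to anything but a target server or allowed infra.

    Traffic originating from the servers/infra themselves (replies) is not
    flagged, so only client-initiated off-target traffic produces alerts.
    """
    if src in TARGET_SERVERS or src in ALLOWED_INFRA:
        return False
    return dst not in TARGET_SERVERS and dst not in ALLOWED_INFRA


def watch(lines, out=sys.stdout):
    """Stream tcpdump lines, alert once per (client, off-target host) pair.

    Returns {client_ip: {off-target destination IPs}} for later review.
    """
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _sport, dst, dport = parsed
        if is_suspicious(src, dst) and dst not in hits[src]:
            hits[src].add(dst)
            print(f"{ts} ALERT {src} -> {dst}:{dport} is not a target server",
                  file=out)
    return dict(hits)


# Constructed sample of `tcpdump -n` output: one client probing a target
# server and doing a DNS lookup (fine), another client probing a fellow
# client's SMB ports (not fine), plus an ARP line that must be skipped.
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.0.0.50.43210 > 10.0.0.20.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 10.0.0.20.22 > 10.0.0.50.43210: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:02.000001 IP 10.0.0.50.43211 > 10.0.0.1.53: 12345+ A? example.test. (30)",
    "12:00:03.000001 IP 10.0.0.51.50000 > 10.0.0.52.445: Flags [S], seq 1, win 64240, length 0",
    "12:00:04.000001 ARP, Request who-has 10.0.0.20 tell 10.0.0.50, length 28",
    "12:00:05.000001 IP 10.0.0.51.50001 > 10.0.0.52.139: Flags [S], seq 1, win 64240, length 0",
]


if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    watch(source)
```

Because the filter only keys on source and destination addresses, it stays readable on a projector even under a port scan: each client/host pair is reported once, and the returned dictionary gives a per-client summary to go through after the round. Service names printed when `-n` is omitted (such as `ssh` or `netbios-ssn`) are accepted as ports, but IPv6 lines are deliberately skipped.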
Perhaps snort would be something for this: http://snort.org
RTFM or GTFO
hax0r.se
Can wireshark be used in a non-graphical manner? (Potentially headless box) Or would I use tcpdump's binary logging feature, and only analyze the traffic afterwards?
Ideally, we would like some human-readable form in real time so we can see if a user is being evil and personally stop them.
I haven't used it; however, wireshark comes with a console-only version, wireshark-cli in extra. It can save a dump for later analysis with the GUI version.
Can wireshark be used in a non-graphical manner?
Wireshark is split out into wireshark-gtk and wireshark-cli packages in the Arch repos - so my guess would be yes...
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Can wireshark be used in a non-graphical manner?
Yes... The command is `tshark` and takes the same options as tcpdump IIRC
There's also nstreams