This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

recording traffic at the gateway

Hi, somebody is constantly hacking my firewall. Which way is there to record traffic at the gateway (which is a modem-router in my case)?

Do I need a hub with a second PC on which Wireshark is recording? Is there any tutorial on how to do this?

a total beginner

asked 09 Dec '10, 07:59

C8H10N4O2

edited 29 Feb '12, 19:01

cmaynard

6 Answers:

Is the device that you are calling the firewall and "modem-router" the same device? And by modem-router, is that terminating a DSL or cable modem connection? If so, you are going to have difficulty capturing in front of it. If this is all one device, it could conceivably log the information to a syslog server on the private side. This does not give you the detail that you could see if you could capture packets on the public side. The reason that your ability to capture in front of it is limited (again, assuming this is a single device) is that you would need hardware capability to sniff the connection. It's not likely that you have this hardware.

If you have a cable or DSL connection terminating in what you are calling a modem-router and your firewall is behind it, then you could capture traffic between the two. This would involve the standard methods:

1) A hub with the modem-router, firewall and capture PC.

2) A switch with SPAN (or monitor) capability and the above devices connected.

3) Network TAPs.

Please post back where you need clarification to this.

answered 09 Dec '10, 17:56

Paul Stewart

Dear Paul,

Thank you for your feedback! The device is a modem and can be used as a router too. I guess I will run it only as a modem. I have a Zyxel router/firewall too. Do I need a hub or a switch? (I have all the stuff stored in the company, so no problem at all.) What would be the best configuration?

thanks

mike

answered 10 Dec '10, 04:22

C8H10N4O2

Dear Paul,

Thanks for your feedback! The device is a modem and can be used as a router too. I guess I will run it only as a modem. I have a Zyxel router/firewall too which I can put right after the modem. Do I need a hub or a switch (monitored port)? (I have all the stuff stored in the company, so no problem at all.) What would be the best configuration?

thanks

mike

answered 10 Dec '10, 04:23

C8H10N4O2

If you run it as a modem only, it should basically be a bridge from your flavor of broadband to Ethernet. So you can then capture traffic between the modem and your firewall. To do so, a 'dumb' hub connected to a capture station would suffice. The side effect of this is that the communication will drop to half duplex. I have seen cases where a hub isn't necessarily just a hub. So just be forewarned that the oldest, simplest, single-speed hub you can find is the one that will always work.

A switch has the added advantage of allowing full duplex communication to continue. However, it requires configuration and not all switches are capable of this span or monitor mode.

answered 10 Dec '10, 04:40

Paul Stewart

Dear Paul,

Can you give me a hint as to how the recording system should be configured with regard to safety aspects? I would like to use this setup for forensics / proof of evidence.

Is there any way to ensure that the recording system won't be corrupted? Should I use Linux? Windows without web access / EFS filesystem for the recording device?

Can the traffic which is recorded be secured by a hash code in any way so you really get proof?

best regards

max

answered 28 Dec '10, 04:24

C8H10N4O2

A capture that will withstand forensic scrutiny brings up several concerns. For example:

1) was every related packet captured

2) were any packets corrupted during the capture process

3) were the capture file(s) modified post capture

I'm not sure I can answer them all. Each frame has a hash, but that would only help authenticate a capture file if that hash could be written to another secure location during the capture process. Missing frames are always possible due to various issues. For example, if the switch span port was changed or if capacity was exceeded.

I think, as you suggested, post-capture storage security is about the best we can do. So it would be nice to md5 each file as soon as writing is complete. It would also be good to audit the file system and record the md5 hash externally (to another destination). Beyond that, general security best practices. Since this does not fully address your concerns, I'll be watching for others' comments as well.

answered 29 Dec '10, 05:34

Paul Stewart
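The post-capture hashing the answer above describes, as an added example that is not from the thread: each capture file is hashed once the capture tool has closed it, the digest is appended to a ledger that in practice lives on another host or write-once medium (simulated here with a temp file), and the file is later re-hashed against that ledger. The paths are placeholders and the choice of sha256 is an assumption; the answer says md5, which is no longer collision-resistant.

```shell
#!/bin/sh
# Added example: hash a finished capture file and append the digest to an
# external ledger, then verify the file against that ledger later.
# Assumptions: CAPTURE_DIR and LEDGER are placeholders (temp files here);
# in a real setup LEDGER points at another host or a write-once medium.
# The thread suggests md5; sha256 is used because md5 collisions are cheap.
set -eu

CAPTURE_DIR="${CAPTURE_DIR:-$(mktemp -d)}"
LEDGER="${LEDGER:-$(mktemp)}"

# Record the digest of a capture file that the capture tool has closed.
# Run this from the tool's file-rotation hook, never on a file still open.
record_capture() {
    f="$1"
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sum" "$f" >> "$LEDGER"
    echo "$sum"
}

# Re-hash the file and compare with its latest ledger entry.
# Returns 0 on match, 1 if the entry is missing or the digest differs.
verify_capture() {
    f="$1"
    expected=$(grep -F "  $f" "$LEDGER" | tail -n 1 | awk '{print $2}')
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK $f"
        return 0
    fi
    echo "TAMPERED $f"
    return 1
}

# Constructed sample standing in for a rotated capture file (no real pcap).
SAMPLE="$CAPTURE_DIR/capture_00001.pcapng"
printf 'constructed sample capture bytes\n' > "$SAMPLE"
record_capture "$SAMPLE"
```

Because the ledger is written at rotation time and kept elsewhere, a later change to the capture file shows up as a digest mismatch even if the capture host itself is compromised afterwards.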