This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark auditing

0

Hi,

I have a dedicated Linux server for running Wireshark in order to do network analysis when needed. It has very restrictive access, but anyway we would like to achieve some sort of logging of what and when users are capturing using Wireshark on this machine. Since Wireshark and its utilities are not providing any logging capabilities, I wonder how we can achieve logging.

I was thinking about writing a wrapper around /usr/bin/dumpcap in order to generate syslog messages and spawn the real dumpcap binary. I think that would be a stupid but simple solution, so I'm looking for something more elegant.

It would be best if Wireshark provided logging functionality, so I appeal to the Wireshark developers to think about it while I'm looking for alternatives.

Thank you in advance for tips and hints. klodovic

asked 10 Jun '13, 04:24


klodovic


2 Answers:

1

I was thinking about writing a wrapper around /usr/bin/dumpcap

Any wrapper solution can be bypassed by the users, by calling the binary itself, instead of the wrapper script.

I suggest to use the Linux auditing system: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html

I have a dedicated Linux server for running Wireshark in order to do network analysis when needed. It has very restrictive access

As you mentioned, Wireshark is a network analysis/troubleshooting tool. Why would you want to restrict or log the use of Wireshark?

Regards
Kurt

answered 10 Jun '13, 08:02


Kurt Knochner ♦

edited 11 Jun '13, 03:07

Network monitoring sessions are a privacy concern for many users who are being monitored. So the process of monitoring has to be approved and supervised by a person who is not the network analyst, and the session must be covered by audit logs in order to satisfy users' privacy concerns and to let network analysts know that they have been supervised.

(10 Jun '13, 09:15) klodovic

Thank you, auditd is the right thing!

(10 Jun '13, 10:39) klodovic

Network monitoring sessions are a privacy concern for many users who are being monitored

Be careful not to make a 'logical error' by believing that restricted or logged access to Wireshark will solve your security issues! In fact, that kind of logging/restriction will not stop a user from sniffing the network with a private laptop, unless you have appropriate security solutions in place in your network that prevent it (as far as possible).

(10 Jun '13, 11:30) Kurt Knochner ♦

I'm aware of that. Thank you anyway for pointing it out!

(10 Jun '13, 11:45) klodovic

I think the key there is that it's a dedicated server. Most likely it's the only system in the line of path to receive the sensitive data in question, so it becomes a matter of securing access to capturing data on that server, not sniffing the network on a laptop. Of course, plugging a laptop into the server's network cables physically is going to be possible, but physical security is always a hard thing to account for.

(11 Jun '13, 20:44) Quadratic
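The Linux audit approach suggested in the answer above, sketched as an added example (not code from this thread or from the Wireshark project): it joins `SYSCALL` and `EXECVE` audit records to report who ran dumpcap, when, and with which arguments, including hex-encoded arguments such as a capture filter containing spaces. The watch rule, the key name `dumpcap_exec`, the path `/usr/bin/dumpcap` and the abridged sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed audit rule (path and key name "dumpcap_exec" are assumptions):
#   auditctl -w /usr/bin/dumpcap -p x -k dumpcap_exec
KEY = "dumpcap_exec"

# Constructed, abridged records in audit.log layout (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1370860000.123:401): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1001 uid=1001 euid=1001 tty=pts0 ses=3 comm="dumpcap" exe="/usr/bin/dumpcap" key="dumpcap_exec"
type=EXECVE msg=audit(1370860000.123:401): argc=7 a0="dumpcap" a1="-i" a2="eth0" a3="-f" a4=74637020706F7274203830 a5="-w" a6="/tmp/web.pcap"
type=SYSCALL msg=audit(1370860100.500:402): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2200 auid=1002 uid=0 euid=0 tty=(none) ses=4 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1370860100.500:402): argc=1 a0="ls"
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; unquoted argv values are hex-encoded by auditd."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def dumpcap_runs(log_text, key=KEY):
    """Join SYSCALL and EXECVE records by event serial; keep events tagged with key."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events.setdefault(serial, {"time": int(epoch)})
        if rtype == "SYSCALL":  # auid is the login uid, stable across su/sudo
            ev.update(auid=fields.get("auid"), uid=fields.get("uid"),
                      tagged=fields.get("key") == f'"{key}"')
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [decode(fields.get(f"a{i}", "")) for i in range(argc)]
    return [{"when": datetime.fromtimestamp(e["time"], timezone.utc).isoformat(),
             "auid": e["auid"], "uid": e["uid"], "argv": e.get("argv", [])}
            for e in events.values() if e.get("tagged")]

if __name__ == "__main__":
    for run in dumpcap_runs(SAMPLE_LOG):
        print(run)
```

Because the rule watches the binary itself, the record is produced whether dumpcap is started by Wireshark, by a wrapper, or directly.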

0

One solution is that you could limit dumpcap to only be executable by root and a system account, write your wrapper with your log file push, and set the wrapper with a sticky bit to run as that special system user when calling dumpcap. That way the binary is locked down for direct access and you force the wrapper on people.

I think the key for those other security concerns in the comments is that it's a dedicated server. Most likely it's the only system in the line of path to receive the sensitive data in question, so it becomes a matter of securing access to capturing data on that server, not sniffing the network on a laptop. If that's the case, especially since you already have an approval process, you might even consider disabling the feeds into the server that have the sensitive data and enabling them (taps, span ports, whatever) as part of the approval process for performing the capture.

answered 11 Jun '13, 20:55


Quadratic