Track Drew
Looking to run something as a backup to the commercial full packet capture solution we use.
I've used Niksun NetDetector, Solera DeepSee, and RSA NetWitness / Security Analytics. All have their pros and cons. They also aren't cheap and are far from perfect.
Goal is to capture all packets from our internet taps. We do some filtering on our commercial appliance to try to maximize space and do have redundancy already - so not really a secondary system, more of a tertiary.
Most simple is literally tcpdump running with a rotating output file attached to several TBs of storage. Have a cron job that then deletes the older pcaps as storage fills up. Can use tcpslice/mergecap/tcpdump to then filter these as needed.
More complicated would be something like Moloch. Although OpenFPC looks like a bit of a lighter weight alternative.
I'm also personally interested as I've been itching to get something with this capability at home.
Anyone have any experience doing this? Any advice?
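As an added example (not from the post), here is a POSIX shell sketch of the "tcpdump with rotating output plus a cleanup job" setup described above: tcpdump writes a new timestamped file every hour, and a pruning function deletes the oldest pcaps until the capture set fits a byte budget, always keeping the newest file. The interface, capture directory and budget are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Interface, directory
# and budget values below are assumptions; adjust for the real tap box.

CAP_DIR="${CAP_DIR:-/data/pcap}"          # assumed capture volume
IFACE="${IFACE:-eth1}"                    # assumed tap interface
MAX_BYTES="${MAX_BYTES:-$((5 * 1024 * 1024 * 1024 * 1024))}"  # 5 TiB budget

# Run tcpdump with time-based rotation: -G 3600 starts a new file every
# hour, the strftime pattern in -w gives chronologically sortable names,
# -s 0 keeps full frames, -n avoids DNS lookups, -Z drops privileges
# after the interface is opened (CAP_DIR must be writable by that user).
# Any extra arguments are passed through as a BPF filter.
start_capture() {
    tcpdump -i "$IFACE" -s 0 -n -Z nobody -G 3600 \
        -w "$CAP_DIR/cap_%Y%m%d_%H%M%S.pcap" "$@"
}

# Total size in bytes of all rotated pcaps in a directory.
pcap_bytes() {
    total=0
    for f in "$1"/cap_*.pcap; do
        [ -f "$f" ] || continue
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# Oldest / newest pcap by name; timestamped names sort chronologically.
oldest_pcap() { ls "$1"/cap_*.pcap 2>/dev/null | sort | head -n 1; }
newest_pcap() { ls "$1"/cap_*.pcap 2>/dev/null | sort | tail -n 1; }

# Delete oldest pcaps one at a time until the set fits the byte budget.
# The newest file is never removed, since tcpdump may still be writing it.
prune_pcaps() {
    dir="$1"; budget="$2"
    while [ "$(pcap_bytes "$dir")" -gt "$budget" ]; do
        victim=$(oldest_pcap "$dir")
        [ "$victim" != "$(newest_pcap "$dir")" ] || break
        rm -f -- "$victim"
    done
}

# Intended cron entry (assumed): run the sweep every few minutes, e.g.
#   */5 * * * * CAP_DIR=/data/pcap /usr/local/bin/pcap_prune.sh
# where the script ends with:  prune_pcaps "$CAP_DIR" "$MAX_BYTES"
```

Run `start_capture` once at boot (as root, since it needs the interface) and let cron call `prune_pcaps` on its own schedule; `tcpslice`/`mergecap` can then carve out the window you need from the surviving files.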