changeip
Forum Guru
Topic Author
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Packet Sniffer - Alternate Drive

Thu Feb 03, 2005 11:03 pm

I would love to be able to specify an alternate / secondary hard drive for packet captures. This keeps me from having to use TZSP which is a PIA. If this can't be added to 2.8.x maybe a thought for 2.9? I'd love to dedicate a disk (besides my flash drive) for running long packet captures when trying to track down botnets, etc.

Sam
 
tully
MikroTik Support
Posts: 502
Joined: Fri May 28, 2004 11:07 am

Fri Feb 04, 2005 1:13 pm

In the current version and v2.9, you can stream this to a server.

John
 
changeip
Forum Guru
Topic Author
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Feb 04, 2005 6:11 pm

This is what I have been doing, but TZSP encapsulates the packet and then it's not the exact same as if you captured it locally, correct? It's hard to do analysis on something when you have to deal with the TZSP layer on top of everything.

We just went through a 250mbps DDoS attack yesterday. Having the TZSP logging pretty much makes it impossible to run the pcap through any analysis tools because barely anything understands TZSP. In my next router build I will use a hard disk, but it would be nice for my other machines.

Thanks for the thought,
Sam
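
Added example, not part of the thread and not MikroTik code: one way to remove the TZSP layer described above so the inner frames can be written to an ordinary pcap file for analysis tools. It assumes the common TZSP layout (1-byte version, 1-byte type, 2-byte encapsulated protocol, then tagged fields closed by an END tag) and Ethernet inner frames; the function names and the sample bytes are constructed for illustration.

```python
import struct

TZSP_PORT = 37008            # default UDP port TZSP streams are sent to
TAG_PADDING, TAG_END = 0, 1  # the only two tags that carry no length byte
PROTO_ETHERNET = 1           # encapsulated-protocol value for Ethernet

def strip_tzsp(payload: bytes) -> tuple[int, bytes]:
    """Return (encapsulated_protocol, inner_frame) from one TZSP UDP payload."""
    if len(payload) < 4:
        raise ValueError("shorter than the 4-byte TZSP header")
    version, _msg_type, proto = struct.unpack("!BBH", payload[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    pos = 4
    while True:
        if pos >= len(payload):
            raise ValueError("tag list runs past end of payload (no END tag)")
        tag = payload[pos]
        pos += 1
        if tag == TAG_END:
            return proto, payload[pos:]   # everything after END is the frame
        if tag == TAG_PADDING:
            continue
        if pos >= len(payload):
            raise ValueError("truncated tag length")
        pos += 1 + payload[pos]           # skip the length byte and tag data

def to_pcap(frames, linktype: int = 1) -> bytes:
    """Build a classic pcap file from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample: a 60-byte Ethernet frame (broadcast ARP ethertype, zero body)
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0200000000010806") + b"\x00" * 46
# Constructed TZSP payload: header, one padding tag, one 1-byte tagged field, END
SAMPLE_TZSP = bytes([1, 0, 0, 1, 0, 10, 1, 0xC5, 1]) + SAMPLE_FRAME

if __name__ == "__main__":
    proto, frame = strip_tzsp(SAMPLE_TZSP)
    with open("decapsulated.pcap", "wb") as fh:
        fh.write(to_pcap([(0, 0, frame)]))
    print(f"proto={proto} frame_len={len(frame)}")
```

In a live receiver, each UDP datagram read from a socket bound to `TZSP_PORT` would be passed through `strip_tzsp` and timestamped at arrival, since the classic pcap record header needs a capture time.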
 
tully
MikroTik Support
Posts: 502
Joined: Fri May 28, 2004 11:07 am

Mon Feb 07, 2005 11:30 am

We will think about this, but I don't know that we have enough support already to make it simple to add.

John
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Feb 07, 2005 11:40 am

How does the streaming server work? What client/daemon do you have to have on the server to capture this stream?
 
changeip
Forum Guru
Topic Author
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Feb 07, 2005 6:33 pm

> We will think about this, but I don't know that we have enough support already to make it simple to add.
>
> John

John,

Thank you :) I'm building the new firewall today and plan on just using a hard disk for now - but thanks for keeping this in mind.

Sam