Capturing Network Traffic

Introduction

Capturing traffic is one of the most basic configuration skills needed for a successful IDS deployment. It is also one of the most misunderstood parts of deploying an IDS sensor. The axiom "if the switch port can't see the traffic, then neither can the IDS sensor" must be followed. A successful IDS sensor deployment requires that the sensor see all the traffic of interest wherever it has been placed on the network. Adding to the fun of capturing traffic are virtual LANs (VLANs). And to kick the anxiety level up a notch, there are VPNs, SSL, and IP version 6. All of this must be accounted for when rolling out IDS sensors.

In the old days of networks, there were hubs, or what were called "transparent bridges." These were very simple devices, and it was easy to sniff or capture traffic because the traffic went everywhere. With the advent of switching, however, life became more difficult. A switch is nothing more than single-port transparent bridges tied together in a common chassis, so the collision domain has been broken up but not the broadcast domain. This is why on a switched network you can capture broadcast traffic till the cows come home but not much else. We will show you in this chapter how to get around this troublesome improvement in network design.

There are also VLANs, which thankfully many IDS sensors can work with, but the same is not true of encryption. It is almost impossible to use an IDS sensor on encrypted traffic, and encryption comes in a lot of flavors nowadays: SSL, VPNs, IPSec, SSH, and many others. To capture traffic effectively, we must be aware of these limitations and how to work around them. One of the newest kinks in the world of IDS sensors capturing traffic is the deployment of IP version 6. While it is still not a mainstream issue, it will be in the coming years, and we need to be aware of it now.

Note

To verify that the monitoring interface actually sees traffic, use the Solaris snoop command:

snoop -d [name of interface]

For a 4230 IDS sensor, the Ethernet interface name is spwrX, as shown in the following example:

snoop -d spwr0 ; where spwr0 is the monitor interface, and
snoop -d spwr1 ; where spwr1 is the control interface

For Token Ring, the interface name is mtok36, and for FDDI, the interface name is ptpci.

For a 4210 IDS appliance sensor, the Ethernet interface name is different, as shown next:

snoop -d iprb0 ; where iprb0 is the monitor interface, and
snoop -d iprb1 ; where iprb1 is the control interface

Use Ctrl-C to break out of snoop.
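Seeing packets in snoop is not by itself proof that the monitoring port is set up correctly: on a switched network, a port with no mirroring still shows broadcast frames and frames addressed to the sensor itself. The following added example (not from the book or from Cisco) sorts snoop summary lines into those three classes and reports whether any unicast traffic between two other hosts was seen, which is the traffic only a mirrored port delivers. The sample lines are constructed to approximate snoop's default summary layout, and the sensor's own address is assumed.

```python
import re

# Constructed sample lines approximating snoop's default summary output
# (the exact field layout is an assumption; real output varies by version).
SAMPLE_SNOOP = """\
  1   0.00000 10.1.1.5 -> (broadcast)  ARP C Who is 10.1.1.1, 10.1.1.1 ?
  2   0.00104 10.1.1.1 -> 10.1.1.5     ARP R 10.1.1.1, 10.1.1.1 is 0:1:2:3:4:5
  3   0.00211 10.1.1.20 -> 10.1.1.30   TCP D=80 S=1025 Syn Seq=1 Len=0 Win=8192
  4   0.00350 10.1.1.30 -> 10.1.1.20   TCP D=1025 S=80 Syn Ack=2 Seq=9 Len=0 Win=8192
  5   0.00400 10.1.1.40 -> 255.255.255.255 UDP D=67 S=68 LEN=300
"""

# frame number, timestamp, source, "->", destination, protocol
LINE_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(\S+)")


def is_broadcast(dst):
    """Destinations a switch floods to every port (assumed snoop spellings)."""
    return dst in ("(broadcast)", "*", "255.255.255.255") or dst.startswith("(multicast")


def classify(snoop_text, sensor_addrs):
    """Count frames by whether a plain switch port would have delivered them.

    sensor_addrs: set of the sensor's own IP addresses (assumed known).
    """
    counts = {"broadcast": 0, "to_or_from_sensor": 0, "third_party_unicast": 0}
    for line in snoop_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers or wrapped continuation lines
        src, dst, _proto = m.groups()
        if is_broadcast(dst):
            counts["broadcast"] += 1
        elif src in sensor_addrs or dst in sensor_addrs:
            counts["to_or_from_sensor"] += 1
        else:
            counts["third_party_unicast"] += 1
    return counts


def span_port_looks_configured(snoop_text, sensor_addrs):
    """Unicast frames between two other hosts only reach a mirrored port."""
    return classify(snoop_text, sensor_addrs)["third_party_unicast"] > 0


if __name__ == "__main__":
    print(classify(SAMPLE_SNOOP, {"10.1.1.5"}))
    print("mirror port OK:", span_port_looks_configured(SAMPLE_SNOOP, {"10.1.1.5"}))
```

A capture from a real sensor would be fed in with something like `snoop -d spwr0 > capture.txt` for a minute and then passed to `classify`; a result with only broadcast and sensor-addressed frames means the switch port is not mirroring.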