[clue-tech] Wireshark on Centos 5

[Jim Ockers]

Clayton Fast wrote:
> I need to analyze network traffic from a specific public IP address to 
> a production Centos 5 system but I'm concerned about running wireshark 
> on that system.  I've tried running it on a seperate PC on the network 
> but it only reports its own traffic. 
>  
> I'm looking to see if any of you have had any major problems running 
> wireshark on Centos 5.
Wireshark has worked OK for me on CentOS.  What kind of issues would you 
be concerned about?  Capturing packets on the affected system directly 
is the best approach.  You could use tcpdump to capture the packets and 
then copy the dump file to another system for analysis.  That is fairly 
low risk for a production system and might even be the best approach.

You could get wireshark on your separate PC to show all of the packets 
if you connect it to the same ethernet HUB (not switch) as your CentOS 5 
system.  Beware that putting a hub inline could significantly slow down 
traffic to/from your production CentOS 5 system.

Since hubs are not readily available these days anyway, you could 
configure a managed switch to have a "monitor port" in which a copy of 
all packets transmitted by the switch on any port is also transmitted on 
the monitor port.  That way you can connect your wireshark PC to report 
all traffic on the switch.

There are some other clever hacks you could try but those are the ones 
most likely to work.

Hope this helps,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.ca/pason.html


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cluedenver.org/pipermail/clue-tech/attachments/20100902/a6c847cf/attachment.html