Friday, July 18, 2008

DIY Packet Sniffer

This isn’t going to put NetScout or Network Instruments out of business anytime soon, but if you have a network with several switches you will eventually run into a problem where you need to do a packet capture, and I’m here to show you how to build your own system for it.

The first thing to note is that this is not meant to be a line-rate packet capture system, so don’t come into this thinking you’re going to be able to capture several Gigabit Ethernet interfaces. The idea is to have a system deployed that you can access remotely to do basic packet captures without having to take a laptop out and plug it into a switch.

Next, identify the hardware you want to use. I would recommend a recent processor (2 GHz+) and plenty of memory (2 GB+), because the captured packets are stored in memory. From there, I loaded the system up with dual-port NICs (I recommend Intel NICs because they can capture packets with their VLAN tags intact). I used Intel PRO 100/S Dual Port Server NICs, with Compaq DL380 G2 servers as my hardware base. You can find a list of NICs that support 802.1Q VLAN tags, and the registry modification needed to capture the tags, here:

http://www.intel.com/support/network/sb/CS-005897.htm

As far as the OS goes, I went the cheap route and used Windows XP Pro (which is interesting to install on server hardware). This lets you use the Remote Desktop Protocol (RDP) natively to access the system. However, Windows is not a requirement, and Linux is a better option when you are trying to capture at speeds approaching line rate.

For software I chose the tried and true, free and open source Wireshark (formerly known as Ethereal). Wireshark uses the libpcap library (WinPcap on Windows) to capture packets, just like tcpdump. Where Wireshark really excels is its filtering: the ability to easily write filter strings based on any field in a packet makes it my choice even for decoding packet captures that I get from our InfiniStream sniffers.

I would also recommend installing Cisco Discovery Protocol Reporter (CDPR) on the system if you’re connecting to Cisco switches. It is helpful if you have a “roaming” port on your sniffer that you move between switches as needed, because it tells you which switch and port that interface is connected to.

Once all of the software was installed, I created a directory and shared it out as “Packet Captures”, then mapped it to my PC so that once I performed a capture I could quickly copy it over for decoding.

My only frustration with Wireshark was that we were permanently wiring interfaces into dedicated SPAN ports on our switches, and when you have four interfaces that all have the description “Intel PRO 100/S NIC” it’s hard to remember where each one is hooked up. I searched high and low for a way to rename them so I could put in a description of which switch and port each one was connected to. Finally, while I was doing the registry addition for VLAN tags, I noticed that the “DriverDesc” value held the same description that Wireshark (and, for that matter, CDPR) reported. A quick edit of that value and a reboot will change the displayed name to anything you want. You can find the key in:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Under this key you will find several numbered subkeys; you will need to figure out which interface belongs to which entry and then rename it.
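Here is an added PowerShell example (mine, not from the original post) that does that matching: it lists each numbered subkey’s DriverDesc next to the MAC and IP of the adapter it belongs to, joining the registry entry to the live adapter through its NetCfgInstanceId value, and takes a backup of the key before you change anything. It assumes an elevated Windows PowerShell session on the sniffer box and uses CurrentControlSet, which points at whichever control set (ControlSet001 in the post) is currently active.

```powershell
# Added example: map each network-class registry subkey to its adapter before
# renaming DriverDesc. Assumption: run in an elevated Windows PowerShell session.
$classPath = 'SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$classKey  = "HKLM:\$classPath"

# Back up the class key first so a typo in DriverDesc is easy to undo.
$backup = Join-Path $env:TEMP 'netclass-backup.reg'
if (Test-Path $backup) { Remove-Item $backup }
reg export "HKLM\$classPath" $backup | Out-Null

# Live adapter settings keyed by instance GUID; SettingID equals the
# NetCfgInstanceId value stored under each registry subkey.
$live = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object { $live[$_.SettingID] = $_ }

$rows = Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not $p.NetCfgInstanceId) { return }   # 'Properties' and filter entries have none
    $cfg = $live[$p.NetCfgInstanceId]
    $mac = '(no config)'; $ip = ''
    if ($cfg) { $mac = $cfg.MACAddress; $ip = ($cfg.IPAddress -join ',') }
    New-Object PSObject -Property @{
        SubKey     = $_.PSChildName        # e.g. 0007
        DriverDesc = $p.DriverDesc         # the name Wireshark and CDPR display
        MAC        = $mac
        IP         = $ip
    }
}
$rows | Select-Object SubKey, DriverDesc, MAC, IP | Format-Table -AutoSize

# Once a subkey is matched to a physical port, rename it and reboot.
# 0007 and the description below are placeholders; substitute your own.
# Set-ItemProperty -Path "$classKey\0007" -Name DriverDesc -Value 'SW1 Gi1/0/24 SPAN'
```

Match the MAC column against the port’s MAC table entry on the switch (or the CDPR output for a roaming port) to confirm which subkey belongs to which SPAN feed before uncommenting the rename.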

That's it for this post, I hope somebody finds this helpful.
