How to setup a passive Point-to-Point Link for capture - Networking



Thread: How to setup a passive Point-to-Point Link for capture

  1. How to setup a passive Point-to-Point Link for capture

    Hi NG,

    for a custom application I am supposed to set up a passive capturing
    tool for traffic analysis purposes, using a tool similar to tcpdump
    (actually tcpdump is also used for troubleshooting). My network
    engineer has set up a tap (or span) port from the switch, so the
    traffic to be captured is sent to a dedicated NIC.

    The network engineer told me that from a network perspective this is
    to be seen as a Layer 2 Point-to-Point link (which is not the same as
    PPP). Since I am very unfamiliar with this setup - I have never done
    something similar before - and all the search results I have seen so
    far are either about PPP or Point-to-Point links, I want to know what
    this looks like from a Linux perspective.

    Especially:
    * Do I need an IP address for that NIC? - Since there is actually no
    traffic for my capturing host going in through that NIC, I don't think
    so, but then all the examples I have seen tell something different.
    Traffic is unidirectional.
    * Is there anything else special I need to obey? - My capturing host
    must not respond to any traffic going in that NIC.

    I am using RHEL 4 Upgrade 4 (AFAIK for the upgrade level).

    Thanks for any hints and best regards,
    Franz


  2. Re: How to setup a passive Point-to-Point Link for capture

    On Feb 6, 6:01 pm, fprilme...@amadeus.com wrote:
    > Hi NG,
    >
    > for a custom application I am supposed to set up a passive capturing
    > tool for traffic analysis purposes, using a tool similar to tcpdump
    > (actually tcpdump is also used for troubleshooting). My network
    > engineer has set up a tap (or span) port from the switch, so the
    > traffic to be captured is sent to a dedicated NIC.
    >
    > The network engineer told me that from a network perspective this is
    > to be seen as a Layer 2 Point-to-Point link (which is not the same as
    > PPP). Since I am very unfamiliar with this setup - I have never done
    > something similar before - and all the search results I have seen so
    > far are either about PPP or Point-to-Point links, I want to know what
    > this looks like from a Linux perspective.
    >
    > Especially:
    > * Do I need an IP address for that NIC? - Since there is actually no
    > traffic for my capturing host going in through that NIC, I don't think
    > so, but then all the examples I have seen tell something different.
    > Traffic is unidirectional.
    > * Is there anything else special I need to obey? - My capturing host
    > must not respond to any traffic going in that NIC.


    Make sure your interface is set to promisc:

    ifconfig eth0 promisc

    This allows tcpdump to capture ALL packets regardless of subnet.

    Other than that turn off all unnecessary daemons/services on your
    capture host if you don't want it to respond to anything. You may even
    want to turn off ping response:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    If you're really paranoid, install a firewall and block all outgoing
    traffic.
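
A scripted version of the listen-only setup the reply describes, plus a check that the NIC really ended up promiscuous, with ARP off and with no address. This is an added example, not code from the thread; it assumes iproute2 and sysctl on a modern Linux kernel (the ifconfig/echo forms above are the RHEL 4 equivalents), and the interface name is whatever is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): bring a dedicated capture NIC into a
# listen-only state and audit it. Assumes iproute2/sysctl on a modern Linux
# kernel; on RHEL 4 the ifconfig/echo forms from the reply are the equivalents.

# Print the commands that make $1 passive: drop any address so nothing is
# routed to it, stop ARP so the host never answers "who-has", enable promisc
# so tcpdump sees frames for any MAC, silence ICMP echo host-wide, and disable
# IPv6 on the NIC so it sends no router solicitations or neighbour replies.
capture_setup_cmds() {
    iface="$1"
    cat <<EOF
ip addr flush dev $iface
ip link set dev $iface arp off promisc on up
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv6.conf.$iface.disable_ipv6=1
EOF
}

# Audit: $1 is the output of "ip -o link show dev IFACE", $2 the output of
# "ip -o addr show dev IFACE". Returns 0 if the NIC is PROMISC, NOARP and has
# no inet/inet6 address; otherwise reports the first problem and returns 1.
audit_capture_iface() {
    link="$1"; addr="$2"
    case "$link" in *PROMISC*) ;; *) echo "not promiscuous" >&2; return 1 ;; esac
    case "$link" in *NOARP*)   ;; *) echo "ARP still enabled" >&2; return 1 ;; esac
    case "$addr" in *inet*) echo "interface still has an IP address" >&2; return 1 ;; esac
    return 0
}

# Usage: sh capture_nic.sh eth1 | sudo sh   (prints the commands; pipe to apply)
if [ $# -ge 1 ]; then capture_setup_cmds "$1"; fi
```

After applying the commands, run `audit_capture_iface "$(ip -o link show dev eth1)" "$(ip -o addr show dev eth1)"` to confirm the NIC is in the state the reply asks for before starting tcpdump.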

