  1. #1 - Newbie (Join Date: Apr 2017, Posts: 5)

    Want to sniff all traffic - Interface configuration

    I realize this is a very niche situation, but I'm looking to install RockNSM as a VM within my network. What I'd like to be able to do is set one of the interfaces on Untangle to mirror all traffic that goes through it. I'd then plug that interface in directly to the RockNSM host, in order to sniff, pcap, and log all traffic that passes through Untangle.

    I have 3 interfaces currently configured: External (WAN), Internal (LAN, for non-lab devices), and Lab (many physical and virtual hosts, only active when being used). Both the Internal and Lab networks live on separate switches, so I'd have to set span ports on both switches if I wanted to sniff them, and I don't have enough NICs. Even then, I wouldn't be able to sniff what is coming in on the External interface that Untangle is blocking, and even though I know it's ridiculous, I want to have visualization on that.

    Does anyone know how I can set an interface within Untangle to act as a mirror or span port for multiple networks?

  2. #2 - dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 16,668)

    No - you'll need to use a switch with a span port.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 - Newbie (Join Date: Apr 2017, Posts: 5)

    Okay...so let's say I buy a 4-port NIC for my host. One port for internal, one port for lab...how do I get a mirror for External? Currently, the modem directly connects into the WAN/External interface. What is my solution to this, as far as Untangle is concerned?

  4. #4 - dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 16,668)

    Plug it in between external and the modem.
    I've never seen a 4-port switch with a span port though.

  5. #5 - Newbie (Join Date: Apr 2017, Posts: 5)

    Yeah, that's the concern I'm having. So as far as you know, Untangle has no features that allow mirroring or port spanning of traffic to an external IDS/IPS, or even a simple pcap?

  6. #6 - dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 16,668)

    You can take a pcap in network troubleshooting.

    Also it's just Linux - you can do whatever you want technically.
    I will advise you that port mirroring and bridging are not even close to being the same thing, regardless of what you read.

  7. #7 - Newbie (Join Date: Apr 2017, Posts: 5)

    Yeah...that's not a real pcap, at least not without user interaction to push the "export" button. It shows source and destination, and size of the packet. A true pcap contains the content of each packet, not just the metadata about it. I suppose that's outside of the topic though.

    With a good part of the industry looking towards tools such as Splunk, Snort, Bro, RockNSM, ELK and other tools to organize, visualize, and store network transactions, what is Untangle doing to support this movement? How difficult would it be to add in the option in the Network/Interfaces tab to set up a port to mirror traffic, even for just a single interface? I definitely understand bridging is not the same as mirroring, but bridging is the only thing that Untangle enables. Is this a practical requirement, or is it not something that could be developed/implemented within the Untangle operating system?

    I also do understand that Untangle has applications for IDS/IPS, flow control, and more. And that's great, seriously. But in the environments I work in, we are looking for a more holistic view of what is happening, outside of the control of any given application on our network. Full, rolling pcap analysis is becoming more common, thanks to tools like Moloch, Kibana 6, Google Stenographer, etc.

    I came close to deleting all of this, just so you are aware. I realized that 90% of the information I want will have to be obtained from span ports on the internal switches of my two networks. I guess all I can ask is that a mirroring capability be considered for interfaces within the Untangle webGUI, but I completely understand that it is likely a low priority considering the niche application of this.

  8. #8 - dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 16,668)

    The pcap is downloaded with the export button, it's the same as produced by tcpdump (actually it *is* produced by tcpdump).

    Untangle already has extensive logging of network traffic, that's half of the point of installing Untangle. This is from in-line reconstruction not out-of-line so it includes the ability to SSL inspect and block/throttle. (It also already includes snort.)
    If you want to use something else on a mirror port, go for it. I'm not saying you shouldn't. I don't know any organizations who run Bro and Splunk and logstash w/ Elasticsearch and yet don't have (and also can't afford) a managed switch, much less run on a 4-port switch.

    Depending on your needs netflow also may be a good option.

    If you're just experimenting with open source projects, just run them on Untangle - it's just Linux. Just beware that we can't "support" you if you run weird stuff on your Untangle. You can even add your own iptables rules to TEE traffic to your logging box.
    Last edited by dmorris; 12-06-2017 at 10:29 PM.
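An added example of the iptables TEE approach dmorris mentions, written for this thread rather than taken from Untangle or from any poster; interface names, the sensor subnet and the capture path are hypothetical, and where Untangle keeps persistent custom rules is not covered here.

```shell
#!/bin/sh
# Added example (not Untangle's own code): mirror packets seen on the
# external interface to a sensor box with the iptables TEE target that
# dmorris mentions above. Interface names and addresses are hypothetical.
WAN_IF="${WAN_IF:-eth0}"                        # interface facing the modem
SENSOR_CIDR="${SENSOR_CIDR:-192.168.250.1/24}"  # Untangle's address on the sensor link
SENSOR_IP="${SENSOR_IP:-192.168.250.2}"         # the RockNSM / tcpdump host

# Dotted quad -> 32-bit integer, in plain POSIX sh.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# TEE hands each clone straight to the MAC of --gateway, so the gateway
# must be on a directly attached subnet; refuse anything else up front.
same_subnet() {
    net="${1%/*}"; bits="${1#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Emit the rules as text so they can be reviewed before being run as root.
# mangle/PREROUTING runs before the filter table, so inbound packets that
# a later filter rule drops are still copied; mangle/POSTROUTING catches
# what leaves through the WAN. Originals continue untouched, and xt_TEE
# does not mirror its own clones, so no loop-guard rule is needed.
tee_rules() {
    wan="$1"; cidr="$2"; gw="$3"
    if ! same_subnet "$cidr" "$gw"; then
        echo "sensor $gw is not on $cidr; TEE needs an on-link gateway" >&2
        return 1
    fi
    printf 'iptables -t mangle -A PREROUTING -i %s -j TEE --gateway %s\n' "$wan" "$gw"
    printf 'iptables -t mangle -A POSTROUTING -o %s -j TEE --gateway %s\n' "$wan" "$gw"
}

# On the sensor, a full-content rolling capture (not just headers):
sensor_capture() {
    printf 'tcpdump -i %s -s 0 -G 3600 -w /var/pcap/untangle-%%Y%%m%%d-%%H%%M.pcap\n' "$1"
}

tee_rules "$WAN_IF" "$SENSOR_CIDR" "$SENSOR_IP"
sensor_capture eth1
```

The script only prints the commands; pipe the tee_rules output into sh as root on the Untangle box once the interface names match yours.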

  9. #9 - Untangle Ninja (Join Date: Jan 2009, Posts: 1,079)

    Netgear GS105e

    Have one in my pack with all my other stuff.

  10. #10 - dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 16,668)

    Quote Originally Posted by fasttech:
    > Netgear GS105e
    >
    > Have one in my pack with all my other stuff.

    indeed!