[clug] Interception

Robert Edwards bob at cs.anu.edu.au
Wed Feb 27 17:44:19 MST 2013


On 28/02/13 07:44, Adrian wrote:
> I would like to build a machine to intercept and record all IP network
> traffic. In my case, that which is passing to and from the Internet. I
> can physically place the box between the router and the network switch.
>
> What Linux distributions are best suited for this purpose? And what is
> the best tool to record the data? The quantity will not be very
> great or fast, so recording disk capacity and speed are probably not an
> issue.
>
> I could probably do this myself but the collective knowledge of the
> community will probably provide me with a better result.
>
> Thanks
>
> Adrian

Depends upon what you mean by "all IP network traffic": do you mean:
  - every packet with all its headers and data etc., or
  - each "flow" with its size, time, src and dest, protocol etc., or
  - something else?

Also, depends what you mean by "intercept" - do you want real-time
deep packet inspection with filtering, or just intercept with the
intent of recording?

In either case, I personally would choose a Debian server as the router.

If you are just interested in recording the flows then use something
like argus (http://argus.tcp4me.com/):
apt-get install argus-server argus-client

If you want to intercept with the intent of blocking, then squid or
privoxy might be your friends for http, ftp etc. and you would need
other tools for other protocols. E.g. put in your own DNS server and
use iptables to force all your clients' DNS requests to your server,
which can then log each request as well as providing alternates for
known-bad lookups.

If you want to grab all packets, data and all, then use tcpdump, as
has been suggested elsewhere, or use iptables to log everything.

Cheers,

Bob Edwards.
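As an added example (not part of the thread, and not argus or tcpdump code): the per-packet versus per-flow distinction Bob draws, shown with a small Python reader that walks a tcpdump-style pcap and aggregates it into argus-style 5-tuple flows. The capture is constructed inline so the script runs offline; it assumes an Ethernet link type and only IPv4 TCP/UDP packets, and the addresses, ports and MAC addresses are made up for the sample.

```python
"""Minimal pcap reader + flow summarizer (added example, not from the thread).

Assumptions: pcap with Ethernet link type (1), IPv4 over TCP/UDP only.
The sample capture is constructed below so the script needs no files.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header; checksum left zero because the parser never checks it.
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _tcp(sport, dport, payload, flags=0x18):
    # 20-byte TCP header, data offset 5, no options.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload


def _frame(ts_sec, ts_usec, src, dst, proto, l4):
    # Ethernet header (constructed MACs) + IPv4 + L4, prefixed with a pcap record header.
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    pkt = eth + _ipv4_header(src, dst, proto, len(l4)) + l4
    return struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt


def build_sample_pcap():
    """Constructed capture: a DNS query/response pair and a short HTTP exchange."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame(1000, 0, "192.168.1.10", "192.168.1.1", PROTO_UDP, _udp(51000, 53, b"\x00" * 30)),
        _frame(1000, 2000, "192.168.1.1", "192.168.1.10", PROTO_UDP, _udp(53, 51000, b"\x00" * 60)),
        _frame(1001, 0, "192.168.1.10", "203.0.113.5", PROTO_TCP, _tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
        _frame(1001, 50000, "203.0.113.5", "192.168.1.10", PROTO_TCP,
               _tcp(80, 40000, b"HTTP/1.0 200 OK\r\n\r\n" + b"x" * 100)),
        _frame(1002, 0, "192.168.1.10", "203.0.113.5", PROTO_TCP, _tcp(40000, 80, b"")),
    ]
    return gh + b"".join(frames)


def iter_packets(data):
    """Yield (timestamp, raw_frame) from pcap bytes, honouring the magic's byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_ipv4(frame):
    """Return (src, dst, proto, sport, dport, ip_total_len) or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total, proto = struct.unpack("!H", frame[16:18])[0], frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport, total


def summarize_flows(data):
    """Aggregate packets into unidirectional 5-tuple flows: count, bytes, first/last seen."""
    flows = {}
    for ts, frame in iter_packets(data):
        hdr = parse_ipv4(frame)
        if hdr is None:
            continue
        key, nbytes = hdr[:5], hdr[5]
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += nbytes
        f["last"] = max(f["last"], ts)
    return flows


if __name__ == "__main__":
    for (src, dst, proto, sp, dp), f in summarize_flows(build_sample_pcap()).items():
        name = "tcp" if proto == PROTO_TCP else "udp"
        print(f"{name} {src}:{sp} -> {dst}:{dp} pkts={f['packets']} "
              f"bytes={f['bytes']} dur={f['last'] - f['first']:.3f}s")
```

Five packets collapse to four flow records here; on a real capture that ratio is what makes flow records (argus) cheap to keep for months while full packet captures (tcpdump) are not, at the cost of losing the payload.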


