On Tuesday 08 October 2002 10:32, [EMAIL PROTECTED] wrote:
> Newbie to the World of TCPDUMP.
>
> I am running Snort IDS.
> I have recently been interested in also logging ALL traffic that comes
> in/out my network via TCPDUMP (IP headers at least).
> This is really for the purpose of Forensics etc etc and would be cool to
> zip up and store away.
>
> In the future I would also like to install SHADOW at some point to run
> these dumps for anomalies.
>
> However, the amount of data is silly !!
> 200 MB per HOUR !! This is far too much data to log and store away ?
>
> My question being ....
> Does anyone log ALL IP Headers IN+OUT of their Networks ?
> Should we be doing this ? Is it a good idea to take this approach ?
> Any ideas suggestions would be appreciated.

Realistically, it's impossible to analyze such amounts of data, even if that 
was your sole task all day long. So unless you're a security/military 
institution that has the paranoia and cash to maintain such logs, I see 
little point in doing it.

What *does* have informational and instructional value is selectively 
analyzing data exchanged under known conditions. E.g., if you want to check 
that your passwords are not sent in cleartext around the globe, run a sniffer 
while submitting them and then go through the packets one by one. Ethereal is 
very nice for this kind of deal.

Otherwise, I don't see any point in logging tons of data and mechanically 
storing them away.

-A

-- 
http://www.andrew.cmu.edu/~apapadop/pub_key.asc
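A worked version of the selective check the reply describes, added here as an example (it is not code from the thread or its authors): a small Python script that parses a pcap of an Ethernet/IPv4/TCP login exchange and flags credentials sent in the clear. The sample frames, hosts, ports and secrets are all constructed for illustration.

```python
import re
import struct

# Constructed sample: minimal Ethernet/IPv4/TCP frames in a pcap file, standing in
# for a capture taken with a sniffer while a login form was being submitted.
def _frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))  # constructed addresses
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame(40000, 80, b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=bob&password=hunter2"),
    _frame(40001, 80, b"GET /secret HTTP/1.1\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    _frame(40002, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-looking bytes: opaque, not flagged
])

CLEARTEXT_PATTERNS = [
    ("http-form-password", re.compile(rb"(?:^|[&\s])(?:pass(?:word|wd)?|pwd)=([^&\s]+)", re.I)),
    ("http-basic-auth", re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)),
]

def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for each IPv4/TCP frame in a little-endian pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    assert magic == 0xA1B2C3D4 and linktype == 1, "expects little-endian pcap over Ethernet"
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4           # TCP header length in bytes
        yield sport, dport, tcp[data_off:]

def find_cleartext_credentials(pcap: bytes):
    """Return (kind, dst_port, matched_value) for every credential seen in cleartext."""
    hits = []
    for _sport, dport, payload in iter_tcp_payloads(pcap):
        for kind, pat in CLEARTEXT_PATTERNS:
            for m in pat.finditer(payload):
                hits.append((kind, dport, m.group(1).decode("ascii", "replace")))
    return hits

for kind, port, value in find_cleartext_credentials(SAMPLE_PCAP):
    print(f"{kind} sent to port {port}: {value}")
```

A real capture taken with tcpdump (`-w file.pcap`) can be fed to `find_cleartext_credentials` instead of the constructed sample; frames captured with a snaplen that cuts off the payload will simply yield nothing to match.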