Firewall Wizards mailing list archives

RE: tcpdump installation on unix firewall?


From: jan.schultheiss () ubs com
Date: Mon, 30 Aug 1999 08:43:21 +0200

Hi Andreas

Hi fw-wizards

Do you consider it an utterly bad idea to install a packet sniffer on a firewall (HP box running FW-1)?
Why would I want to do this?
Perhaps you know this already: if something is not working, it's either the firewall or the network.

You mentioned the reason yourself: to check whether something is going through the firewall, or if there is something unusual going on. Usually the firewall gets blamed for every client/server application which is not working, so you definitely need to prove that the firewall is not the cause of the malfunction.

I need a tool to prove what's going on... Badly performing server, find out what normal traffic is for an application (data volume, traffic profile for one request....) and more of this kind.

Is there anybody out there... doing this?

tcpdump or snoop usually requires root privileges. Once somebody has got access to your firewall and has managed to become root, you have actually already lost the game.


Does it interfere with the FW-1 software?

It does not with Solaris. However, be sure to check in which order the software operates. On a Solaris box you see the packets with the snoop command although the Firewall-1 software will not let them through. Once you see the packets with snoop, you need to check the firewall logs to see whether the firewall has passed the packets or not.

Best regards
Jan
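The cross-check Jan describes, as an added example that is not part of the original thread: a sniffer on the firewall sees a packet before the filter decides on it, so a capture alone does not prove the packet was passed, and each captured flow has to be looked up in the firewall log. The capture lines below are constructed in tcpdump's default one-line format; the firewall log uses a simplified, constructed layout and is not the real FW-1 log format.

```python
import re
from collections import OrderedDict

# Constructed sample capture in tcpdump's default one-line format (not from the original post).
CAPTURE = """\
08:43:21.100000 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 8192, length 0
08:43:21.200000 IP 10.1.1.5.40002 > 192.0.2.10.23: Flags [S], seq 2, win 8192, length 0
08:43:21.300000 IP 10.1.1.7.40003 > 192.0.2.10.443: Flags [S], seq 3, win 8192, length 0
"""

# Constructed firewall log in a simplified generic layout; the real FW-1 log format is NOT assumed.
FW_LOG = """\
08:43:21 accept 10.1.1.5:40001 -> 192.0.2.10:80 tcp rule=3
08:43:21 drop 10.1.1.5:40002 -> 192.0.2.10:23 tcp rule=99
"""

CAP_RE = re.compile(r'^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):')
LOG_RE = re.compile(r'^\S+ (accept|drop|reject) (\S+):(\d+) -> (\S+):(\d+)')

def capture_flows(text):
    """Return the (src, sport, dst, dport) tuples seen on the wire, in order, without duplicates."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            flows[(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))] = None
    return list(flows)

def firewall_verdicts(text):
    """Map each flow the firewall logged to its verdict (accept/drop/reject)."""
    verdicts = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            verdicts[(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))] = m.group(1)
    return verdicts

def correlate(capture, fwlog):
    """For every flow the sniffer saw, report what the firewall log says about it.
    'unlogged' means the packet reached the interface but no rule logged a decision,
    so the capture alone proves nothing about whether the firewall passed it."""
    verdicts = firewall_verdicts(fwlog)
    return {flow: verdicts.get(flow, 'unlogged') for flow in capture_flows(capture)}

if __name__ == '__main__':
    for flow, verdict in correlate(CAPTURE, FW_LOG).items():
        print('%s:%d -> %s:%d  %s' % (flow + (verdict,)))
```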


