Firewall Wizards mailing list archives

Re: tcpdump installation on unix firewall?


From: Woody Weaver <woody () wiltelnsi com>
Date: Thu, 02 Sep 1999 09:43:24 -0700

At 09:16 AM 8/31/99 -0500, Lance Spitzner wrote:
On Fri, 27 Aug 1999, Robert Graham wrote:

First, I am a big fan of using sniffers on the actual firewall for troubleshooting purposes.  I personally believe the benefits for troubleshooting far outweigh the risks.

With FW-1, sniffers capture the packets BEFORE the FW-1 filter inspects the packets, regardless of whether it drops/rejects/accepts them, etc.  This way you can compare what packets are actually going through the box to what the FW sees in its logs.  This has proven invaluable to me in numerous troubleshooting scenarios.

Just as important, the sniffer sees the packet dropped on the wire *after*
fwd is done with it.  This helps to identify misrouted packets, packets
dropped that aren't logged, etc.  "snoop -d <interface>" (running in its
own xwindow titled <interface>) is of invaluable help in setting up the
firewall for the first time.

--woody


Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
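The comparison both posters describe, packets on the outside wire versus the firewall log versus what reappears on the inside wire after fwd, as an added Python example that is not from the thread or from either poster. It assumes tcpdump's one-line output for the two interface captures and a hypothetical, constructed log format for the firewall (not FW-1's real log format); the sample lines are constructed.

```python
import re
from collections import namedtuple
Flow = namedtuple("Flow", "src sport dst dport")
# tcpdump one-line output: "09:43:24.100 IP 192.0.2.10.34567 > 198.51.100.5.80: Flags [S], ..."
CAP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
# Hypothetical firewall log format (constructed, not FW-1's): "<time> <action> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^\S+ (accept|drop|reject) (\S+):(\d+) -> (\S+):(\d+)$")
def parse_capture(lines):
    # Reduce an interface capture to the set of 4-tuples seen on that wire.
    flows = set()
    for m in filter(None, map(CAP_RE.match, lines)):
        flows.add(Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows

def parse_log(lines):
    # Map each logged 4-tuple to the action the firewall recorded for it.
    actions = {}
    for m in filter(None, map(LOG_RE.match, lines)):
        actions[Flow(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))] = m.group(1)
    return actions

def reconcile(outside, inside, log):
    # Classify every flow that arrived on the outside wire by what became of it.
    verdict = {}
    for f in outside:
        if f in inside:
            verdict[f] = "forwarded"             # reappeared on the inside wire after fwd
        elif log.get(f) in ("drop", "reject"):
            verdict[f] = "dropped-logged"        # firewall decided and the log says so
        elif log.get(f) == "accept":
            verdict[f] = "accepted-but-missing"  # accepted yet never seen inside: misrouted?
        else:
            verdict[f] = "dropped-unlogged"      # vanished with no log entry: the silent drop
    return verdict
# Constructed sample data: outside capture, inside capture, firewall log.
OUTSIDE = [
    "09:43:24.100 IP 192.0.2.10.34567 > 198.51.100.5.80: Flags [S], seq 1, win 8192, length 0",
    "09:43:24.200 IP 192.0.2.11.40000 > 198.51.100.5.23: Flags [S], seq 1, win 8192, length 0",
    "09:43:24.300 IP 192.0.2.12.41000 > 198.51.100.9.25: Flags [S], seq 1, win 8192, length 0",
    "09:43:24.400 IP 192.0.2.13.42000 > 198.51.100.5.443: Flags [S], seq 1, win 8192, length 0",
]
INSIDE = ["09:43:24.101 IP 192.0.2.10.34567 > 198.51.100.5.80: Flags [S], seq 1, win 8192, length 0"]
LOG = [
    "09:43:24 accept 192.0.2.10:34567 -> 198.51.100.5:80",
    "09:43:24 drop 192.0.2.11:40000 -> 198.51.100.5:23",
    "09:43:24 accept 192.0.2.12:41000 -> 198.51.100.9:25",
]
def report():
    return reconcile(parse_capture(OUTSIDE), parse_capture(INSIDE), parse_log(LOG))
```

On a real firewall the three constructed lists would be replaced by captures from the two interfaces and an export of the firewall's own log.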
