• Support
  • Forums
  • Blogs

Full packet capture

AsterixAsterix

Entry Level
Hi I was looking at the packet capture solution in OSSIM, Is this just TCPdump for a very limited time window? We are looking for constant packet capture (Full packet capture) as Netflow does not provide enough accountability for us, in the same way as other open source FPC solutions (Moloch or Packetloop), is this not included in the product? any plans?
Tagged:

Share post:

Best Answer

  • Answer ✓
    Nobody else have this challenge?
    Yes, I've got the same issue in the past.
    And here is what I did.

    1. I've redirected all the incomming/ougoing traffic of our company to an OSSIM sensor.
    2. On this sensor I keep about 80Gb of packet capture traffic using the following command:
    tcpdump -i eth0 -C300 -W266 -w trace.pcap &

    This will keep 266 packet capture files of 300M each. (trace.pcap001, trace.pcap002, and so one)

    I hope that will help.
    cmdex

Answers

  • Nobody else have this challenge?
  • The functionality there is for troubleshooting and forensics. You could in theory do a rolling pcap with tcpdump, but setting up something like Moloch would have a far better ROI for you. Just remember you'll need quite a bit of disk space for FPC.
  • Yep, that's a rolling pcap right there. Just make sure you have the disk space.
  • OK, thanks for the responses, I't nice to know what there is some functionality for this but it does sound very manual and not that scale-able for enterprise use.

    As FPC is very resource intensive as well, i guess our usage would be best as a standalone image (moloch/openfpc/packetpig) on another physical disk to overcome limitations of disk I/O etc.

    /Asterix
This discussion has been closed.