Help us out readers: How would you sniff and store network traffic?

Having successfully averted the XP-ocalypse at the Wirliyatjarrayi Learning Centre in the remote Australian desert community of Willowra, Vulture South's operatives felt pleased with themselves. As regular readers will know, our encounter with the facility, run by the Batchelor Institute of Indigenous Tertiary Education, led …

  1. Khaptain Silver badge

    Wireshark maybe

    Wireshark would be my first choice but what exactly are your needs.

    Do you just want to make a general sniff or is it more application oriented sniffing that you are after.

    As an example: are you looking to sniff out the various layers of TCP/IP, or are you after the URLs that IE is browsing?

    How much space/resources do you have: is it only the client machine's hard disk, or is there also some kind of NAS?

    Do you need this traffic sent real time ?

    Do you need 24/24 worth of sniffing or just periodic snapshots ?

    1. Woodgie

      Re: Wireshark maybe

      These are all good questions which can be summarised by the question: "What is your aim?"

      Do you want the info for troubleshooting? Compliance reasons? To catch someone you suspect of doing something naughty? How you answer these should dictate how much importance you put on each aspect of the task.

      For instance if you're trying to understand who is using the most bandwidth and which sites they're using then it MIGHT be a better solution to upgrade to a router/firewall that can gather these statistics for you if you don't have one already (I haven't read the other article yet). Most home routers these days and certainly the lower cost 'business' routers seem to have this functionality.

      You might find that your firewall/router also has the ability to do more detailed log capture/packet analysis and send the results to a log server which could be one of the internal PCs which you SSH into and SCP the files from OR you could get it to log to YOUR server, wherever that might be.

      There are many options. And the more I think of it the more I can come up with but the key question remains: "What is your aim?"

  2. Anonymous Coward

    You can only sniff broadcast traffic (software such as Wireshark) on your own layer 2 or traffic passing across the sniffer's NIC(s).

    Remember the numerous suggestions you've obviously ignored about using a caching proxy? A chimp could set up Smoothwall. It runs nicely on any old PC with 2 network cards (and runs well in VirtualBox). All you need is a PC with 2 network cards.


  3. Woodgie

    I know you said "...Installing a server to do the sniffing probably isn't an option..." so I'm going to take the 'probably' bit and run with it. Also, in the time it takes me to type this up ninety-eleven other people are bound to have said the same thing.

    I think this is probably exactly the kind of thing a Raspberry Pi running Wireshark would excel at. It'd allow you to SSH in to SCP the dump files for analysis, it's small with low power requirements and importantly it's very low cost.

    It's true though that if you wanted to capture ALL traffic on the local layer 2 segment then you'd have to have (as I understand it) a switch that can mirror traffic from other ports to the one the Pi is attached to otherwise all you'll be able to pick up is broadcast traffic. Also, with regard to inbound and outbound traffic you'd need to find a way to use the Pi as a router and pass the out/in bound traffic over NICs attached to it which would mean using a USB to Ethernet adapter and I have no experience using one of them with a Pi.

  4. Terafirma-NZ

    I will go with Woodgie's comment about still going to site but with different gear. I say this as putting together a full report of all applications in use from a Wireshark capture will take longer than 2 days, and that is after you have pulled all the capture files back over the slow link, which alone might take more than the 2 days depending on the depth of capture and amount of local traffic.

    Ask Palo Alto Networks for a demo unit to trial on your network to see what applications are in use. You then get a report from the box, and Palo Alto will also generate a nice PDF report for you detailing all the info. You might have to swing a few sentences about the job, as this is normally for lead generating in the sales team. But you may even swing it for a Reg review.

    Or even better if the links are slow you can just purchase a PA200 unit and leave it there gaining all the features it provides. (they are pretty low cost)

    Installing it is just a simple power and connect network in and network out, running in wire-tap mode with an allow-all rule (default from factory); so you could freight it there and talk someone through it with some photos (assuming video calling is out of the question).

    No, I'm not an employee, just a happy customer.

  5. jake Silver badge

    "Are there other requirements we've overlooked?"

    Yep. You are missing a cognizant engineer who understands both networking & system security. Until you have that, you are spinning your wheels. There are no substitutes for proper education in any given field (which surely you are aiming for overall?).

  6. cleidh_mor

    TCPdump

    If you're running a Linux based wifi router, tcpdump might be available on the router, which would be ideal. Otherwise, run it on the problem PC and log the results to text file.

    You didn't mention whether this was for long term analysis or troubleshooting, so it's difficult to say how much storage you'll need, but tcpdump is pretty efficient and by generating text files, compression will work well. You can also filter very efficiently with tcpdump to minimise the volume of data you are storing.

    1. Tom Wood

      Re: TCPdump

      Indeed. Wireshark and tcpdump both use libpcap for the actual capture of traffic. tcpdump is a command line frontend, ideal if you want to run a packet capture for a period of time then analyze it later (perhaps with Wireshark). Wireshark allows real-time capture and analysis (using libpcap) but also offline analysis of saved captures.

      libpcap allows highly configurable capture filters to reduce the size of the packet capture by discarding stuff you don't need (such as filter by protocols, hosts, only capture packet headers and discard the payload, etc).

      To capture traffic from all the PCs though you either need to run a capture on each individual PC or on the switch/router/gateway. You can only intercept the traffic where it passes and ordinarily one PC won't see traffic destined for another PC.

  7. Andrew Commons

    Start simple

    "the Learning Centre's WLAN and satellite WAN are both slow"

    Latency will be the killer for the satellite WAN, and some of this may be reflected in the local WLAN performance if 'local' requests are making it out of the local environment. DNS would be one candidate I guess.

    So start by understanding what traffic is going through the satellite gateway. No need to sniff the traffic yet; just get connection logs, if possible, from the device itself. This should give you a good idea of what is going on with just src/dest IP and ports.

    How you do this will depend on the capabilities of the gateway. Best case is very careful use of remote administration access, or using the VNC capabilities to get internal administration access; otherwise you are facing big-time latency: a two-day round trip.
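Both Tom Wood's point (libpcap capture filters that keep only packet headers) and Andrew Commons' (a src/dest IP and port view is enough to see what crosses the gateway) rest on the same fact: a headers-only capture still records each packet's full on-wire length. The following pure-Python reader is an added example, not code from the thread or from tcpdump/Wireshark; it builds a small constructed pcap with a 96-byte snaplen, decodes the Ethernet/IPv4/TCP/UDP headers that survive truncation, and totals bytes per flow and per LAN-versus-gateway direction. The LAN prefix and addresses are constructed sample values.

```python
"""Summarise a headers-only pcap into per-flow byte counts.

Added example, not code from the thread: a pure-Python reader for the classic
libpcap file format (magic 0xa1b2c3d4, Ethernet link type). It copes with
captures taken with a small snaplen (tcpdump -s 96) because each record's
'original length' field still holds the packet's full on-wire size even
though the payload bytes were discarded.
"""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_pcap(packets, snaplen):
    """Serialise (timestamp, frame) pairs into a pcap, truncating each frame
    to snaplen exactly as a headers-only capture would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(stored), len(frame)) + stored
    return out


def make_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with a zero-filled payload.
    Checksums are left at zero; the reader below never validates them."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 1, 0, 64,
                     proto, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + b"\x00" * payload_len


def parse_pcap(data):
    """Yield (timestamp, original_length, captured_bytes) for every record."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_flow(frame):
    """(src, dst, proto, sport, dport) from the headers, or None when the
    record is not IPv4 or was truncated before the transport header."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    l4 = 14 + ihl
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport


def summarise(data, lan_prefix):
    """On-wire bytes per flow, plus totals split into traffic that stayed
    inside lan_prefix and traffic that must have crossed the gateway."""
    lan = ipaddress.ip_network(lan_prefix)
    flows = defaultdict(int)
    totals = {"lan": 0, "wan": 0, "other": 0}
    for _, orig_len, frame in parse_pcap(data):
        flow = decode_flow(frame)
        if flow is None:
            totals["other"] += orig_len
            continue
        flows[flow] += orig_len
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
        totals["lan" if src in lan and dst in lan else "wan"] += orig_len
    return dict(flows), totals


# Constructed sample: two LAN hosts, one fetching a page over the satellite
# link, the other doing DNS to the router and SMB to its neighbour.
SAMPLE_FRAMES = [
    (1000, make_frame("192.168.1.10", "203.0.113.5", PROTO_TCP, 51000, 443, 1400)),
    (1001, make_frame("203.0.113.5", "192.168.1.10", PROTO_TCP, 443, 51000, 1200)),
    (1002, make_frame("192.168.1.11", "192.168.1.1", PROTO_UDP, 40000, 53, 40)),
    (1003, make_frame("192.168.1.11", "192.168.1.10", PROTO_TCP, 445, 50001, 800)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=96)

if __name__ == "__main__":
    flows, totals = summarise(SAMPLE_PCAP, "192.168.1.0/24")
    for (src, dst, proto, sp, dp), n in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(f"{src}:{sp} -> {dst}:{dp} proto={proto} bytes={n}")
    print(totals)  # {'lan': 936, 'wan': 2708, 'other': 0}
```

Byte totals are taken from the record's original length rather than the stored bytes, which is why the 96-byte snaplen costs nothing in accuracy for this kind of summary; if the snaplen is set below the 34 bytes of Ethernet plus IPv4 header, the flows become undecodable and the reader counts them under "other" instead of guessing.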

  8. Benno

    What about the option of something on the other side of the WAN link? Can you arrange to pay for a service at the ISP to provide more detailed usage statistics? A transparent proxy might do the trick.

    That is, assuming the WAN traffic is what you're interested in. If it's LAN, then you probably need a router with flow features (e.g. Cisco NetFlow) and the respective flow-analyzer. As a 'simpler' version, you could implement a device with ACLs that logged packet counts against 'allow' rules.

  9. Anonymous Coward

    Is the switch managed?

    Is the switch a managed one - one with some sort of administration interface - where you could mirror all the traffic to a given port (also called a SPAN port or the like)?

    If so, you can set up one of the PCs (even remotely) to capture traffic during a given period (that should be representative of the traffic), and everything will happen at the remote site.

    If the PCs are Windows ones, you can use WinPcap + Wireshark (command line tools available), Microsoft Network Monitor or any other tool to capture and then analyze the traffic. Wireshark works on Linux too, but there are other tools as well.

    You could also set filters on both the capture and analysis phases to see only the outgoing traffic, ignoring the LAN one, and then maybe have scripts uploading you the files when there is little use of the network, i.e. at night.

    If the switch isn't managed, it's much more difficult - you'd need to install additional hardware to intercept the traffic you need to analyze. A hub between the router and the switch (if neither can deliver traffic to another device) can be used to capture the traffic between the devices, but a PC needs to be connected to the hub to receive traffic. Inspecting traffic among PCs may be harder, though.
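The post above proposes three things to do on the capturing PC: filter so that only gateway-bound traffic is kept, capture for a set period, and ship files back when the link is idle. The script below is an added example, not the poster's or tcpdump's own code; it composes the tcpdump command line with a BPF filter that drops LAN-to-LAN packets, a 96-byte snaplen, hourly rotation and gzip of each closed file, and a quiet-hours check for the upload step. It assumes tcpdump 4.x on the PATH of the capturing machine; the interface name, LAN prefix and output directory are placeholders.

```python
"""Plan a rotating, headers-only tcpdump capture of gateway-bound traffic.

Added example, not code from the thread. It assumes tcpdump 4.x is on the
capturing PC's PATH; "eth0", the LAN prefix and the output directory used
in __main__ are placeholders for the real site values.
"""
import datetime as dt
import shlex
import subprocess
from pathlib import Path


def outgoing_only_filter(lan_prefix):
    """BPF capture filter that discards LAN-to-LAN packets and keeps any
    packet with at least one end outside the LAN, i.e. what reaches the
    gateway (the thread's 'only the outgoing traffic, ignoring the LAN one')."""
    return f"not (src net {lan_prefix} and dst net {lan_prefix})"


def build_tcpdump_argv(iface, lan_prefix, outdir, snaplen=96, rotate_secs=3600):
    """-s keeps only the first snaplen bytes of each packet (enough for
    Ethernet/IP/TCP headers, no payload), -G/-w start a new strftime-named
    file every rotate_secs, and -z gzip compresses each file as it closes."""
    return [
        "tcpdump", "-i", iface, "-n", "-s", str(snaplen),
        "-G", str(rotate_secs),
        "-w", str(Path(outdir) / "cap-%Y%m%d-%H%M%S.pcap"),
        "-z", "gzip",
        outgoing_only_filter(lan_prefix),
    ]


def in_upload_window(hour, start_hour=1, end_hour=5):
    """True during the site's quiet hours, so shipping files over the slow
    link does not compete with daytime use."""
    return start_hour <= hour < end_hour


def select_uploads(filenames, hour):
    """Rotated files tcpdump has already gzipped; the plain .pcap that is
    still being written is never selected."""
    if not in_upload_window(hour):
        return []
    return sorted(f for f in filenames if f.startswith("cap-") and f.endswith(".pcap.gz"))


if __name__ == "__main__":
    argv = build_tcpdump_argv("eth0", "192.168.1.0/24", "/var/captures")
    print(shlex.join(argv))
    hour = dt.datetime.now().hour
    print("upload window open:", in_upload_window(hour))
    subprocess.run(argv, check=True)  # runs until stopped; needs root/CAP_NET_RAW
```

The filter is applied by libpcap at capture time, so LAN-to-LAN packets never reach disk at all; the snaplen then bounds what is kept of each packet that does, which is what makes a multi-day capture fit on an ordinary client hard disk and survive the trip back over a slow link.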

  10. duhmb

    span port or inline will be needed

    If you cannot see all the traffic betwixt switch and satellite you're buggered.

    Use ntop to see all traffic once you can plug in to a spanned port or better yet between the two.

    If you can put something between the two have it cache web traffic as a pass through.

    Ntop is web based so light.

    Any crappy old PC can run it.

    If you can get hold of Smoothwall with proxy you should be right.

    1. ciaran

      Re: span port or inline will be needed

      Ntop is great. Span port can suck as configuration goes, and I wouldn't want to configure one remotely. Inline configuration is good - particularly combined with the NAT and a firewall. An ethernet tap is great, but I've never tried it with Ntop. An ethernet tap is a small hardware contraption that separately splices into the "in" and "out" stream of an ethernet link. So you need a box with 2 ethernet ports to record the traffic from each direction. Plus a third to actually communicate.

  11. Chris J

    MikroTik SwOS devices appear to offer port mirroring, and are cheap.

    Combine with NtopNG running on a Raspberry Pi perhaps to get an overview of what is being sent and received in real time?

  12. pblakez

    I would start with OpenDNS to see what traffic they are using; pretty easy and cloud based.

    Sniff locally only after you figure out what you want to monitor on the local network.

  13. Anonymous Coward

    You have a PhD from Batchelor, or a Bach from Masters?

    I have a Bachelor, from Batchelor, and a Masters from Masters. Where do you think I should do a PhD?

  14. HKmk23

    Over engineering? Perhaps a low tech solution?

    While there are some excellent suggestions above which will fulfill your requirement, as you do not state the reason for the need, I would suggest a simple keylogger on each machine will enable you to analyse traffic to your heart's content.

    1. Anonymous Coward

      Re: Over engineering? Perhaps a low tech solution?

      A keylogger can capture very sensitive information and put you in legal trouble. Also, a keylogger doesn't tell you what happens at the network level (and an AV can spot it and block it...)

      While capturing packets you can decide to capture only part of the packet itself, i.e. just the transport information and not the whole payload.

      When you start to capture and inspect traffic you have to be very careful about what you do and how you do it.

  15. Anonymous Coward

    I'm with HKmk23... kinda

    From my experience, I think it is pointless to analyse traffic anywhere on the network except at the gateway, mainly because that is where you'll see simultaneous hits on the bandwidth.

    If you're looking for a per-PC analysis, I'd go with a simple software install, something a little more sophisticated than a keylogger, something like eBlaster for instance, which will generate your traffic reports by email on a remotely configurable schedule.

  16. TheresaJayne

    How about something a little more elegant: install Oracle VirtualBox or similar onto one of the machines, and install Kali Linux.

    Once running you could SSH into it and even give it its own IP.

    It has tools that can monitor and scan all manner of connections.

    Or if you had a machine you could put as a potential firewall then you could always install a copy of the FREE firewall software Untangle.
