How to implement full packet capture and Netflow at home
CyberCop123
Member Posts: 338 ■■■■□□□□□□
in Off-Topic
I'm trying to learn more about my home network, identifying malicious IPs, looking at packets, in depth threat hunting and looking at protocols and headers, etc....
My question is, I don't know where to start with trying to capture this and what equipment I need.
At present I have just a simple router/modem that was given to me by my ISP. I guess I need either a tap, or something, or a switch with a SPAN port?
Can someone give me a very basic description of what type of equipment I will need? Nothing too expensive, it's a simple home network. I have a server so can store logs on there.
My Aims
2017: OSCP - COMPLETED
2018: CISSP - COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting - COMPLETED
GIAC GREM - Reverse Engineering of Malware - COMPLETED
2021: CCSP
2022: OSWE (hopefully)
Comments
-
CyberCop123 Member Posts: 338 ■■■■□□□□□□
cyberguypr said:
Check out https://securityonion.net/
Hi Cyberguy,
Yes, I have that actually but have not looked too much at it so far. The SANS course I was on last week went into a lot of detail around Kibana, which I know is contained within Security Onion.
My aim was to capture traffic across other parts of the network, not just my PC (where I run SO on a VM).
As an example, I ideally wanted to capture traffic from Netflix, my tablet, my phone, etc... and anything on the network. So I am guessing I need something on the internet boundary to capture that and let traffic out...
I need to decide how much I want to invest in this, both time and effort. It would be a good learning point, to treat my (fairly simple) home network as a test case. To monitor traffic, capture HTTP headers, look at packets etc.
-
JDMurray Admin Posts: 13,090 Admin
NetFlow (IPFIX, TNF, FNF, NSEL, CFLOW, etc.) is metadata generated by network midpoint devices (routers, switches, firewalls, etc.) for network interfaces used to direct network traffic. Typically, SOHO networking equipment is not given the capability of generating NetFlow metadata for packet traffic. This means that security monitoring software which requires NetFlow information (Zeek/Bro, RITA, StealthWatch, etc.) can't monitor traffic being directed by non-enterprise (read: cheaper) network devices.
-
JDMurray Admin Posts: 13,090 Admin
As a network tap for a SOHO environment, I use a Netgear ProSafe GS105E managed switch as a man-in-the-middle between the ISP's router and the main switch. The ISP router is connected to Netgear port 1, the local switch is connected to Netgear port 2, a laptop used to monitor network traffic is connected to Netgear port 5, and the Netgear is configured to mirror traffic from port 1 to port 5. This is a sub-$50 solution for a SOHO-bandwidth network tap.
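The mirror-port setup above only delivers copies of frames to the monitor laptop; something on that host still has to write them to disk without filling it. The following is an added example, not part of the thread and not JDMurray's own setup: a small POSIX shell script for the monitor host that runs tcpdump on the mirror interface with hourly and size-based file rotation, and prunes the oldest capture files before each start. The interface name eth1, the directory /var/pcap, the monitor host address 192.0.2.10 in the default filter, and the 200-file retention cap are all assumptions.

```shell
#!/bin/sh
# Added example: rotating full-packet capture for the monitor host on a mirror port.
# Interface, directory, address and retention values are assumptions, not from the thread.

# Print the tcpdump command line for mirror interface $1, writing pcaps into $2.
# $3 is an optional BPF filter; the default excludes the monitor host's own SSH
# session (address assumed) so the capture does not record itself.
capture_cmd() {
    iface=$1
    outdir=$2
    filter=${3:-"not (host 192.0.2.10 and port 22)"}
    # -nn       no name lookups, so capturing generates no DNS traffic of its own
    # -s 0      whole packets rather than a truncated snaplen
    # -G 3600   start a new file every hour; -C 1000 also roll at ~1 GB
    # -Z nobody drop root once the interface is open ($outdir must be writable by nobody)
    printf "tcpdump -i %s -nn -s 0 -Z nobody -G 3600 -C 1000 -w %s/home-%%Y%%m%%d-%%H%%M%%S.pcap '%s'\n" \
        "$iface" "$outdir" "$filter"
}

# Keep at most $2 pcap files in $1, deleting the oldest first (ls -t lists newest first).
prune_pcaps() {
    dir=$1
    keep=$2
    count=$(ls -1 "$dir"/*.pcap 2>/dev/null | wc -l)
    [ "$count" -gt "$keep" ] || return 0
    ls -1t "$dir"/*.pcap | tail -n +"$((keep + 1))" | while read -r f; do
        rm -f -- "$f"
    done
}

# Usage (capture needs root): sh capture.sh eth1 /var/pcap
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    mkdir -p "$2"
    prune_pcaps "$2" 200
    eval "exec $(capture_cmd "$1" "$2")"
fi
```

Run it from cron or a service unit so the prune step happens before every restart; the retention cap, not the rotation interval, is what bounds disk use on a home link.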
-
cyberguypr Mod Posts: 6,928 Mod
My setup is similar to JD's. I have a TP-Link switch between my internal network and the modem. I span all traffic to one port that I feed to my Security Onion VM.
-
c5rookie Member Posts: 53 ■■■□□□□□□□
I use a 1Gbps SharkTap which sits between my cable modem and router. The downside with this setup is that all my devices get NAT'd by the Netgear router, so at the moment I am unable to quickly determine which device is actually sending/receiving the data I am collecting. So I have to dig into the traffic and guess whose device I am actually seeing traffic from/to. If anyone has proven solutions on how to identify the endpoints in the house (tablet, laptop, cell phone, etc.) that would be appreciated.
-
cyberguypr Mod Posts: 6,928 Mod
c5rookie said:
I use a 1Gbps SharkTap which sits between my cable modem and router. The downside with this setup is that all my devices get NAT'd by the Netgear router, so at the moment I am unable to quickly determine which device is actually sending/receiving the data I am collecting. So I have to dig into the traffic and guess whose device I am actually seeing traffic from/to. If anyone has proven solutions on how to identify the endpoints in the house (tablet, laptop, cell phone, etc.) that would be appreciated.
Simple. You need to tap before the router.
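The NAT problem c5rookie describes and the "tap before the router" answer, together with JDMurray's point earlier that flow records are metadata derived from packets, as an added example that is not part of the thread: a stdlib-only Python script that writes the same five constructed packets into two in-memory pcap files, one as a SPAN port on the LAN-side switch would see them and one as a tap between modem and router would, aggregates each into NetFlow-style 5-tuple records, and totals bytes per source address. All MACs, addresses and ports are made up (RFC 5737 documentation ranges), and nat() is a simplified model of a home router's source NAT, not any vendor's implementation.

```python
"""Added example, not from the thread: NetFlow-style flow records from a pcap, and
why a LAN-side tap attributes traffic to devices while a WAN-side tap sees only the
router. Addresses, MACs and ports below are constructed sample values."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload_len):
    """Ethernet II + IPv4 + TCP frame. Checksums are left at zero: flow
    attribution never needs them and these frames never go on a wire."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                       ip(src_ip), ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ipv4 + tcp + b"\x00" * payload_len

def pcap(frames, t0=1700000000):
    """Serialise frames as a classic pcap file, the format tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) records; handles either byte order of the header."""
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode(frame):
    """Fields a flow exporter keys on; None for non-IPv4 or non-TCP/UDP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto = frame[23]
    if proto not in (6, 17):
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL gives the IPv4 header length
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])),
            "proto": proto, "sport": sport, "dport": dport,
            "bytes": struct.unpack("!H", frame[16:18])[0]}   # IPv4 total length

def flows(data):
    """Aggregate packets into unidirectional 5-tuple flow records, which is what a
    NetFlow/IPFIX exporter (or softflowd on a SPAN feed) produces."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in read_pcap(data):
        p = decode(frame)
        if p is None:
            continue
        rec = table[(p["src_ip"], p["dst_ip"], p["proto"], p["sport"], p["dport"])]
        rec["packets"] += 1
        rec["bytes"] += p["bytes"]
        rec["first"] = ts if rec["first"] is None else rec["first"]
        rec["last"] = ts
    return dict(table)

def bytes_by_source(flow_table):
    """Per-source totals; only per-device if the capture point sees pre-NAT addresses."""
    totals = defaultdict(int)
    for (src, *_rest), rec in flow_table.items():
        totals[src] += rec["bytes"]
    return dict(totals)

def nat(frame, public_ip, router_wan_mac, isp_mac, port_map):
    """Simplified model of a home router's source NAT: the frame as the WAN side sees
    it. Source MAC and IP become the router's and the source port is translated."""
    p = decode(frame)
    sport = port_map.setdefault((p["src_ip"], p["sport"]), 40000 + len(port_map))
    return tcp_frame(router_wan_mac, isp_mac, public_ip, p["dst_ip"], sport, p["dport"],
                     p["bytes"] - 40)

# Constructed sample: a tablet and a phone both streaming from one CDN address.
ROUTER_LAN, ROUTER_WAN, ISP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:ff"
TABLET, PHONE = ("02:aa:aa:aa:aa:01", "192.168.1.20"), ("02:bb:bb:bb:bb:02", "192.168.1.21")
CDN = "198.51.100.5"
lan_frames = ([tcp_frame(TABLET[0], ROUTER_LAN, TABLET[1], CDN, 51000, 443, 1400)] * 3
              + [tcp_frame(PHONE[0], ROUTER_LAN, PHONE[1], CDN, 52000, 443, 600)] * 2)
port_map = {}
wan_frames = [nat(f, "203.0.113.7", ROUTER_WAN, ISP, port_map) for f in lan_frames]
LAN_CAPTURE = pcap(lan_frames)   # what a SPAN port on the LAN-side switch records
WAN_CAPTURE = pcap(wan_frames)   # what a tap between modem and router records

if __name__ == "__main__":
    print("LAN side:", bytes_by_source(flows(LAN_CAPTURE)))   # one entry per device
    print("WAN side:", bytes_by_source(flows(WAN_CAPTURE)))   # one entry: the public IP
```

The LAN-side table also carries each device's MAC, which is the stable handle for naming endpoints (DHCP leases churn, MACs on a home LAN mostly do not); the WAN-side table collapses every device to the router's public address and only the translated source port distinguishes them, which is exactly the guessing game described above.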