How to implement full packet capture and Netflow at home

CyberCop123CyberCop123 Senior MemberPosts: 325Member ■■■■□□□□□□
I'm trying to learn more about my home network, identifying malicious IPs, looking at packets, in depth threat hunting and looking at protocols and headers, etc....

My questions is, I don't know where to start with trying to capture this and what equipment I need.

  
At present I have just a simple router/modem that was given to my by my ISP.  I guess I need either a tap, or something, or a switch with a SPAN port?

Can someone give me a very basic description of what type of equipment I will need?  Nothing too expensive, it's a simple home network.  I have a server so can store logs on there.  
My Aims
2017: OSCP -
COMPLETED
2018: CISSP -
COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting -
COMPLETED
           GIAC GREM - Reverse Engineering of Malware -
IN PROGRESS

2020: MCSA, OSCE

Comments

  • cyberguyprcyberguypr Senior Member Posts: 6,786Mod Mod
  • CyberCop123CyberCop123 Senior Member Posts: 325Member ■■■■□□□□□□

    Hi Cyberguy, 

    Yes I have that actually but not looked too much at it so far.  The SANS course I was on last week went into a lot of detail around Kibana which I know is contained with SecurityOnion.

    My aim was to capture traffic across other parts of the network, not just my PC (where I run SO on a VM).

    As an example, I ideally wanted to capture traffic from Netflix, my tablet, my phone, etc... and anything on the network.  So I am guessing I need something on the internet boundary to capture that and let traffic out...

    I need to decide how much I want to invest in this, both time and effort.  It would be a good learning point, to treat my (fairly simple) home network as a test case.  To monitor traffic, capture HTTP headers, look at packets etc...
    My Aims
    2017: OSCP -
    COMPLETED
    2018: CISSP -
    COMPLETED
    2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting -
    COMPLETED
               GIAC GREM - Reverse Engineering of Malware -
    IN PROGRESS

    2020: MCSA, OSCE
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,341Admin Admin
    edited January 21
    NetFlow (IPFIX , TNF, FNF, NSEL, CFLOW, etc.) is metadata generated by network midpoint devices (routers, switches, firewalls, etc.) for network interfaces used to direct network traffic. Typically, SOHO networking equipment is not given the capability of generating NetFlow metadata for packet traffic. This means that security monitoring software which requires NetFlow information (Zeek/Bro, RITA, StealthWatch, etc.) can't monitor traffic being directed by non-enterprise (read: cheaper) network devices.
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,341Admin Admin
    edited January 21
    As a network tap for a SOHO environment, I use a Netgear ProSafe GS105E managed switch as a man-in-the-middle between the ISP's router and the main switch. The ISP router is connected to NetGear port 1, the local switch is connected to Netgear port 2, a laptop used to monitor network traffic is connected to Netgear port 5, and the Netgear is configured to mirror traffic from port 1 to port 5. This is a sub-$50 solution for a SOHO-bandwidth network tap.
  • cyberguyprcyberguypr Senior Member Posts: 6,786Mod Mod
    My setup is similar to JD's. I have a TP-Link switch between my internal network and the modem. I span all traffic to one port that I feed to my Security Onion VM. 
  • c5rookiec5rookie CISSP, CCNA CyberOps/Wireless, GCED, GCIA, GCIH, GCUX, GCWN, GPEN, A+, Network+, Security+, Linux+, U.S.Posts: 34Member ■■■□□□□□□□
    I use a 1Gbps SharkTap which sits between my cable modem and router.  The downside with this setup is that all my devices get NAT'd by the Netgear router, so at the moment I am unable to quickly determine which device is actually sending/receiving the data I am collecting.  So I have to dig into the traffic and guess who's device I am actually seeing traffic from/to.  If anyone has proven solutions on how to identify the endpoints in the house (tablet, laptop, cell phone, etc.) that would be appreciated.
  • kaijukaiju Posts: 392Member ■■■■■■□□□□
    The port mirroring setup instructions are found here if you are using a Linksys Gigabit device.
    Work smarter NOT harder! Semper Gumby!
  • cyberguyprcyberguypr Senior Member Posts: 6,786Mod Mod
    edited January 22
    c5rookie said:
    I use a 1Gbps SharkTap which sits between my cable modem and router.  The downside with this setup is that all my devices get NAT'd by the Netgear router, so at the moment I am unable to quickly determine which device is actually sending/receiving the data I am collecting.  So I have to dig into the traffic and guess who's device I am actually seeing traffic from/to.  If anyone has proven solutions on how to identify the endpoints in the house (tablet, laptop, cell phone, etc.) that would be appreciated.

     Simple. You need to tap before the router.
Sign In or Register to comment.