This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Domains are changing, firewalls are going up. Can Wireshark help me see the issues beforehand?

0

Company A is splitting. There are 10 thousand plus servers. I need a valid way to see the communication between them that exists currently and the current ports they use. Is that possible?

asked 13 May '15, 11:28


youngandpoor
6112
accept rate: 0%


2 Answers:

2

there are 10 thousand plus servers. i need a valid way to see the communication between them

Wow, nice little project.

Now, I'm going to tell you something you certainly don't want to hear. Really NO offense, just an attempt to "adjust" your expectations regarding the way you are going to handle this massive project ;-))

So, here we go ....

Based on your questions/comments about Packet capturing, Wireshark and Netflow, it looks like you don't have much experience with networking stuff, or at least not with the things mentioned. As I said: No offense, just a diagnosis! Please correct me if I'm wrong.

Now, you are trying to figure out the communication matrix of > 10.000 servers. I strongly recommend getting a team of professionals on board, with decent experience in networking, firewalling and similar migration projects. If you try to do this yourself with Wireshark, you're going to get into real deep trouble!

Things to consider:

  • Conversation matrix between clients and servers
  • Conversation matrix servers and servers
  • Conversation matrix servers and external systems
  • Conversation matrix servers and other internal systems (not servers - like printers, etc.)
  • How do clients/systems access other systems. Primarily via direct IP access (configured on the system) or via DNS?
  • Will you have to assign new IP addresses to some of the servers after the split?

It's by no means easy to figure out all that stuff for > 10.000 servers, plus a considerable amount of clients.

What you can do, and what has been mentioned already:

  • Capture traffic at certain points in your network, where all communication has to pass by, like core switches/routers
  • Capture the traffic in front of the servers
  • etc.

These methods will require TAPs or switches with port mirroring, which are both challenges in themselves in a scenario like yours, let alone the massive amount of data you will get with that approach.

So, honestly: FORGET about the approach "Let's capture the whole traffic and generate a communication matrix based on that information". That's simply not going to work at a scale like this, unless you are willing to invest a huge amount of money and man power to install several hundred (or even several thousand) capture devices plus a system that is able to handle the huge amount of data.

What else can you do?

  • enable NetFlow, sFlow, J-Flow, WhateverFlow your switches and routers do support

Depending on the Flow collection method (Sampling yes/no), you will get a better or worse idea about the communication matrix of your systems.

Caveats are:

  • you will have routers/switches that don't support any form of Flow collection
  • you will have routers/switches that only support Flow sampling, which does not give you exact data, just a (more or less) rough distribution of the traffic
  • you will need a massive system that is able to handle the amount of flows per second coming in from the whole network. Such systems do exist but they cost a fortune.
  • you will still have to create the firewall rules based on that data set manually, because only few systems will do this for you automatically, if they exist at all.

What else can you do?

You could install a firewall in bridge mode, allow everything and log everything for a couple of weeks and then build a rough ruleset based on the logs. That's possible with scripting and I have done it that way, but not with an environment consisting of > 10.000 servers and possibly even many more clients.

Summary: So again, you should hire a team of professionals with a lot of experience to get this job done. It's impossible to do this with "a bit of sniffing" with Wireshark! ;-)

Hope this helps.

Regards
Kurt

answered 15 May '15, 03:25


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 15 May '15, 04:56

0

Yes, it could if you have capture spots in each and every location (which you probably don't). I'd try to get NetFlow data from routers/switches instead, which is much more helpful, because it is just metadata for all the communication flows.

answered 13 May '15, 11:55


Jasper ♦♦
23.8k551284
accept rate: 18%

Is NetFlow only available for Cisco routers? Will NetFlow produce port info? I want to see the traffic in the current state. What do you mean by capture spots? I may or may not know source and destination.

Thank you!

(13 May '15, 12:10) youngandpoor

Any ideas, fellows?

(14 May '15, 07:29) youngandpoor

As Jasper said, to capture traffic between servers, you will need capture points, e.g. mirrored or SPAN ports at each switch that passes traffic. Likely a big task.

Using NetFlow, or a non-Cisco equivalent, the routers/switches send your flow collectors the metadata, e.g. source, destination IP and ports, which you can then analyze. Much easier if your routers/switches can produce the flow data.

(14 May '15, 07:45) grahamb ♦
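Kurt's remark about building a rough ruleset from logs with scripting, and grahamb's description of the flow metadata (source, destination IP and ports) you get from a collector, both come down to the same data-reduction step. The following is an added example, not code from the original thread: it folds constructed NetFlow-style unidirectional records into a client/server/port matrix and collapses that into candidate allow-list entries. The CSV layout, the reply-flow heuristic and the sampling_rate parameter are assumptions, not any collector's real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed flow export (NetFlow-style unidirectional records in a
# simplified CSV layout; the field names are an assumption, not nfdump's).
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
10.1.1.20,10.1.2.5,tcp,51022,443,12,6400
10.1.2.5,10.1.1.20,tcp,443,51022,10,41000
10.1.1.21,10.1.2.5,tcp,51800,443,8,3100
10.1.1.20,10.1.2.9,tcp,52010,1433,30,9000
10.1.3.7,10.1.2.9,udp,50123,53,2,160
"""

def service_tuple(src_ip, dst_ip, proto, sport, dport):
    """Fold one unidirectional flow onto (client, server, proto, service_port).
    Heuristic assumption: a flow whose source port is privileged (<1024) and
    whose destination port is not is the reply half, so the ends are swapped."""
    if sport < 1024 <= dport:
        return dst_ip, src_ip, proto, sport
    return src_ip, dst_ip, proto, dport

def build_matrix(flow_csv, sampling_rate=1):
    """Aggregate flows into {(client, server, proto, port): {'flows', 'bytes'}}.
    sampling_rate scales byte counts when the exporter sampled 1-in-N packets,
    which is why sampled data only gives a rough distribution, as Kurt notes."""
    matrix = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = service_tuple(row["src_ip"], row["dst_ip"], row["proto"],
                            int(row["src_port"]), int(row["dst_port"]))
        matrix[key]["flows"] += 1
        matrix[key]["bytes"] += int(row["bytes"]) * sampling_rate
    return dict(matrix)

def candidate_rules(matrix):
    """Collapse the matrix into (server, proto, port) -> sorted client list:
    the raw material for an allow-list that still needs human review."""
    rules = defaultdict(set)
    for client, server, proto, port in matrix:
        rules[(server, proto, port)].add(client)
    return {k: sorted(v) for k, v in sorted(rules.items())}

if __name__ == "__main__":
    for (server, proto, port), clients in candidate_rules(build_matrix(SAMPLE_FLOWS)).items():
        print(f"allow {proto}/{port} to {server} from {', '.join(clients)}")
```

The reply flow in the sample (443 -> 51022) is merged into the same matrix entry as the request rather than appearing as a bogus service on an ephemeral port; that merge is what keeps the candidate rule list from doubling.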