Network Sniffer

Tarrant64 (Diamond Member, joined Sep 20, 2004)
I'm looking for a solution to track incoming connections to a SQL server we have. There are changes being made that are causing problems. Pretty sure it's a hacker or something using update queries. Could possibly be coming from 'inside' our network though.

Looking for something that says what PC accessed this server and when. Any kind of logging will do. Also, nothing that will take any kind of performance hit on the network.


Thanks!

If this needs to be moved into software, please do so. I am assuming this is the right place as this is network related.
 

nweaver (Diamond Member, joined Jan 21, 2001)
There are MANY ways to do this. I would think the best is to use some sort of transaction logging on the DB itself. From the network side, mirror the port, attach a *nix box and run NTOP. A fairly recent version is available in the Ubuntu/Deb repos.
 

Tarrant64 (Diamond Member, joined Sep 20, 2004)
Unfortunately the people I work for are pretty dead set on everything Windows.
 

robmurphy (Senior member, joined Feb 16, 2007)
If you are on Windows, Wireshark is free and will do the job.

If you search this forum for Wireshark there is a thread which explains how I use it on Windows and avoid it crashing etc.

You will need a port setup on a switch to mirror traffic to/from the sql server. Provided the switch is up to the mirroring job then this should not affect the network.

If you do not have a mirror port then you will be stuck with capturing on the SQL server. Wireshark comes with a few command line utilities for this, so have a look at the HTML help files. Dumpcap and tshark are the ones to look at.

Rob
 

nweaver (Diamond Member, joined Jan 21, 2001)
The issue is that Wireshark is way too granular for what they need.

Ntop is perfect: it's not going to get to that granular level, but it will show connections/times/IPs etc. at a much nicer level to detect who is accessing your server. You can install NTOP on Windows, but IIRC a precompiled binary costs money (Luca provides this and some support, IIRC for a fee). If they are so asinine about Windows that they won't let you stand up one Linux box to do a job that it's better at, because they are too dumb to enable/parse SQL logs, then I'm sorry, but you work for a company of idiots. It's like a mechanic saying "We don't believe in 6 point sockets".
 

mxnerd (Diamond Member, joined Jul 6, 2007)
Yes, enabling SQL logs is better than using any sniffer.
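Both nweaver's first suggestion (transaction logging on the DB itself) and mxnerd's point come down to the same thing: let the database record who connected and who ran the UPDATEs, instead of reconstructing it from packets. The T-SQL below is an added example written for this thread, not code from any of the posters, showing what that looks like with SQL Server Audit (SQL Server 2008 or later; database-level audit specifications needed Enterprise edition before SQL Server 2012 SP1). The database name Sales, the audit file path and the object names are placeholders to adapt. Nothing here touches the network: the audit is written to a local file on the SQL host, so the only cost is disk I/O on the server.

```sql
-- 1. Create a server audit that writes to a local file (path is a placeholder).
--    QUEUE_DELAY buffers writes so the audit does not stall queries.
USE master;
GO
CREATE SERVER AUDIT Audit_SqlAccess
    TO FILE (FILEPATH = 'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_SqlAccess WITH (STATE = ON);
GO

-- 2. Server-level specification: every successful and failed login,
--    which answers "who connected, and when".
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Logins
    FOR SERVER AUDIT Audit_SqlAccess
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO

-- 3. Database-level specification: record every UPDATE/DELETE/INSERT against
--    the dbo schema of the database with the unexplained changes (Sales is a
--    placeholder name). BY public means "any principal".
USE Sales;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_SalesChanges
    FOR SERVER AUDIT Audit_SqlAccess
    ADD (UPDATE, DELETE, INSERT ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO

-- 4. Read the audit back: action_id 'LGIS'/'LGIF' = login succeeded/failed,
--    'UP' = UPDATE, 'DL' = DELETE, 'IN' = INSERT.
--    client_ip and host_name are only present in the audit record on recent
--    versions (SQL Server 2016/2017 and later); drop those two columns on older
--    builds and rely on the live-session query in step 5 instead.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       client_ip,
       host_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file('D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('LGIS', 'LGIF', 'UP', 'DL', 'IN')
ORDER BY event_time DESC;
GO

-- 5. Who is connected right now, from which machine, since when.
--    host_name and program_name are supplied by the client and can be faked;
--    client_net_address comes from the TCP connection and is the value to trust.
SELECT s.session_id,
       s.login_time,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       s.last_request_start_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;
GO
```

Two caveats for the original question. First, if the application connects with one shared SQL login, the audit will show that login for every UPDATE; the client IP (step 4) or client_net_address (step 5) is then what distinguishes the PC that issued it. Second, a port mirror plus a sniffer still has its place when you cannot change anything on the server, but it only sees connections and, for unencrypted TDS, the statement text; it cannot tell you which rows changed, which the audit record's statement column does.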