Nag.,
I think Guy has pretty much filled you in on the Remote Capture interface. The reality is that if your users do have admin rights to a machine then they can do pretty much anything they like. While you could make the Remote Packet Capture Service only runnable by certain users, you would need to make sure that no user can "trump" those change with Admin rights.
(And of course you allow users to physical have access to machines (and don't lock down the BIOS, USB ports, etc), they can pretty much boot up anything they like.
Usually many such security issues are better solved through human security controls (telling people to not do the wrong thing if they want to keep their job) then onerous technical measures.
Regards, Martin
MartinVisser99@xxxxxxxxx
On Wed, Jun 16, 2010 at 3:01 PM, Maynard, Chris
<Christopher.Maynard@xxxxxxxxx> wrote:
I was confused by the question too, but if I focus
only on the question asked, namely, "Is there a way
to capture packets from/to a selected list of IP address on a
LAN?", then the answer is yes.
First you
must set things up so the machine doing the capturing has access to the
packets of interest. This may involve adding a
hub, enabling port mirroring on a switch, etc. See http://wiki.wireshark.org/CaptureSetup for
more information.
And second, you must use an appropriate capture filter. For example, if you want to
capture all packets sent from/to 2 hosts (assume IP addresses IP1 and IP2),
to any other host then you might use the following capture filter to accomplish
this: "host IP1 or host IP2". If you only want to see packets sent between
those 2 hosts, then you would use, "host IP1 and host IP2". See http://wiki.wireshark.org/CaptureFilters for
more information on capture
filters.
Now if you want to "restrict the
packet capturing to a set of machines ...", then
that's a different problem to solve.
- Chris
Sent: Tuesday, June 15, 2010 8:57 PM
To: Community
support list for Wireshark
Subject: Re: [Wireshark-users] Secured way
of using Wireshark
Nag,
I'm not sure what you mean by your question. Capturing
packets is for the most part passive, in that you are saving packets to a file
for viewing. Wireshark does not propagate packets to the rest of the network, no
matter how virus laden they are. (Certainly as long as those packets are not
specially crafted to maybe exploit a vulnerability in wireshark itself, which
while it ihas been done, is very very rarely actually seen in the wild).
Regards, Martin
MartinVisser99@xxxxxxxxx
On Tue, Jun 15, 2010 at 6:55 PM, Nagendrababu Maseedu
<Nagendra.Babu.Maseedu@xxxxxxxxxxxxx>
wrote:
Hi,
Is there a way to capture packets
from/to a selected list of IP address on a LAN?
The need is to restrict the packet
capturing to a set of machines so that security breach does not happen on
other machines on the same network.
Please let me know if you have any
other mechanism to satisfy this need.
Kind regards,
Nag.
NOTICE: The information contained in this
electronic mail transmission is intended by Convergys Corporation for the use
of the named individual or entity to which it is directed and may contain
information that is privileged or otherwise confidential. If you have received
this electronic mail transmission in error, please delete it from your system
without copying or forwarding it, and notify the sender of the error by reply
email or by telephone (collect), so that the sender's address records can be
corrected.
___________________________________________________________________________
Sent
via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:
http://www.wireshark.org/lists/wireshark-users
Unsubscribe:
https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
