Sorry to bump-up the topic, but maybe better than establishing new one
We were recently contacted by one criminal investigation agency, and they want us to cooperate upon catching some criminal activity from our network. Surely we want to cooperate
I tried many things, but I am not sure I am getting expected result. I work with WireShark and I know basic stuff about it. Then I think I know at least basic stuff about MT, but ... this aproach either does not work at all, or I am completly dumb
(which might be the case
1) I can choose two adresses, and here comes my issue with MT docs. Sorry but stating "criterion of choosing the packets to process" is like actually stating nothing usefull. So - what is the relation of address1 and address2? Is it like src, dst? So if I want to stream whole traffic coming to/from one concrete IP address, do I fill in that ip adress in address1 field, and the second one stays with 0.0.0.0/0, or? I surely don't want to use 0.0.0.0/0 everywhere, which would imo redirect whole 50mbit traffic?
2) I went to WireShark, set-up logging to files, disabled WCCP as suggested, but I am still not sure I am receiving streamed content. What should I state in the capture filter (tcpdump) filter field of WireShark? "udp"? "host mt.ip.here"?, "host intruder.ip.here"? or? What I want to get into WireShark is actually raw packets of indruder to/from communication.
I think that if I don't get it working, I will have to find some old hub to put WireShark PC onto the same cable as main router is, and use tcpdump direct host filtering ...
Thanks for eventual help!