[AusNOG] Interception Questions

Ben B bb.ausnog at bb.cactii.net
Fri Jul 21 18:49:00 EST 2006

Skeeve Stevens <skeeve at skeeve.org> uttered the following thing:
> 	Presently we're looking at mirroring switch ports and taking that
> into a Linux box/laptop/etc to be collected by TCPDump or some such.  Is
> that all they need to be able to get what they want?  There are programs
> like VoIPong which can record VoIP calls in raw format, but I'm not sure if
> they want us to go to that extend.

I would expect that any LEA worth their salt would want the data in the
most uncut, raw format they can get, to assist any forensics. In which 
case, a tcpdump (remembering a large enough value to '-s') should suffice.

For the beez-knees of LI that maintains separation from your regular
operations, optical splitters on your fibre uplinks are the way to go,
including a switch that can perform L3 filtering (eg C3750). It also
means that taps which have been placed are only visible to 'approved'
individuals instead of your whole engineering group.

Where I am, we have a (legally required) system built around PKI for 
authenticated taps to be placed by the LEA itself, and the raw data 
is delivered to them in real-time.

YMMVDOB (DOB = depending on budget)


More information about the AusNOG mailing list