Gentoo Forums
Sniffing router traffic
Gentoo Forums Forum Index -> Networking & Security
simulacrum
Tux's lil' helper

Joined: 30 Nov 2002
Posts: 128
Location: St Paul, MN

PostPosted: Thu Aug 04, 2005 3:12 am    Post subject: Sniffing router traffic

I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines.

I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it. Is there a way to change the routing so that only my machine can see all the traffic on the router? The sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Thu Aug 04, 2005 11:38 am    Post subject: Re: Sniffing router traffic

simulacrum wrote:
I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines.

I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it.

That is pretty much a universal effect of using a router, yes.

simulacrum wrote:
Is there a way to change the routing so that only my machine can see all the traffic on the router?

Not really, no - the whole point of a router is to divide traffic between separate ports.

simulacrum wrote:
The sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.

If you are talking about true Linux iptables here then you can probably do some nasty tricks with the mangle table, but if you have an old Pentium lying around it would be far easier to insert it between the router and the modem and bridge the interfaces together. Run a packet sniffer / logger on it and connect a third interface back to your LAN.
The processing and storage can happen anywhere, so the intercepting box need not be all that fast.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
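The transparent bridge adaptr describes, written out as an added example (these are not adaptr's commands and not part of the thread). Two NICs, one facing the router and one facing the modem, are enslaved to a Linux bridge that carries no IP address, so every frame between router and modem crosses the bridge and tcpdump on it sees all of them; a third NIC keeps the box reachable from the LAN. The interface names eth0/eth1/eth2, the management address 192.168.1.10/24 and the capture directory are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): a passive Linux bridge tap.
# Interface names, the management address and the capture path are
# assumptions; run as root on the machine inserted between router and modem.

BR="${BR:-br0}"
CAP_DIR="${CAP_DIR:-/var/log/captures}"

# Execute a command, or just echo it when DRY_RUN=1 so the whole sequence
# can be reviewed before it touches any interface.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_up <router-side NIC> <modem-side NIC>
# Neither the bridge nor its member ports get an IP address, so the tap is
# invisible at layer 3 on the path it sits in.
bridge_up() {
    run ip link add name "$BR" type bridge
    run ip link set dev "$1" master "$BR"
    run ip link set dev "$2" master "$BR"
    run ip link set dev "$1" up
    run ip link set dev "$2" up
    run ip link set dev "$BR" up
    # Without this the kernel gives the bridge a link-local IPv6 address
    # and the tap stops being silent on the wire.
    run sysctl -q -w "net.ipv6.conf.$BR.disable_ipv6=1"
}

# bridge_down <router-side NIC> <modem-side NIC>: undo bridge_up.
bridge_down() {
    run ip link set dev "$BR" down
    run ip link set dev "$1" nomaster
    run ip link set dev "$2" nomaster
    run ip link del dev "$BR"
}

# mgmt_up <NIC> <address/prefix>: the only interface that gets an address,
# used to fetch the captures from the LAN side.
mgmt_up() {
    run ip addr add "$2" dev "$1"
    run ip link set dev "$1" up
}

# Capture full frames (-s 0) from the bridge into files rotated at 100 MB
# (-C 100), keeping the last 20 (-W 20), so an unattended tap cannot fill
# the disk. -n avoids DNS lookups, which would themselves be traffic.
capture() {
    run mkdir -p "$CAP_DIR"
    run tcpdump -i "$BR" -n -s 0 -C 100 -W 20 -w "$CAP_DIR/bridge.pcap"
}

# Usage:         ./bridge-tap.sh eth0 eth1 eth2 192.168.1.10/24
# Review first:  DRY_RUN=1 ./bridge-tap.sh eth0 eth1 eth2 192.168.1.10/24
if [ "$#" -eq 4 ]; then
    bridge_up "$1" "$2"
    mgmt_up "$3" "$4"
    capture
fi
```

Because the tap sits between router and modem, it records everything going to and from the Internet but nothing that stays inside the LAN; the processing of the pcaps can happen on any other machine, as adaptr notes, so the box itself only needs to keep up with the link speed.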
ter_roshak
Apprentice

Joined: 31 Jan 2004
Posts: 171
Location: Everett, WA

PostPosted: Thu Aug 04, 2005 12:24 pm    Post subject: Re: Sniffing router traffic

simulacrum wrote:
I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines.

I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it. Is there a way to change the routing so that only my machine can see all the traffic on the router? The sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.


Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.
_________________
Josh Miller -- RHCE, VCP
Ditree Consulting
http://ditree.com/
Registered Linux User #318200
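The ettercap/dsniff approach relies on ARP cache poisoning (the thread names it as such later), and the same mechanism is what a defender wants to be able to spot on their own LAN. The following is an added example, not code from this post or from those tools: it reads plain `tcpdump -n arp` output and reports the two symptoms of poisoning, an IP address that is suddenly claimed by a different MAC, and ARP replies that nobody asked for. The sample lines, the MAC addresses and the threshold of three unsolicited replies are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): detecting ARP cache poisoning
# from tcpdump output. Sample lines and addresses below are constructed.

# arp_conflicts [threshold]: reads "tcpdump -n arp" lines on stdin.
# threshold = unsolicited replies per IP before a report (default 3).
arp_conflicts() {
    awk -v thresh="${1:-3}" '
    {
        for (i = 1; i <= NF; i++) {
            # "Request who-has <ip> tell <ip>": remember that someone asked
            if ($i == "who-has") asked[$(i + 1)]++
            if ($i == "is-at") {
                ip = $(i - 1); mac = $(i + 1); sub(/,$/, "", mac)
                # the first binding seen wins; a later, different MAC is a conflict
                if (!(ip in first)) first[ip] = mac
                else if (first[ip] != mac && !((ip, mac) in flagged)) {
                    flagged[ip, mac] = 1
                    printf "CONFLICT %s was %s now %s\n", ip, first[ip], mac
                }
                # a reply consumes one pending request; none pending = unsolicited
                if (asked[ip] > 0) asked[ip]--
                else if (++unsol[ip] == thresh)
                    printf "UNSOLICITED %s %d replies without a request\n", ip, unsol[ip]
            }
        }
    }'
}

# Live use on the interface you capture from (-l keeps tcpdump
# line-buffered so reports appear immediately).
arp_watch() {
    tcpdump -i "$1" -n -l arp 2>/dev/null | arp_conflicts "${2:-3}"
}

# Constructed sample: the gateway 192.168.1.1 answers one real request, then
# a second host repeatedly claims the gateway's address without being asked.
SAMPLE_ARP='12:00:00.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:00.000200 ARP, Reply 192.168.1.1 is-at 00:14:bf:11:22:33, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 28
12:00:06.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 28
12:00:07.000000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 28
12:00:08.000000 ARP, Request who-has 192.168.1.30 tell 192.168.1.1, length 28
12:00:08.000300 ARP, Reply 192.168.1.30 is-at 00:16:cb:44:55:66, length 28'

# Run the detector over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_ARP" | arp_conflicts 3
}
```

On the sample, `demo` reports one CONFLICT line for 192.168.1.1 and one UNSOLICITED line after the third unrequested reply; 192.168.1.30 is quiet because its single reply matched a request. A real LAN does produce a few unsolicited replies (DHCP clients announce themselves with gratuitous ARP), which is why the check counts them against a threshold instead of reporting the first one.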
simulacrum
Tux's lil' helper

Joined: 30 Nov 2002
Posts: 128
Location: St Paul, MN

PostPosted: Thu Aug 04, 2005 8:07 pm

Quote:
Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.


Hey, that's something I hadn't considered. I'll give that a try tonight. Thanks!
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Thu Aug 04, 2005 8:26 pm    Post subject: Re: Sniffing router traffic

ter_roshak wrote:
Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.

How is this a different option from the transparent bridge I described?

Calling it a man-in-the-middle attack is not really descriptive - it's not an attack.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
ter_roshak
Apprentice

Joined: 31 Jan 2004
Posts: 171
Location: Everett, WA

PostPosted: Thu Aug 04, 2005 9:40 pm    Post subject: Re: Sniffing router traffic

adaptr wrote:
ter_roshak wrote:
Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.

How is this a different option from the transparent bridge I described?

Calling it a man-in-the-middle attack is not really descriptive - it's not an attack.


This method of data interception is an attack, whether you attack your own network or not. This is an industry term.

Out of curiosity, what would you call it instead?
_________________
Josh Miller -- RHCE, VCP
Ditree Consulting
http://ditree.com/
Registered Linux User #318200
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Fri Aug 05, 2005 9:18 am

Since the OP clearly describes being connected to a switch/router, the only way to sniff all traffic is to insert a transparent bridge between the router and the network.
There is no other way to capture all data.
It's called "sniffing".
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
ter_roshak
Apprentice

Joined: 31 Jan 2004
Posts: 171
Location: Everett, WA

PostPosted: Fri Aug 05, 2005 12:20 pm

adaptr wrote:
Since the OP clearly describes being connected to a switch/router, the only way to sniff all traffic is to insert a transparent bridge between the router and the network.
There is no other way to capture all data.
It's called "sniffing".


We have a difference of opinion that cannot be resolved through this forum.
_________________
Josh Miller -- RHCE, VCP
Ditree Consulting
http://ditree.com/
Registered Linux User #318200
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Fri Aug 05, 2005 12:40 pm

Agreed.

If there are no wired nodes on the LAN, reading through the various pieces of wardriving documentation could probably help the OP out.
(Wardriving = wireless AP sniffing)
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
bluedevils
Apprentice

Joined: 21 Jul 2004
Posts: 252
Location: Vancouver BC -> NYC, NY

PostPosted: Fri Aug 05, 2005 5:48 pm

If the router has iptables, then it should be able to do logging. Most consumer routers I have seen will let you log to another machine (your Gentoo box maybe?). Does your router have options to do that?

BTW I also think I saw (didn't click on it) a Google search mentioning Linux on the WRT54G. That might be an interesting subject to look up.
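What iptables logging on the router actually buys you, as an added example that is not bluedevils' code or anything from the Sveasoft firmware: the LOG target records IP/TCP/UDP headers of every packet the router forwards (never payload, so it is an audit trail rather than a packet capture), and the lines end up in the kernel log, which the router's syslogd can ship to another host. The chain name TRAFFICLOG, the rate limit, the interface names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): header-level logging of routed
# traffic with the iptables LOG target, plus a parser that turns the kernel
# log lines back into a 5-tuple. Chain name, rate limit, interface names
# and the sample lines are constructed.

IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without applying them
CHAIN="TRAFFICLOG"

# A dedicated chain hooked in front of FORWARD. The limit match stops a busy
# LAN from drowning the router's CPU and syslog; RETURN makes the chain
# purely observational, nothing is dropped.
log_forwarded() {
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # already exists on a re-run
    "$IPT" -F "$CHAIN"
    "$IPT" -A "$CHAIN" -m limit --limit 50/second --limit-burst 200 \
        -j LOG --log-prefix "FWD: " --log-level info
    "$IPT" -A "$CHAIN" -j RETURN
    "$IPT" -I FORWARD 1 -j "$CHAIN"
}

# Remove the hook and the chain again.
unlog_forwarded() {
    "$IPT" -D FORWARD -j "$CHAIN"
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

# Reduce kernel LOG lines on stdin to tab-separated "src dst proto sport dport".
# ICMP carries no ports, so those two fields come out as "-".
parse_log() {
    awk '
    /FWD: / {
        src = dst = proto = spt = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        printf "%s\t%s\t%s\t%s\t%s\n", src, dst, proto, spt, dpt
    }'
}

# Constructed sample of what the remote syslog receives: one TCP SYN to a web
# server, one ping, and an unrelated line that the parser must ignore.
SAMPLE_LOG='Aug  5 17:48:01 wrt kernel: FWD: IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=33412 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  5 17:48:02 wrt kernel: FWD: IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Aug  5 17:48:03 wrt syslogd: unrelated line'

# Parse the constructed sample.
demo_parse() {
    printf '%s\n' "$SAMPLE_LOG" | parse_log
}

# Usage on the router: ./fwdlog.sh on | off
case "${1:-}" in
    on)  log_forwarded ;;
    off) unlog_forwarded ;;
esac
```

Shipping the lines off the router is a syslogd setting rather than an iptables one: busybox's syslogd takes `-R <host>`, and a full sysklogd uses a `*.* @<host>` line in syslog.conf (which of the two the Sveasoft build carries is not stated in the thread). Piping `parse_log` output through `cut -f2,5 | sort | uniq -c | sort -rn` on the collecting box gives a quick list of the most contacted destination/port pairs.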
darkphader
Veteran

Joined: 09 May 2002
Posts: 1225
Location: Motown

PostPosted: Fri Aug 05, 2005 6:23 pm

The problem is inherent to the nature of a switch. Traffic isn't broadcast to all of the ports, only to the port leading to the destination. With a high-end managed switch one can usually make it act more like a hub in order to sniff packets of the other ports. In this case the easiest, cheapest workaround would be to go buy a cheap little hub (not a switch), which used to be common when switches were expensive but are a bit hard to find these days, and plug all of the devices into it.
_________________
WYSIWYG - What You See Is What You Grep
bluedevils
Apprentice

Joined: 21 Jul 2004
Posts: 252
Location: Vancouver BC -> NYC, NY

PostPosted: Sat Aug 06, 2005 11:24 pm

But wouldn't the caveat be that

a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and

b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?
ter_roshak
Apprentice

Joined: 31 Jan 2004
Posts: 171
Location: Everett, WA

PostPosted: Sun Aug 07, 2005 12:07 am

bluedevils wrote:
But wouldn't the caveat be that

a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and

b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?


That sounds right. Is the traffic wireless or a mixture or just wired?
_________________
Josh Miller -- RHCE, VCP
Ditree Consulting
http://ditree.com/
Registered Linux User #318200
darkphader
Veteran

Joined: 09 May 2002
Posts: 1225
Location: Motown

PostPosted: Sun Aug 07, 2005 1:10 am

bluedevils wrote:
But wouldn't the caveat be that

a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and

b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?


Mostly correct. But concerning part (b) it's not just that the connection is half-duplex but that you will encounter collisions if the systems are rather busy. But on a practical scale, unless you have a lot of traffic (not really that typical in a home LAN) there will be no noticeable impact. And it will allow you to sniff all of the LAN traffic (even that to/from the wireless devices); the only traffic not sniffed would be wireless-wireless and wireless-gateway traffic.
_________________
WYSIWYG - What You See Is What You Grep
simulacrum
Tux's lil' helper

Joined: 30 Nov 2002
Posts: 128
Location: St Paul, MN

PostPosted: Tue Aug 09, 2005 5:05 pm

Well, I did take a stab at the man-in-the-middle attack, so far without success, but I haven't tried terribly hard (been busy lately). My desktop has a wired connection to the router. I want to sniff the wireless traffic on the same router. I can't seem to poison the ARP cache of my victim, which thus far has been my laptop running Win2k. I need to get a tcpdump-like utility on my laptop, but I think that my wired ports and wireless are two different LANs that are bridged, and that may have something to do with my problems.

To clarify my situation, I have a Linksys WRT54G wireless router. The router does run Linux, and I have a custom firmware to get access to a shell on it. I have limited command functionality, but one thing I do have access to is iptables. Thanks for the suggestions guys.
ter_roshak
Apprentice

Joined: 31 Jan 2004
Posts: 171
Location: Everett, WA

PostPosted: Tue Aug 09, 2005 9:01 pm

simulacrum wrote:
Well, I did take a stab at the man-in-the-middle attack, so far without success, but I haven't tried terribly hard (been busy lately). My desktop has a wired connection to the router. I want to sniff the wireless traffic on the same router. I can't seem to poison the ARP cache of my victim, which thus far has been my laptop running Win2k. I need to get a tcpdump-like utility on my laptop, but I think that my wired ports and wireless are two different LANs that are bridged, and that may have something to do with my problems.

To clarify my situation, I have a Linksys WRT54G wireless router. The router does run Linux, and I have a custom firmware to get access to a shell on it. I have limited command functionality, but one thing I do have access to is iptables. Thanks for the suggestions guys.


Thanks for the update. Good luck on getting it to work.
_________________
Josh Miller -- RHCE, VCP
Ditree Consulting
http://ditree.com/
Registered Linux User #318200