20 Apr 2004, 00:13   #1
meglamaniac
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
"Bugging" a LAN/Internet gateway

I'm not asking about this for any particular purpose, I'm just sorta curious about this sort of thing.
Let's take the example of the network in my house - we have 9 personal computers, and 1 additional Linux PC acting as a router (also providing various other services such as DHCP, but I don't think that should interfere).
The router has 2 NICs, which we'll use security terminology for and call Red and Green. Red is connected to the cable line. Green is connected to a switch, which in turn is connected to a second switch on another floor. Both switches also have PCs connected to them (obviously).

Say I wanted to scan all packets coming and going from the internet only, using another Linux machine. Packet sniffing software obviously isn't a problem, no shortage of that about. However, we're using switches not hubs so I couldn't just plug it in anywhere and scan - the "bug" machine has to sit between the switch and the Green NIC on the router without interfering with the traffic in any way. I've thought of 2 ways round it, I just don't know if they would work.

1) Buy a cheap hub. It doesn't matter that the bandwidth on it would suck, because the only traffic going to and from the router is internet traffic (i.e. 1Mbps max). Disconnect the cable from the Green NIC of the router and connect it to the hub. Run another cable from the hub to the router, and a third cable from the hub to the "bug". Since hubs broadcast (unlike switches), I think this should mean both machines receive copies of packets destined for the internet, and ONLY packets destined for the internet, because the switch should only send packets for the router's IP (or the bug's IP, but no-one would know it) to the hub, right? The bug should then happily be able to sniff everything coming through, passively, without altering the traffic at all.

2) Set up the bug with two NICs, and place it directly inline between the Green NIC of the router and the switch. The catch here is, the NICs cannot have IP addresses or that would interfere with traffic since packets would have to be readdressed. I *think* I remember reading somewhere that it is possible to run a NIC without an IP (non-promiscuous mode or something?), but is it then possible to copy everything it receives to the other NIC and retransmit it down the line? If so, is it possible to do any processing on packets (such as packet sniffing) while doing this? If I'm not talking crap and this is possible, it'd clearly be better since it requires less hardware and the bug itself is not visible to the other machines on the network as it has no IP; it just sits there more or less as part of the wire and processes things.
The only proviso would be making sure it had the resources to do the job, as this is active scanning not passive - so if it locked up, the link from the switch to the router would be lost.

Hmmmmmm.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
20 Apr 2004, 00:54   #2
Pilatus
Registered User
Join Date: Apr 2002
Location: Norway
Posts: 295
Re: "Bugging" a LAN/Internet gateway

I think the second solution would be possible if you set up bridging between the 2 NICs on the PC between the router and the switch.
__________________
Except from being crazy, I'm a picture of good health.
20 Apr 2004, 01:00   #3
meglamaniac
Re: "Bugging" a LAN/Internet gateway

If you do that you lose information. A bridge connects two different subnets if I remember rightly, so again the packets would have to be readdressed as the NICs in the bug would require IP addresses. For example, a packet coming from the router to the bug would have its destination IP as the IP of the relevant NIC on the bug - you've lost the information about which PC on the LAN it was really destined for.
It might be possible to reconstruct the missing info by getting it out of the NAT routing table in the bug, but it'd be a hell of a complication (and not something that generally available packet sniffers could do).
20 Apr 2004, 08:31   #4
Pilatus
Re: "Bugging" a LAN/Internet gateway

I am referring to a Layer 2 bridge, and it's supposed to work the same way as a switch.
I'm pretty sure there should be an option for bridging in the Linux kernel.

You can set an IP address on some bridges/switches, but that's just to have connectivity to the bridge/switch and it shouldn't make the IP header change on bridged packets.
Last edited by Pilatus; 20 Apr 2004 at 08:43.
25 May 2004, 00:01   #5
Pilatus
Re: "Bugging" a LAN/Internet gateway

Looking at my reply, I think I could have been more specific. If you set up a PC to do bridging, it will act almost as a switch, and none of the packets destined for the routers will be changed. The only difference between a PC set up as a bridge and a switch is that the switch will do all its processing in hardware, and the PC will do it in software, but of course the PC would be able to easily sniff all the packets.

However, I think the best solution would be to use ettercap, unless you would like to buy some expensive switches that could do network monitoring.
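The layer-2 bridging described in posts #4 and #5, as an added illustration that is not part of any post in the thread: a two-port learning bridge modelled in Python that relays each Ethernet frame byte-for-byte and keeps a copy for inspection, so the IPv4 source and destination survive the hop unchanged. The MAC and IP values, the port names and all function and class names are constructed for this example.

```python
import socket
import struct

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed input: Ethernet II + bare IPv4 header (checksum left at 0)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def ip_endpoints(frame):
    """Return (src_ip, dst_ip) of an IPv4-in-Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

class TransparentBridge:
    """Two-port learning bridge; it has no IP address of its own."""
    PORTS = ("router_side", "switch_side")

    def __init__(self):
        self.mac_table = {}  # source MAC -> port it was last seen on
        self.captured = []   # copy of every frame seen, for the sniffer

    def receive(self, in_port, frame):
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[src] = in_port
        self.captured.append(frame)
        if self.mac_table.get(dst) == in_port:
            return None  # destination lives on the arrival side: do not relay
        out_port = next(p for p in self.PORTS if p != in_port)
        return out_port, frame  # identical bytes leave; no header is rewritten

def demo():
    """One outbound and one inbound frame through the bridge (sample values)."""
    pc, router = "02:00:00:00:00:09", "02:00:00:00:00:01"
    bridge = TransparentBridge()
    outbound = build_frame(router, pc, "192.168.0.9", "203.0.113.7")
    inbound = build_frame(pc, router, "203.0.113.7", "192.168.0.9")
    results = [bridge.receive("switch_side", outbound),
               bridge.receive("router_side", inbound)]
    return results, [ip_endpoints(f) for f in bridge.captured]

if __name__ == "__main__":
    print(demo())
```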
25 May 2004, 17:01   #6
Raging.Retard
Street Tramp
Join Date: Apr 2000
Location: Street Gutter
Posts: 341
Re: "Bugging" a LAN/Internet gateway

Why not just run the packet capture software on the gateway Linux machine in the 1st place? If this is routing traffic to all the other machines, it's the ideal machine to do it on.

If you can't do that, there are means of packet sniffing on a switched network anyway. E.g., poisoning the ARP table on your LAN, linking different MAC addresses to IP addresses (man-in-the-middle blah blah etc). Ettercap will do this nicely, but the traffic will have a slight performance hit when you use it.
__________________
Chimney Pots.
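Seen from the monitoring side, the ARP poisoning mentioned in post #6 shows up as an IP address suddenly being claimed by a different MAC. The following is an added detection example, not part of any post in the thread: it parses raw ARP frames and flags binding changes and sender/Ethernet-source mismatches. The frames, addresses and function names are constructed for this example.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample input: Ethernet II header + ARP reply (opcode 2)."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06" + arp

def parse_arp(frame):
    """Return (sender_ip, sender_mac, eth_src_mac), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return socket.inet_ntoa(spa), sha.hex(":"), frame[6:12].hex(":")

def detect_arp_anomalies(frames, pinned=None):
    """Alert when an IP is claimed by a MAC other than the first-seen or pinned one."""
    bindings = dict(pinned or {})
    alerts = []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        ip, sender_mac, eth_src = parsed
        if sender_mac != eth_src:
            alerts.append((index, "sender-mismatch", ip, sender_mac))
        known = bindings.setdefault(ip, sender_mac)
        if known != sender_mac:  # binding is kept, so repeated claims keep alerting
            alerts.append((index, "binding-changed", ip, sender_mac))
    return alerts

def sample_frames():
    """Constructed capture: two consistent replies, then a new MAC claiming .1."""
    gw, pc, other = "02:00:00:00:00:01", "02:00:00:00:00:09", "02:00:00:00:00:66"
    return [build_arp_reply(gw, "192.168.0.1", pc, "192.168.0.9"),
            build_arp_reply(pc, "192.168.0.9", gw, "192.168.0.1"),
            build_arp_reply(other, "192.168.0.1", pc, "192.168.0.9")]
```

A legitimate address change (a DHCP reassignment or a replaced NIC) raises the same alert, so passing the gateway's known binding in `pinned` and prioritising changes to it keeps the signal useful.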
All times are GMT +1.