"Bugging" a LAN/Internet gateway
I'm not asking about this for any particular purpose, I'm just sorta curious about this sort of thing.
Let's take the example of the network in my house - we have 9 personal computers, and 1 additional Linux PC acting as a router (also providing various other services such as DHCP, but I don't think that should interfere).
The router has 2 NICs, which we'll use security terminology for and call Red and Green. Red is connected to the cable line. Green is connected to a switch, which in turn is connected to a second switch on another floor. Both switches also have PCs connected to them (obviously).
Say I wanted to scan all packets coming and going from the internet only, using another linux machine. Packet sniffing software obviously isn't a problem, no shortage of that about. However, we're using switches not hubs so I couldn't just plug it in anywhere and scan - the "bug" machine has to sit between the switch and the Green NIC on the router without interfering with the traffic in any way. I've thought of 2 ways round it, I just don't know if they would work.
1) Buy a cheap hub. It doesn't matter that the bandwidth on it would suck, because the only traffic going to and from the router is internet traffic (i.e. 1Mbps max). Disconnect the cable from the Green NIC of the router and connect it to the hub. Run another cable from the hub to the router, and a third cable from the hub to the "bug". Since hubs broadcast (unlike switches), I think this should mean both machines receive copies of packets destined for the internet, and ONLY packets destined for the internet, because the switch should only send packets for the router's IP (or the bug's IP, but no-one would know it) to the hub, right? The bug should then happily be able to sniff everything coming through, passively, without altering the traffic at all.
2) Set up the bug with two NICs, and place it directly inline between the Green NIC of the router and the switch. The catch here is, the NICs cannot have IP addresses or that would interfere with traffic since packets would have to be readdressed. I *think* I remember reading somewhere that it is possible to run a NIC without an IP (non-promiscuous mode or something?), but is it then possible to copy everything it receives to the other NIC and retransmit it down the line? If so, is it possible to do any processing on packets (such as packet sniffing) while doing this? If I'm not talking crap and this is possible, it'd clearly be better since it requires less hardware and the bug itself is not visible to the other machines on the network as it has no IP; it just sits there more or less as part of the wire and processes things.
The only proviso would be making sure it had the resources to do the job, as this is active scanning not passive - so if it locked up, the link from the switch to the router would be lost.
Hmmmmmm.
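Option 2 above, done with a Linux bridge: two IP-less NICs joined into one bridge device that forwards frames like a piece of wire, with tcpdump listening on the bridge. This is an added example, not part of the original post; the interface names eth1/eth2, the bridge name br0 and the pcap path are assumptions.

```shell
#!/bin/sh
# Inline transparent tap: two NICs with no IP addresses, joined by a Linux
# bridge, sniffed from the bridge device. Constructed example; eth1/eth2 and
# br0 are assumed names. Needs root, iproute2 and the bridge kernel module.
set -eu

# Run a command, or only print it when DRY_RUN is set, so the exact commands
# can be reviewed before the switch-to-router link is touched.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Join $1 and $2 into bridge $3 (default br0) with no IP anywhere, so the
# box never answers ARP and is invisible to the other machines.
build_tap() {
    a="$1"; b="$2"; br="${3:-br0}"
    run ip link add name "$br" type bridge stp_state 0   # no STP BPDUs sent
    run ip link set dev "$a" master "$br"
    run ip link set dev "$b" master "$br"
    run ip addr flush dev "$a"                           # ports carry no IP
    run ip addr flush dev "$b"
    # Keep the kernel quiet: no IPv6 link-local/ND chatter from the bridge
    # itself, and no iptables processing of bridged frames (-e: skip if the
    # br_netfilter key is absent).
    run sysctl -q -e -w "net.ipv6.conf.$br.disable_ipv6=1"
    run sysctl -q -e -w net.bridge.bridge-nf-call-iptables=0
    run ip link set dev "$a" up
    run ip link set dev "$b" up
    run ip link set dev "$br" up
}

# Passive capture of everything crossing the bridge, written to a pcap.
# Bridge ports are already promiscuous; -nn avoids DNS lookups, which would
# themselves be traffic leaving the tap.
capture() {
    br="${1:-br0}"; out="${2:-tap.pcap}"
    run tcpdump -i "$br" -nn -w "$out"
}

# Sanity check: succeeds only if neither port has an IPv4 or IPv6 address.
check_no_ip() {
    [ -z "$(ip -o addr show dev "$1" 2>/dev/null)" ] &&
    [ -z "$(ip -o addr show dev "$2" 2>/dev/null)" ]
}
```

Run `DRY_RUN=1 sh tap.sh` style invocations of `build_tap eth1 eth2` first to see the commands; if the tap box hangs, the bridge stops forwarding and the link is down, which is exactly the resource caveat raised above.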