
Sniffing outgoing IP

I'd like to learn how to sniff outgoing IP from a NetLinx master, which is impossible in NS2 for some reason.

"Ethereal" they say - and that is now called Wireshark - I have a NetGear wireless router, and no amount of googling will tell me how to use that tool with that box to tell me what was IPed to what.

Can anyone advise please?

Comments

  • Hedberg Posts: 671
    OK, I assume that your configuration is that your master is connected to one of the LAN ports on your wireless router and the wireless router is connected to the internet via the WAN port on the wireless router. I am also assuming that what you want to do is connect a PC to one of the LAN ports on the router and have that PC "sniff" the IP traffic to and from your NetLinx master so that you can see exactly what traffic is being sent to exactly what IP addresses. This is probably not possible with the Linksys wireless router because the switch part of the router probably does not transmit all data packets to all LAN ports. That's (I believe) the difference between a switch and a hub. A hub transmits all data to all ports while a switch only transmits data to ports the data is aimed at. See:

    http://www.wireshark.org/faq.html#sec7

    There is information there about hubs and switches etc. What is suggested in the Wireshark FAQ is to put a non-switching hub on the WAN side of your router and plug the machine you wish to monitor with into that hub. The hub will replicate all packets to all ports. It also seems to me that you could plug your master and the PC into a hub and connect the hub to a LAN port on the router and then all the packets between the master and the router should appear on the PC port. I'm guessing that you would need a crossover cable between the hub and the router in either case, but I'm not sure about that. Maybe the router would auto-detect that.

    In the Wireshark FAQ note the discussion of "promiscuous" mode.

    Another solution is to use either "bridging" or "connection sharing" on your PC to route all the IP traffic through your PC. You can probably do that without adding any hardware to what you already have if your PC has both a wireless card and a wired ethernet port. Basically what you are doing is using the PC as a NAT router. I know this can be made to work because I'm using a similar setup right now. I have a PC with a couple wireless USB devices bridged with a couple ethernet cards and all traffic to the internet has to go through that PC and it can be seen with ethereal/Wireshark.

    Something else along similar lines (though probably not applicable to your situation). There is a free utility for Linux called Kismet. It can be used like Network Stumbler to figure out what wireless devices are in the area. But, unlike Network Stumbler, Kismet can be used to sniff packets. From what I can gather, the output of Kismet can be used as an input to the Linux version of Wireshark for your viewing pleasure. My use of Kismet has been very limited and I've never tried to "sniff" packets from a wireless connection, so I don't know how well this would work. My guess is that even WEP encryption would defeat a simple effort to use Kismet/Wireshark in this manner.

    If you are not a Linux person and you just want to mess around with this sort of thing, there is a Linux installation on a CD available for download at www.remote-exploit.org called BackTrack. You can download the iso image for a bootable cd which will run Linux on your PC without touching the hard drive. This particular Linux has Kismet and a bunch of other utilities already built and installed.
  • jweather Posts: 320
    Actually, Kismet can break WEP encryption very quickly... this is why you shouldn't use WEP for security. It probably supports WPA if you tell it the key.

    Modern routers and switches autodetect and use crossover mode as needed, so it's pretty rare to need a crossover cable unless it's between two devices.

    A cheap hub is the simplest solution in my opinion.
  • Hedberg Posts: 671
    jweather wrote:
    [...]

    A cheap hub is the simplest solution in my opinion.

    A hub should be pretty easy, but I think that if I needed to do this what I would do would be to bridge the WIFI and ethernet on my laptop, connect the master to the LT ethernet port (probably with a crossover cable) and use the WIFI to the Linksys wireless router to the internet. Using Wireshark on either the WIFI or ethernet adapter should reveal all.
  • Actually, you are looking for ARP spoofing:

    http://en.wikipedia.org/wiki/ARP_spoofing

    You basically pretend to be the equipment you are trying to intercept data from. The tool in Windows is (there are others, but this one is boss):

    http://www.oxid.it/cain.html

    Under Linux I would use ettercap, it does the same thing to great effect (not Kismet, that's a wireless tool). Be aware you may need to restart all equipment when you are done, including your switch. Basically, using this on a production network is a bad idea. It is however invaluable and I use it all the time for troubleshooting.

    Edit: you use this alongside Wireshark. You start intercepting data between hosts with Cain and Abel, then analyze it using Wireshark.
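
Once a capture has been taken from one of the vantage points discussed in the thread (a hub, or a PC bridging the traffic), the original question of what the master sent to which address can be answered by summarising the capture file. The following is an added example, not part of any forum post; it assumes the capture was saved in classic pcap format (not pcapng) with an Ethernet link type, and the function names, the `MASTER` address and the sample frames are constructed for illustration.

```python
import socket
import struct
from collections import Counter

PROTO = {6: "tcp", 17: "udp"}
MASTER = "192.168.1.50"  # constructed address standing in for the master

def outgoing_summary(pcap_bytes, master_ip):
    """Count (dst_ip, proto, dst_port) over IPv4 packets sent by master_ip."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    flows, pos = Counter(), 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4 (ARP, IPv6, VLAN-tagged)
        ip = frame[14:]
        if socket.inet_ntoa(ip[12:16]) != master_ip:
            continue  # keep only packets the master itself sent
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        port = None  # stays None for ICMP etc. and for non-first fragments
        if proto in PROTO and frag_offset == 0 and len(ip) >= ihl + 4:
            port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        flows[(socket.inet_ntoa(ip[16:20]), PROTO.get(proto, str(proto)), port)] += 1
    return flows

def _frame(src, dst, proto, dport):  # constructed frame, checksums left zero
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 12 + b"\x08\x00" + ip + l4

def sample_capture():  # constructed capture file, little-endian classic pcap
    sent = [("192.168.1.1", 17, 53), ("203.0.113.10", 6, 443), ("203.0.113.10", 6, 443)]
    frames = [_frame(MASTER, *s) for s in sent]
    frames.append(_frame("192.168.1.1", MASTER, 17, 40000))  # reply, not outgoing
    frames.append(b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28)  # ARP
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

for (dst, proto, port), n in outgoing_summary(sample_capture(), MASTER).most_common():
    print(f"{MASTER} -> {dst} {proto}/{port}: {n} packets")
```

To run it on a real capture, pass the bytes of the saved file and the master's address to `outgoing_summary` in place of the constructed sample.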