ethernet card in promiscuous mode with aDSL routers

Hi,
I'm trying to use one of my linux computer to sniff the traffic (for
security reasons) on my LAN using tcpdump and setting my NIC in
promiscuous mode. But I don't see anything from the other computers on
my LAN. I tried it with a linksys BEFSR41 and a speedstream 6520
aDSL/modem wireless router (I'm not using the wireless option). Are
networks build using these router swiched networks? Is this the reason
why I can't see anything from other NICs? The strange thing is that I
was very sure it was working with the 6520 last weak, unless I was
completly lost, I saw some connections from another computer to the
internet (HTTP). But now I don't see anything and I don't think I
change any configurations.

There's no way I could configure the routers to act like hubs? I
would really like to monitor my network from only on computer. I'm I
loosing my time trying to figure out how to do this with these 2
routers?

Thanks

On Tue, 13 Dec 2005 00:23:33 -0800, someone92 wrote:

> I'm trying to use one of my linux computer to sniff the traffic (for
> security reasons) on my LAN using tcpdump and setting my NIC in
> promiscuous mode. But I don't see anything from the other computers on
> my LAN.

Try using something like "dsniff", "ethercap", or some such instead.

> I tried it with a linksys BEFSR41 and a speedstream 6520 aDSL/modem
> wireless router (I'm not using the wireless option). Are networks build
> using these router swiched networks?

Probably. I have a SpeedStream 5861 that is a Hub, but it's old 10Mbit.
My newer ((pl)euro 25ish) Sweex LB000021 is a 100Mbit switch however.

> Is this the reason why I can't see anything from other NICs?

I'd think so: yes.

> The strange thing is that I was very sure it was working with the 6520
> last weak, unless I was completly lost, I saw some connections from
> another computer to the internet (HTTP). But now I don't see anything
> and I don't think I change any configurations.

During that time the switch was probaly in learning mode (right after a
power recycle - maybe.)

> There's no way I could configure the routers to act like hubs?

Flood a port with spoofed MAC enties? (But it'd be a temporary and
needless exercise anyways.)

> I would really like to monitor my network from only on computer. I'm I
> loosing my time trying to figure out how to do this with these 2
> routers?

If eithers firmware supports a port in "management mode" you're home-free.

However if they don't: the Linksys might be flashable with OpenWRT Linux
or similar, and you should be able to use the "brctl" command and set the
ports any which way you like then.

--
-Menno.

> I tried it with a linksys BEFSR41
I don't know about the Speedstream, but I used to have a BEFSR41 and I'm
pretty sure it functions as a switch. I doubt there is any way to make
it function otherwise.

On Tue, 13 Dec 2005 22:51:35 -0500, Allen McIntosh wrote:

>> I tried it with a linksys BEFSR41
> I don't know about the Speedstream, but I used to have a BEFSR41 and I'm
> pretty sure it functions as a switch. I doubt there is any way to make
> it function otherwise.

Hmn, i'm pretty sure those run Linux ... And as such can be made to
operate at half-duplex only and _not_ autonegotiate via mii-tool and/or
ethtool (or an SNMP agent). Further more "brctl" allows for setting
switches to broadcast. Those two options togather would effectively be
able to turm a router/switch into a hub, should one ever so disire ...

You'll need (to flash/load) firmware that supports this stuff though,
probably voiding waranty in so doing.

HTH.

--
-Menno.

Menno Duursma wrote:
> Hmn, i'm pretty sure those run Linux ...

No the BEFSR41 does not run Linux, And I didn't find any informations
about the speedstream because it's only sold to ISPs and only their
clients have access to (custom made) new firmwares. Anyway the
speedstream is rented so I don't want to mess with it.

Thanks to all for the replies.

On Thu, 15 Dec 2005 04:21:40 -0800, someone92 wrote:
> Menno Duursma wrote:
>> Hmn, i'm pretty sure those run Linux ...
>
> No the BEFSR41 does not run Linux,

It doesn't? Thanks for the info! I'll try and keep clean of 'em then.

> And I didn't find any informations about the speedstream because it's
> only sold to ISPs and only their clients have access to (custom made)
> new firmwares. Anyway the speedstream is rented so I don't want to mess
> with it.
>
> Thanks to all for the replies.

Sure thing. And IIRC http://packetstormsecurity.org/ has a bunch of
(other) tools for sniffing switched networks...

A thing i want to rectify though. Atleast for my Sweex 21 router, it's a
switch setup VLAN0 => WAN , VLAN1 => 4port switch. To make it into a 5port
Hub one would have to ``vconfig'' them into a singe VLAN first ofcource.

--
-Menno.

It is possible to make your own ethernet taps and place it inline. If
you've got some spare parts somewhere and do a google search on the
pinning. I make one about 6 months ago. Most of the tools for sniffing
switched networks are based on arp poisoning/spoofing.

I tried to use dsniff's tools to try MAC flooding & spoofing my routers
to see if I could sniff network traffics on it. MAC spoofing works
great on the linksys BEFSR41, but the speedstream 6520 seems to be
immunized to both spoofing & flooding. I didn't try to flood the
linksys since spoofing works great. The best tools I found is the
KNOPPIX STD security live CD, I used macof and arpspoof. Anyone has
other suggestions I could try on the speedstream? Ethernet tabs is not
a good solution since more than one computer pass in the router, so I
would have to build a tab for each computer.

Thanks

On Sat, 24 Dec 2005 09:08:26 -0800, someone92 wrote:

> KNOPPIX STD security live CD, I used macof and arpspoof. Anyone has
> other suggestions I could try on the speedstream? [...]

Configure your (Knoppix?) PC to be a source NATing router/gateway. Like
spoof the IP adress to be that of the /actual/ gateway for the
network, forwarding packets to that. Then update the ARP caches of nodes
you want to monitor the traffic of to mapping thier gateway/destination IP
to your MAC adress (maybe using an "arping" in a cron job or something.)
And/or try Google for like MITM attack or smartspoof ...

HTH

--
-Menno.