ethernet card in promiscuous mode with aDSL routers

Discussion in 'Linux Networking' started by someone92, Dec 13, 2005.

  1. someone92

    someone92 Guest

    Hi,
    I'm trying to use one of my linux computer to sniff the traffic (for
    security reasons) on my LAN using tcpdump and setting my NIC in
    promiscuous mode. But I don't see anything from the other computers on
    my LAN. I tried it with a linksys BEFSR41 and a speedstream 6520
    aDSL/modem wireless router (I'm not using the wireless option). Are
    networks build using these router swiched networks? Is this the reason
    why I can't see anything from other NICs? The strange thing is that I
    was very sure it was working with the 6520 last weak, unless I was
    completly lost, I saw some connections from another computer to the
    internet (HTTP). But now I don't see anything and I don't think I
    change any configurations.

    There's no way I could configure the routers to act like hubs? I
    would really like to monitor my network from only on computer. I'm I
    loosing my time trying to figure out how to do this with these 2
    routers?

    Thanks
     
    someone92, Dec 13, 2005
    #1
    1. Advertisements

  2. Try using something like "dsniff", "ethercap", or some such instead.
    Probably. I have a SpeedStream 5861 that is a Hub, but it's old 10Mbit.
    My newer ((pl)euro 25ish) Sweex LB000021 is a 100Mbit switch however.
    I'd think so: yes.
    During that time the switch was probaly in learning mode (right after a
    power recycle - maybe.)
    Flood a port with spoofed MAC enties? (But it'd be a temporary and
    needless exercise anyways.)
    If eithers firmware supports a port in "management mode" you're home-free.

    However if they don't: the Linksys might be flashable with OpenWRT Linux
    or similar, and you should be able to use the "brctl" command and set the
    ports any which way you like then.
     
    Menno Duursma, Dec 13, 2005
    #2
    1. Advertisements

  3. I tried it with a linksys BEFSR41
    I don't know about the Speedstream, but I used to have a BEFSR41 and I'm
    pretty sure it functions as a switch. I doubt there is any way to make
    it function otherwise.
     
    Allen McIntosh, Dec 14, 2005
    #3
  4. Hmn, i'm pretty sure those run Linux ... And as such can be made to
    operate at half-duplex only and _not_ autonegotiate via mii-tool and/or
    ethtool (or an SNMP agent). Further more "brctl" allows for setting
    switches to broadcast. Those two options togather would effectively be
    able to turm a router/switch into a hub, should one ever so disire ...

    You'll need (to flash/load) firmware that supports this stuff though,
    probably voiding waranty in so doing.

    HTH.
     
    Menno Duursma, Dec 14, 2005
    #4
  5. someone92

    someone92 Guest

    No the BEFSR41 does not run Linux, And I didn't find any informations
    about the speedstream because it's only sold to ISPs and only their
    clients have access to (custom made) new firmwares. Anyway the
    speedstream is rented so I don't want to mess with it.

    Thanks to all for the replies.
     
    someone92, Dec 15, 2005
    #5
  6. It doesn't? Thanks for the info! I'll try and keep clean of 'em then.
    Sure thing. And IIRC http://packetstormsecurity.org/ has a bunch of
    (other) tools for sniffing switched networks...

    A thing i want to rectify though. Atleast for my Sweex 21 router, it's a
    switch setup VLAN0 => WAN , VLAN1 => 4port switch. To make it into a 5port
    Hub one would have to ``vconfig'' them into a singe VLAN first ofcource.
     
    Menno Duursma, Dec 15, 2005
    #6
  7. someone92

    R Guest

    It is possible to make your own ethernet taps and place it inline. If
    you've got some spare parts somewhere and do a google search on the
    pinning. I make one about 6 months ago. Most of the tools for sniffing
    switched networks are based on arp poisoning/spoofing.
     
    R, Dec 16, 2005
    #7
  8. someone92

    someone92 Guest

    I tried to use dsniff's tools to try MAC flooding & spoofing my routers
    to see if I could sniff network traffics on it. MAC spoofing works
    great on the linksys BEFSR41, but the speedstream 6520 seems to be
    immunized to both spoofing & flooding. I didn't try to flood the
    linksys since spoofing works great. The best tools I found is the
    KNOPPIX STD security live CD, I used macof and arpspoof. Anyone has
    other suggestions I could try on the speedstream? Ethernet tabs is not
    a good solution since more than one computer pass in the router, so I
    would have to build a tab for each computer.

    Thanks
     
    someone92, Dec 24, 2005
    #8
  9. Configure your (Knoppix?) PC to be a source NATing router/gateway. Like
    spoof the IP adress to be that of the /actual/ gateway for the
    network, forwarding packets to that. Then update the ARP caches of nodes
    you want to monitor the traffic of to mapping thier gateway/destination IP
    to your MAC adress (maybe using an "arping" in a cron job or something.)
    And/or try Google for like MITM attack or smartspoof ...

    HTH
     
    Menno Duursma, Dec 26, 2005
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.