Switched Routers with Wireshark

    • #3631
      Anonymous
      Participant

      I want to monitor my home network. I have cable internet and a Netgear router. I have AV, FW, and antispyware on all PCs, and there is one iTouch running on the network. My teen is computer savvy so I want to monitor traffic at the router.

      After some searching I found Wireshark, but during the test run I discovered I wouldn’t see traffic from other computers. I looked some more and it seems like my router is “switched”. I don’t have a port-mirroring option with this router.

      What is the easiest way to do this?

      Thanks

    • #23468
      elcapitan
      Participant

      You could do several different things to monitor, but you could set up a dual-homed (two network adapters) computer between the router and the WAN. All traffic would have to cross through this node.

    • #23469
      Ketchup
      Participant

      Well, there are a few ways you can monitor all traffic on your network. 

      1.  You could purchase a small inexpensive hub (not a switch) and plug your computer and your teen’s computer into it.  You would connect the router to the hub.  Hubs pass all traffic around and Wireshark will catch it.  I am not sure how easy it would be for you to decipher the traffic in Wireshark, especially if you are not used to it.  There are other software packages that make this type of analysis easier, such as NetWitness. 

      If you are using wireless, then your network is already capable of being monitored.  You simply need a wireless card that is capable of monitor mode.  This is much easier done in Linux.

      2.  You could look into a newer router or at least newer firmware.  I believe both Netgear and Linksys have parental controls modules. 

      http://blogs.pcmag.com/atwork/2009/02/sneak_peek_at_netgears_nextgen_1.php

      You may even be able to upgrade the existing firmware on your router to support parental controls. 

      There are other ways but they are a bit more technical.  For example, I use a Linux firewall at home.  It is capable of filtering URLs, logging all Internet traffic, and it makes toast.  Well, I wish it did the last part.  You can also try arp spoofing if you are feeling adventurous. 

      I think that the best solution would be router-based parental control software or similar software installed directly on your teen’s PC. 

    • #23470
      Don Donzal
      Keymaster

      Or if you really want port mirroring, this switch is under $100 and has it:

      http://www.newegg.com/Product/Product.aspx?Item=N82E16833316090

      Place it between your router and the rest of your network, and you’re good to go.

      Don

    • #23471
      Clay Briggs
      Participant

      You could sniff the traffic one of these ways with wireshark, but you are going to have to learn to use the filters effectively to read the info… and are going to find the file grows rather large as it collects.  If you haven’t used wireshark before, it might be easier trying another program.  Also, there are quite a few keystroker/site capture programs that are stealthy as all get out.  I was hired to install some of these by parents on their computers to monitor where their young ladies were going and with whom they were talking.  Most are free, and can give you a good idea not only of where your kid is going, but what they are ‘saying’ while they are there.  Most are hidden from Anti-virus (if they’re well made) and don’t show up in add/remove programs.  If you want some examples I can toss you some. 

    • #23472
      hayabusa
      Participant

      Another option, depending on your level of tech savvy, is Ettercap.  As network techs, we often use it to sniff on switched networks, and it’s cheaper than adding more hardware.

      A brief paper on it can be found at:

      http://www.leetupload.com/database/Misc/Papers/Asta%20la%20Vista/18.Ettercap_Spoof.pdf

    • #23473
      timmedin
      Participant

      @Ketchup wrote:

      1.  You could purchase a small inexpensive hub (not a switch) and plug your computer and your teen’s computer into it.  You would connect the router to the hub.  Hubs pass all traffic around and Wireshark will catch it.

      You have to be careful with the word hub on equipment and might want to double check online that it actually works like a hub. Some marketing genius has put the word hub on some switches.

      I actually got messed up by this last week. I have a hub in name on my desk that is actually a switch. meh

    • #23474
      Don Donzal
      Keymaster

      This is very true. Many manufacturers find it less expensive to make 2 different products, so one often finds a switch in a hub box. It is often marked and labeled as a hub, as timmedin states. This can be very frustrating.

      Goes along the rant of “Say what you mean and mean what you say.” If I purchase a hub, it’s for a reason. I don’t want someone else making that decision for me, even if normal consumers don’t know the difference and a switch makes their little home network more secure and efficient.

      I could go on but why?  :-X

      Don

    • #23475

      Rewind a couple comments. Ettercap can sniff switched networks? How and why? If I plugged in my Gentoo box at any level of my network (including associating wirelessly), how would I need to configure it to hop switches? Could I see lower level traffic from a wireless attack?

      I have been wondering this, as my home network has a modem–>switch–>and wireless router in the main house; my office is netted into the switch which runs out to another router. I can plug into the switch that sits on top of the modem, but not into the modem itself.

      I’ve been using Wireshark and Kismet for a while; have used Ettercap for its passwords for a class assignment.  But until now, never heard it could monitor over switches.

    • #23476
      Ketchup
      Participant

      In a nutshell, Ettercap uses ARP spoofing to sniff network traffic.  There are other ways, such as attacking a Cisco switch’s spanning protocols, but this is what Ettercap does.

      http://en.wikipedia.org/wiki/ARP_spoofing

    • #23477
      hayabusa
      Participant

      Yes.  As Ketchup noted, Ettercap (and other ARP spoofing tools) can be used for both legitimate and illegitimate reasons.  Ettercap is a very quick and easy tool to use, to show the security (or lack thereof) of web-based SSL solutions, such as some vendors’ SSLVPN’s, as well as other applications.  However, even as it was born as more of a pentest / hack tool, it also comes in very handy, for the same features, for sniffing switched network traffic and other data.  Laura Chappell talks about it a lot in her Network Analysis classes and presentations, if you follow her, at all.

      ArpON, one of the first tools noted in the Defenses section of the Wikipedia article Ketchup mentions, is a VERY handy tool for combating this type of attack, and is used in many of the SSLVPN-type scenarios I mentioned, above, to reduce the man-in-the-middle attacks against them.

      Definitely worth learning about the ARP capabilities of Ettercap, if you intend to pentest any sorts of secure web applications, to look for vulnerable apps and login methods.  In fact, I JUST tested a solution from an SSLVPN vendor for one of my clients, and demonstrated how easy it was to grab login credentials, which, in turn, would give the attacker credentials to login to the rest of the network / servers in the environment.  Was sad, as I grabbed the credentials of one of their admins, who decided to login from a hotspot at McDonald’s.  Made a strong case for my recommendation that they add dual-factor authentication, such as tokens (which randomize), to their logins, to prevent, at least, remote access.  While they didn’t totally do it right (they put BOTH password and token fields on the same page, so they’ll still disclose the network password) and have some tweaking to do, they quickly realized the danger in their original configuration, and added value to my services to them.

      So spend some time studying the use of ARP attacks, and how they can be used for both illegitimate, as well as analysis purposes.  You’ll find it useful.
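      The defensive side of the ARP discussion above (the kind of check ArpON performs) as an added example; this is not code from the thread, from Ettercap or from ArpON. It walks a stream of ARP replies, pins the router’s MAC the way a static ARP entry would, and flags any reply that changes an IP-to-MAC binding. The addresses and replies are constructed sample data.

```python
"""Flag ARP cache poisoning in a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address the reply says owns it


class ArpMonitor:
    """Tracks IP -> MAC bindings and reports when they change."""

    def __init__(self, pinned=None):
        # pinned: IP -> MAC that must never change (e.g. the home router),
        # equivalent to a static ARP entry on each host.
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.seen = defaultdict(set)  # IP -> every MAC observed for it

    def observe(self, reply):
        """Return a list of alert strings for one reply (empty if benign)."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.pinned and mac != self.pinned[ip]:
            alerts.append(f"pinned {ip} claimed by {mac}, expected {self.pinned[ip]}")
        if self.seen[ip] and mac not in self.seen[ip]:
            alerts.append(f"{ip} changed MAC: {sorted(self.seen[ip])} -> {mac}")
        self.seen[ip].add(mac)
        return alerts


def run_sample():
    """Constructed scenario: host .20 later claims the router's IP .1."""
    pinned = {"192.0.2.1": "00:11:22:33:44:55"}  # placeholder router MAC
    replies = [
        ArpReply("192.0.2.1", "00:11:22:33:44:55"),   # legitimate router reply
        ArpReply("192.0.2.20", "aa:bb:cc:dd:ee:01"),  # legitimate host reply
        ArpReply("192.0.2.1", "aa:bb:cc:dd:ee:01"),   # host .20 poisons the router entry
        ArpReply("192.0.2.20", "aa:bb:cc:dd:ee:01"),  # unchanged, no alert
    ]
    mon = ArpMonitor(pinned)
    return [alert for reply in replies for alert in mon.observe(reply)]


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

In practice the replies would come from a capture exported from Wireshark or from a live ARP sniff on the hub or mirror port discussed earlier in the thread.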
