
Switched Routers with Wireshark

<<

boohat74

Post Mon Mar 30, 2009 2:54 pm

Switched Routers with Wireshark

I want to monitor my home network. I have cable internet and a Netgear router. I have AV, FW, and antispyware on all PCs, and there is one Itouch running on the network. My teen is computer savvy so I want to monitor traffic at the router.

After some searching I found Wireshark, but during the test run I discovered I wouldn't see traffic from other computers. I looked some more and it seems like my router is "switched". I don't have a port-mirroring option with this router.

What is the easiest way to do this?

Thanks
<<

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Mon Mar 30, 2009 3:07 pm

Re: Switched Routers with Wireshark

You could do several different things to monitor, but you could set up a dual-homed (two network adapters) computer between the router and the WAN. All traffic would have to cross through this node.
CISSP, Security+, CEH, OPP, et alii
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 30, 2009 4:10 pm

Re: Switched Routers with Wireshark

Well, there are a few ways you can monitor all traffic on your network. 

1.  You could purchase a small inexpensive hub (not a switch) and plug your computer and your teen's computer into it.  You would connect the router to the hub.  Hubs pass all traffic around and Wireshark will catch it.  I am not sure how easy it would be for you to decipher the traffic in Wireshark, especially if you are not used to it.  There are other software packages that make this type of analysis easier, such as NetWitness. 

If you are using wireless, then your network is already capable of being monitored.  You simply need a wireless card that is capable of monitor mode.  This is much easier done in Linux.

2.  You could look into a newer router or at least newer firmware.  I believe both Netgear and Linksys have parental controls modules. 

http://blogs.pcmag.com/atwork/2009/02/s ... tgen_1.php

You may even be able to upgrade the existing firmware on your router to support parental controls. 

There are other ways but they are a bit more technical.  For example, I use a Linux firewall at home.  It is capable of filtering URLs, logging all Internet traffic, and it makes toast.  Well, I wish it did the last part.  You can also try arp spoofing if you are feeling adventurous. 

I think that the best solution would be router-based parental control software or similar software installed directly on your teen's PC. 
~~~~~~~~~~~~~~
Ketchup
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Mar 30, 2009 5:01 pm

Re: Switched Routers with Wireshark

Or if you really want port mirroring, this switch is under $100 and has it:

http://www.newegg.com/Product/Product.a ... 6833316090

Place it between your router and the rest of your network, and you're good to go.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Mon Mar 30, 2009 8:33 pm

Re: Switched Routers with Wireshark

You could sniff the traffic one of these ways with Wireshark, but you are going to have to learn to use the filters effectively to read the info... and are going to find the file grows rather large as it collects.  If you haven't used Wireshark before, it might be easier trying another program.  Also, there are quite a few keystroker/site capture programs that are stealthy as all get out.  I was hired to install some of these by parents on their computers to monitor where their young ladies were going and with whom they were talking.  Most are free, and can give you a good idea not only of where your kid is going, but what they are 'saying' while they are there.  Most are hidden from Anti-virus (if they're well made) and don't show up in add/remove programs.  If you want some examples I can toss you some. 
"Bad.. Good?  I'm the guy with the gun"
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Mar 31, 2009 7:23 am

Re: Switched Routers with Wireshark

Another option, depending on your level of tech savvy, is Ettercap.  As network techs, we often use it to sniff on switched networks, and it's cheaper than adding more hardware.

A brief paper on it can be found at:

http://www.leetupload.com/database/Misc ... _Spoof.pdf
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Mar 31, 2009 10:23 am

Re: Switched Routers with Wireshark

Ketchup wrote: 1.  You could purchase a small inexpensive hub (not a switch) and plug your computer and your teen's computer into it.   You would connect the router to the hub.   Hubs pass all traffic around and Wireshark will catch it.

You have to be careful with the word hub on equipment and might want to double check online that it actually works like a hub. Some marketing genius has put the word hub on some switches.

I actually got messed up by this last week. I have a hub in name on my desk that is actually a switch. meh
twitter.com/timmedin | http://blog.securitywhole.com
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Mar 31, 2009 10:41 am

Re: Switched Routers with Wireshark

This is very true. Many manufacturers find it less expensive to make 2 different products, so one often finds a switch in a hub box. It is often marked and labeled as a hub, as timmedin states. This can be very frustrating.

Goes along the rant of "Say what you mean and mean what you say." If I purchase a hub, it's for a reason. I don't want someone else making that decision for me, even if normal consumers don't know the difference and a switch makes their little home network more secure and efficient.

I could go on but why?  :-X

Don
CISSP, MCSE, CSTA, Security+ SME
<<

munkeyfreenix.batcat

Newbie

Posts: 11

Joined: Mon Mar 09, 2009 10:09 pm

Post Fri Apr 03, 2009 1:15 am

Re: Switched Routers with Wireshark

Rewind a couple comments. Ettercap can sniff switched networks? How and why? If I plugged in my Gentoo box at any level of my network (including associating wirelessly), how would I need to configure it to hop switches? Could I see lower level traffic from a wireless attack?

I have been wondering this, as my home network has a modem-->switch-->and wireless router in the main house; my office is netted into the switch which runs out to another router. I can plug into the switch that sits on top of the modem, but not into the modem itself.

I've been using Wireshark and Kismet for a while; have used Ettercap for its passwords for a class assignment.  But until now, never heard it could monitor over switches.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Apr 03, 2009 7:26 am

Re: Switched Routers with Wireshark

In a nutshell, Ettercap uses ARP spoofing to sniff network traffic.  There are other ways, such as attacking a Cisco switch spanning protocols, but this is what Ettercap does.

http://en.wikipedia.org/wiki/ARP_spoofing
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Apr 03, 2009 7:56 am

Re: Switched Routers with Wireshark

Yes.  As Ketchup noted, Ettercap (and other ARP spoofing tools) can be used for both legitimate and illegitimate reasons.  Ettercap is a very quick and easy tool to use, to show the security (or lack thereof) of web-based SSL solutions, such as some vendors' SSLVPN's, as well as other applications.  However, even as it was born as more of a pentest / hack tool, it also comes in very handy, for the same features, for sniffing switched network traffic and other data.  Laura Chappell talks about it a lot in her Network Analysis classes and presentations, if you follow her, at all.

ArpON, one of the first tools noted in the Defenses section of the Wikipedia article Ketchup mentions, is a VERY handy tool for combating this type of attack, and is used in many of the SSLVPN-type scenarios I mentioned, above, to reduce the man-in-the-middle attacks against them.

Definitely worth learning about the ARP capabilities of Ettercap, if you intend to pentest any sorts of secure web applications, to look for vulnerable apps and login methods.  In fact, I JUST tested a solution from an SSLVPN vendor for one of my clients, and demonstrated how easy it was to grab login credentials, which, in turn, would give the attacker credentials to log in to the rest of the network / servers in the environment.  Was sad, as I grabbed the credentials of one of their admins, who decided to log in from a hotspot at McDonald's.  <grin>  Made a strong case for my recommendation that they add dual-factor authentication, such as tokens (which randomize), to their logins, to prevent, at least, remote access.  While they didn't totally do it right (they put BOTH password and token fields on the same page, so they'll still disclose the network password) and have some tweaking to do, they quickly realized the danger in their original configuration, and added value to my services to them.

So spend some time studying the use of ARP attacks, and how they can be used for both illegitimate, as well as analysis purposes.  You'll find it useful.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
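
Added example (not part of the original thread, and not ArpON's code): a passive check for the ARP spoofing discussed above. It remembers the first MAC address seen for each IP and reports when a later ARP frame claims that IP from a different MAC. All addresses and frames below are constructed sample values.

```python
import struct

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return oper, mac, ip

class BindingMonitor:
    """Remember the first MAC seen for each IP and report any later change."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})   # optional known-good entries, e.g. the gateway

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":   # skip non-ARP frames and ARP probes
            return None
        _, mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)      # first sighting is trusted and kept
        if known != mac:
            return f"ALERT {ip} was {known}, now claimed by {mac}"
        return None

def make_arp(oper, sha, spa, tha, tpa):
    """Build a constructed 42-byte ARP frame for the sample data (never sent anywhere)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    header = mac(tha) + mac(sha) + b"\x08\x06"
    return (header + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

GW, GW_MAC = "192.168.1.1", "00:11:22:33:44:55"        # constructed sample values
PC, PC_MAC = "192.168.1.50", "aa:bb:cc:00:00:50"
SAMPLE = [
    make_arp(2, GW_MAC, GW, PC_MAC, PC),               # genuine gateway reply
    make_arp(1, PC_MAC, PC, "00:00:00:00:00:00", GW),  # ordinary request from the PC
    make_arp(2, PC_MAC, GW, "ff:ff:ff:ff:ff:ff", PC),  # gateway IP claimed by the PC's MAC
    b"\x00" * 60,                                      # non-ARP frame, ignored
]

def run_sample():
    monitor = BindingMonitor()
    return [alert for alert in map(monitor.observe, SAMPLE) if alert]

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Because the first binding seen is trusted, pass known-good entries (such as the gateway's real MAC) as `pinned` when the monitor might start after a spoof is already under way.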
