I've always known how to do basic IP sniffing, but with all the recent news coverage of the NSA and AT&T data mining I decided to do a little research and dig deeper into IP sniffing. Obviously the NSA uses some pretty sophisticated software and hardware to handle all the IP data it collects, but there are plenty of open source tools that will do pretty much the same thing for a smaller network.
The best program for packet capture and analysis is Ethereal. It captures packets and displays them in a GUI, and it can also save captured packets to a file and open and process existing capture files. It can process packets by applying filters: for example, you could filter out all ARP traffic, or capture only HTTP. Ethereal also allows you to filter by TCP stream, displaying the data portions of every packet in the stream in the order they arrived. In this way you could reconstruct an HTML page or an SMTP email. However, the purpose of this article is not to be a guide to Ethereal, but to show you how to arrange your network so that you can sniff your internet connection and capture every packet coming and going across your internet pipe.
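The stream-following feature described above, as an added example that is not part of the original post or of Ethereal: a minimal reassembly of both directions of one TCP connection from constructed segments that arrive out of order, with one retransmission. The segment tuple layout and the sample capture are assumptions made here for illustration.

```python
"""Minimal 'Follow TCP Stream' reassembly (added example, not from the post)."""

from typing import Dict, List, Tuple

# A captured segment reduced to what reassembly needs (constructed layout):
# (src, sport, dst, dport, seq, payload).  The first four fields identify
# one direction of the connection, just as Ethereal groups a stream.
Segment = Tuple[str, int, str, int, int, bytes]
Direction = Tuple[str, int, str, int]


def follow_stream(segments: List[Segment]) -> Dict[Direction, bytes]:
    """Rebuild each direction's byte stream from out-of-order, duplicated
    or overlapping segments.  Missing bytes (a segment the capture never
    saw) are padded with NUL so later offsets stay correct; sequence-number
    wraparound is ignored for brevity."""
    by_dir: Dict[Direction, List[Tuple[int, bytes]]] = {}
    for src, sport, dst, dport, seq, data in segments:
        if data:  # SYN/ACK/FIN-only segments carry no stream bytes
            by_dir.setdefault((src, sport, dst, dport), []).append((seq, data))
    streams: Dict[Direction, bytes] = {}
    for key, chunks in by_dir.items():
        chunks.sort(key=lambda c: c[0])          # put segments in sequence order
        base = chunks[0][0]
        out = bytearray()
        for seq, data in chunks:
            offset = seq - base
            if offset < len(out):                # retransmission or overlap
                data = data[len(out) - offset:]  # keep only bytes not yet seen
                offset = len(out)
            if offset > len(out):                # gap: capture missed a segment
                out.extend(b"\x00" * (offset - len(out)))
            out.extend(data)
        streams[key] = bytes(out)
    return streams


# Constructed sample capture: a client on the post's LAN fetching a page,
# with the request segments delivered out of order and one retransmitted.
SAMPLE: List[Segment] = [
    ("192.168.5.50", 40000, "10.1.2.3", 80, 1000, b""),                       # SYN
    ("192.168.5.50", 40000, "10.1.2.3", 80, 1017, b"Host: example\r\n\r\n"),
    ("192.168.5.50", 40000, "10.1.2.3", 80, 1001, b"GET / HTTP/1.0\r\n"),
    ("192.168.5.50", 40000, "10.1.2.3", 80, 1001, b"GET / HTTP/1.0\r\n"),     # retransmit
    ("10.1.2.3", 80, "192.168.5.50", 40000, 5001, b"HTTP/1.0 200 OK\r\n\r\n"),
    ("10.1.2.3", 80, "192.168.5.50", 40000, 5020, b"hello"),
]

if __name__ == "__main__":
    for direction, payload in follow_stream(SAMPLE).items():
        print(direction, payload)
```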
There are many reasons you might want to sniff your internet connection, or even capture and record every packet passing through it. One is that it is a fascinating and effective way to learn about networks and how packets flow through them. Another could be to find and defeat a hacking attack or malware. You could also monitor your network to determine what users are doing and watch them (like the NSA).
A typical Small Office/Home Office network is set up like this:

The internet comes in through the cable modem and into the combination router, switch, and wireless access point. This is a nice setup for a small network because it combines all the network devices into one. However, it is not a good setup for sniffing and data capture.
The main problem with sniffing on this network is the switch. In a traditional Ethernet network built with hubs, every packet is repeated out to every port on the hub; the whole hub is one collision domain. Switches are designed to break up collision domains. This helps the network function much more efficiently and drop far fewer packets. It also adds some security, because packets are no longer delivered past every Ethernet adapter on the network, only to the port of the intended host. But we cannot easily sniff the network if we cannot see all the traffic. Some high-end switches have a management port that can be configured to mirror all traffic onto a single port, which can then be sniffed and monitored. An easier way to monitor the small network shown above is with a hub, as shown below:

Here a hub is placed between the cable modem and the router. A monitoring computer can then be connected to the hub to sniff all internet traffic. You may think this would defeat the purpose of a switched network and slow down your internet traffic. However, a hub does not start dropping packets until more than 50% of its bandwidth is used. If your hub is 100 Mbps, you would have to generate more than 50 Mbps of traffic. With a typical 5 Mbps cable internet connection, you will never come close.
The only drawback to this setup is NAT. NAT (Network Address Translation) is the technique the router uses to allow many hosts to share an internet connection that has only 1 IP address. The setup above sniffs everything outside your NAT, so if you have multiple computers behind the NAT you will not be able to tell which one is generating which traffic. (While doing some monitoring in this configuration, I noticed that my sniffer was picking up lots of ARP and DHCP traffic from other cable users in my subnet.) In order to sniff the internet traffic inside the NAT, you need one more device, in a configuration like this:

In this configuration the hub and monitoring computer are placed between the router and a second switch. This allows all traffic headed to the router, and then out to the internet, to be watched. The only drawback is that it requires another switch. One way to do it is to get a second router/switch/wireless AP and just disable the routing features; this is how I did it to monitor my home network. Larger networks are laid out in a similar fashion, with a switch connected to a router that goes out to the internet. There are many other ways to do the same thing. For larger networks, an Ethernet tap can be put on the router port. This is a device that lets you tap into the Ethernet link and see all the packets on the wire, and it is what would be used in higher-bandwidth networks. But for small home networks, I think a hub is the easiest way to set up a sniffer that captures all the internet traffic.
Another approach would be to build a Linux router out of a spare computer. This would eliminate the need for a hub altogether, and you could then use Snort or tcpdump on the router to capture all the traffic. The major drawback of this method is that you would need to set up and maintain the router yourself. There are many good tutorials on the internet for building a Linux router, but it is still difficult. The small home routers are easy to set up and use.
For a monitoring computer, you can use a spare computer or a computer already on your network. I added an extra NIC to my computer, gave it a static IP address in a different subnet than my main network, and sniffed the data that passed by it. If the NIC has an IP address in a different subnet than your current network, you don't have to worry about your computer trying to use it for ordinary data transfer. For example, my main NIC is 192.168.5.50 with a subnet mask of 255.255.255.0, so I put the other NIC on 10.0.0.1. I also left its default gateway blank. The OS will not route traffic out the second NIC, because there is nowhere for it to go.
This setup is a great way to learn about packets and how they flow, to monitor your network for suspicious activity, or just to see what everyone is doing.
Why are you making the listing so difficult?
Is it possible to sniff using a Linksys router directly connected to the computer with 2 NIC cards?