Snort mailing list archives

cloning traffic onto a wireless network


From: "Robin Wood" <dninja () gmail com>
Date: Wed, 7 Jan 2009 18:02:44 +0000

Hi
I have an embedded device which contains 2 wired NICs and a wireless
one. I'd like to turn it into a makeshift tap where the traffic is
bridged over the two wired NICs and a copy of it sent out of the
wireless to a machine which can then monitor the traffic either as an
IDS, for pen-testing or for sys-admin troubleshooting.

So far I've got the bridge up and running and using daemonlogger I've
cloned all the traffic onto the wireless NIC but I'm stuck getting it
off there and onto the other machine. What I've found so far is that
if I have the device running as an AP then it does some
filtering/routing and so mangles the packets before sending them out
making them useless. If I have the device as a client connecting to an
external AP the traffic gets sent out and can be sniffed from the air
using kismet but on the AP the traffic is dropped because it isn't for
the network the AP is running on. Running wireshark on the AP gives a
load of LLC and XID packets. The AP also sends back packets rejecting
the traffic which messes up the data sniffed from the air.

The device running as a WPA protected AP is the ideal solution as the
device can be dropped in place then connected to whenever required.

I've been talking to Marty about this and I don't think I've missed
anything obvious in trying to get this to work and he suggested I ask
here, see if anyone else has done anything like this or could suggest
anything to try.

So, can anyone help?

Robin
