Snort mailing list archives
Re: cloning traffic onto a wireless network
From: "Robin Wood" <dninja () gmail com>
Date: Thu, 8 Jan 2009 09:27:30 +0000
2009/1/8 Pieter Claassen <pclaassen () sourcefire com>:
Another option is to try a ppp implementation to tunnel the data over the wireless network. I have not done this before but it should be quite easy to get set up. However, the openvpn setup is easy.
I was going to ask about other, lighter-weight tunnels but thought I'd give this a try first, seeing as you'd already done the hard work of sorting out the config files. If it does work I'll try ppp. Thanks.

Robin
> Regards,
> P
>
> On Thu, Jan 8, 2009 at 10:04 AM, Robin Wood <dninja () gmail com> wrote:
>
>> 2009/1/8 Pieter Claassen <pclaassen () sourcefire com>:
>>
>>> Robin,
>>>
>>> I did something like this a while ago, cloning traffic from a wired NIC over a VPN (http://skeptical-inquirer.blogspot.com/2008/11/daemonlogger-over-openvpn-for-taking.html).
>>
>> So you are suggesting using a VPN to tunnel the data through the wireless so it doesn't mess it up. Seeing as I'm going to be going over a WPA-protected link I could even drop the encryption on the VPN, as the data will be point to point and encrypted by WPA all the way. I'll give that a go.
>>
>> Robin
>>
>>> Pieter
>>>
>>> On Wed, Jan 7, 2009 at 7:02 PM, Robin Wood <dninja () gmail com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have an embedded device which contains 2 wired NICs and a wireless one. I'd like to turn it into a makeshift tap where the traffic is bridged over the two wired NICs and a copy of it sent out of the wireless to a machine which can then monitor the traffic, either as an IDS, for pen-testing or for sys-admin troubleshooting.
>>>>
>>>> So far I've got the bridge up and running, and using daemonlogger I've cloned all the traffic onto the wireless NIC, but I'm stuck getting it off there and onto the other machine.
>>>>
>>>> What I've found so far is that if I have the device running as an AP then it does some filtering/routing and so mangles the packets before sending them out, making them useless. If I have the device as a client connecting to an external AP the traffic gets sent out and can be sniffed from the air using kismet, but on the AP the traffic is dropped because it isn't for the network the AP is running on. Running wireshark on the AP gives a load of LLC and XID packets. The AP also sends back packets rejecting the traffic, which messes up the data sniffed from the air.
>>>>
>>>> The device running as a WPA-protected AP is the ideal solution, as the device can be dropped in place then connected to whenever required.
>>>>
>>>> I've been talking to Marty about this and I don't think I've missed anything obvious in trying to get this to work, and he suggested I ask here to see if anyone else has done anything like this or could suggest anything to try.
>>>>
>>>> So, can anyone help?
>>>>
>>>> Robin
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the new SourceForge.net Marketplace.
>>>> It is the best place to buy or sell services for
>>>> just about anything Open Source.
>>>> http://p.sf.net/sfu/Xq1LFB
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users () lists sourceforge net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> --
>>> Pieter Claassen
>>> Security Engineer - Benelux, Middle East & Africa
>>> ---------------------------
>>> SOURCEfire
>>> Siriusdreef 17-27
>>> 2132 WT Hoofddorp
>>> The Netherlands
>>> T +31 23 56 89 176
>>> F +31 23 56 89 111
>>> M + 31 646 112 805
>>> E pieter.claassen () sourcefire com
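One way to wire up the setup the thread converges on (a transparent bridge over the two wired NICs, daemonlogger copying its traffic into an OpenVPN tap carried over the WPA link), as an added shell example that is not code from the thread or from Pieter's blog post. Interface names, the 192.0.2.10 monitoring host and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0/eth1 are the two wired
# NICs, tap0 is the OpenVPN tap end on the embedded device, 192.0.2.10 is a
# placeholder for the monitoring host on the far side of the WPA link.
BR=br0
WIRED="eth0 eth1"
TAP=tap0
MONITOR=192.0.2.10
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands for review, 0 = execute them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# OpenVPN config for the device end. tap (layer 2) mode carries the copied frames,
# foreign source/destination MACs and all, across the wireless hop, so nothing on
# the AP side bridges, routes or rejects them the way the thread describes.
# "cipher none"/"auth none" is the option Robin raises because the hop is already
# WPA-encrypted; the trade-off is that anyone else holding that WPA key can read
# the mirrored traffic and alter it undetected, so keep the defaults unless the
# WLAN is dedicated to this link. "fragment" stops full 1514-byte frames from
# exceeding the wireless MTU; use the same value on the monitoring host.
openvpn_conf() {
  cat <<EOF
dev $TAP
proto udp
remote $MONITOR 1194
secret static.key
cipher none
auth none
fragment 1300
EOF
}

# Bridge the two wired NICs (the transparent in-line path), bring up the tunnel,
# then have daemonlogger copy every frame crossing the bridge into the tunnel tap.
build_tap() {
  run ip link add "$BR" type bridge
  for nic in $WIRED; do
    run ip link set "$nic" up
    run ip link set "$nic" master "$BR"
  done
  run ip link set "$BR" up
  run openvpn --config /etc/openvpn/tap.conf --daemon
  # -i capture interface, -o output interface (daemonlogger's tap mode), -d daemonize
  run daemonlogger -i "$BR" -o "$TAP" -d
}

if [ "$DRY_RUN" = 0 ]; then openvpn_conf > /etc/openvpn/tap.conf; fi
build_tap
```

On the monitoring host run OpenVPN with the matching config (no `remote` line, same `secret` and `fragment` values) and point the sensor at the tap, e.g. `snort -i tap0`.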