Re: cloning traffic onto a wireless network

["Robin Wood" <dninja () gmail com>]

2009/1/8 Pieter Claassen <pclaassen () sourcefire com>:
> Another option is to try a ppp implementation to tunnel the data over
> the wireless network. I have not done this before but it should be
> quite easy to get setup. However, the openvpn setup is easy.

I was going to ask about other, lighter weight tunnels but thought I'd
give this a try first seeing as you'd already done the hard work of
sorting out the config files.

If it does work I'll try ppp.

Thanks.

Robin

> Regards,
> P
>
> On Thu, Jan 8, 2009 at 10:04 AM, Robin Wood <dninja () gmail com> wrote:
> > 2009/1/8 Pieter Claassen <pclaassen () sourcefire com>:
> > > Robin,
> > >
> > > I did something like this a while ago cloning traffic from a wired NIC
> > > over a VPN (http://skeptical-inquirer.blogspot.com/2008/11/daemonlogger-over-openvpn-for-taking.html).
> >
> > So you are suggesting use a vpn to tunnel the data through the
> > wireless so it doesn't mess it up. Seeing as I'm going to be going
> > over a WPA protected link I could even drop the encryption on the vpn
> > as the data will be point to point and encrypted by WPA all the way.
> >
> > I'll give that a go.
> >
> > Robin
> >
> > > Pieter
> > >
> > > On Wed, Jan 7, 2009 at 7:02 PM, Robin Wood <dninja () gmail com> wrote:
> > > > Hi
> > > > I have an embedded device which contains 2 wired NICs and a wireless
> > > > one. I'd like to turn it into a makeshift tap where the traffic is
> > > > bridged over the two wired NICs and a copy of it sent out of the
> > > > wireless to a machine which can then monitor the traffic either as an
> > > > IDS, for pen-testing or for sys-admin trouble shooting.
> > > >
> > > > So far I've got the bridge up and running and using daemonlogger I've
> > > > cloned all the traffic onto the wireless NIC but I'm stuck getting it
> > > > off there and onto the other machine. What I've found so far is that
> > > > if I have the device running as an AP then it does some
> > > > filtering/routing and so mangles the packets before sending them out
> > > > making them useless. If I have the device as a client connecting to an
> > > > external AP the traffic gets sent out and can be sniffed from the air
> > > > using kismet but on the AP the traffic is dropped because it isn't for
> > > > the network the AP is running on. Running wireshark on the AP gives a
> > > > load of LLC and XID packets. The AP also sends back packets rejecting
> > > > the traffic which messes up the data sniffed from the air.
> > > >
> > > > The device running as a WPA protected AP is the ideal solution as the
> > > > device can be dropped in place then connected to whenever required.
> > > >
> > > > I've been talking to Marty about this and I don't think I've missed
> > > > anything obvious in trying getting this to work and he suggested I ask
> > > > here, see if anyone else has done anything like this or could suggest
> > > > anything to try.
> > > >
> > > > So, can anyone help?
> > > >
> > > > Robin
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the new SourceForge.net Marketplace.
> > > > It is the best place to buy or sell services for
> > > > just about anything Open Source.
> > > > http://p.sf.net/sfu/Xq1LFB
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > --
> > > Pieter Claassen
> > > Security Engineer - Benelux, Middle East & Africa
> > > ---------------------------
> > > SOURCEfire
> > > Siriusdreef 17-27
> > > 2132 WT Hoofddorp
> > > The Netherlands
> > > T +31 23 56 89 176
> > > F +31 23 56 89 111
> > > M + 31 646 112 805
> > > E  pieter.claassen () sourcefire com
>
>
>
> --
> Pieter Claassen
> Security Engineer - Benelux, Middle East & Africa
> ---------------------------
> SOURCEfire
> Siriusdreef 17-27
> 2132 WT Hoofddorp
> The Netherlands
> T +31 23 56 89 176
> F +31 23 56 89 111
> M + 31 646 112 805
> E  pieter.claassen () sourcefire com

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users