PaulDotCom mailing list archives

WRT54G Mirror Port


From: dninja at gmail.com (Robin Wood)
Date: Fri, 15 Jan 2010 01:06:18 +0000

I might have a go at making one then, sounds like a bit of fun. I'll
get hold of two USB NICs as well so I've got a pair of inputs. I like
the idea of using bridging to bring the two back together so you can
see the complete flow as well.

Robin

2010/1/15 Robert Miller <arch3angel at gmail.com>:
I did a network tap similar to the two shown in the links from Hackaday and
Instructables. The way I did it was with 4 ports, one to the router, modem,
whatever faces the internet. Then behind that I split the RX and TX into 2
separate ports, then the fourth one went to the device I wanted to sniff.
Now the question I got asked is how do I use the data...

I had a server with 3 NICs, but could have been 2 but I was lazy and wanted
to reach it from my desk and not stand in the datacenter all day. One
interface was access to corp network normal operations for Mr. lazy! The
other 2 were doing absolutely nothing but tcpdump, I had two terminals open
each running tcpdump to a file that I named something related to the
interface name so I knew which was TX and which was RX. Then I open the
captures in Wireshark or your favorite packet tool.

I also reformatted the server and installed OSSIM, having OSSIM watching for
anything just as you would if it was mirroring a port or inline on a network.

I was in a hurry so my wires did get untwisted but that did not seem to be
the issue, my issue was the amount of data the server could process and
log. It seems 14,000 packets a second tends to fill up the hard disk space
fast with default settings :-) I never dropped a packet due to the
makeshift tap though.

- Robert
(arch3angel)

On 1/14/2010 3:24 PM, Sam Buhlig wrote:

To be honest, I don't know how you would do it on only 3 of them. Because if
your computer that is doing the sniffing has anything hooked up at all to
the transmit side.....collisions....broadcast from the sniffing
box.....attenuation (hope that is spelled right) issues....

I do it with 2 NICs and bond them together, and the way they are connected
to the box that is sniffing, it won't allow them to transmit. They are only
connected to 2 and 6 on both NICs. Which should only allow to receive.

If someone else has any thoughts....throw them on here because I would like
to know.



As far as throughput issues....have not seen any. I kept the twists as tight as
possible. Keeping the loss to a minimum.


Thanks,
Sam


On Thu, Jan 14, 2010 at 11:01 AM, Robin Wood <dninja at gmail.com> wrote:

2010/1/14 Sam Buhlig <sbuhlig at gmail.com>:
Just another possible work around for you might be building a passive
tap.

http://hackaday.com/2008/09/14/passive-networking-tap/

This article builds a device with two ports for tapping each direction
but then this Instructables does a similar thing with just a single
tap port.


http://www.instructables.com/id/Make_a_Passive_Network_Tap/step7/close-it-up/

What would be the advantage of having the two ports over having just a
single port?

There is also discussion about untwisting the cables and debate over
whether such short lengths of untwisted cable would make any
difference to throughput, can anyone comment on this?

Robin


or....

cinci2600.com/wp-content/uploads/2009/01/passive-taps.odp

(that is the one I followed)

It is not as clean as being able to span a port, but a good way to do it
on the cheap.

Hope this helps.

Later,
Sam

On Thu, Jan 14, 2010 at 8:16 AM, Paul Asadoorian <paul at pauldotcom.com>
wrote:

From all the research that I did on the WRT54G (and similar hardware
like the ASUS) this was not possible. I believe that I read somewhere
that it was possible on some of the hardware, but that the drivers did
not support it.

If you find that it does, let us know!

Cheers,
paul

On 1/13/10 7:39 PM, Cody Dumont wrote:
Can you set up a mirror or SPAN port using OpenWRT on the ASUS or
WRT54G?

thanks all..


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
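
Added example, not part of the original thread: the two-port tap described above produces one capture file per direction, and this sketch interleaves them by timestamp so the complete flow can be read in one file. It assumes both captures were taken on the same host (so they share a clock) and are classic little-endian microsecond pcap files; the function names and sample payloads are constructed for illustration.

```python
import heapq
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version 2.4, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, captured len, original len
MAGIC_USEC_LE = 0xA1B2C3D4               # little-endian, microsecond timestamps

def read_pcap(data, source):
    """Yield (timestamp_us, source, orig_len, frame) for each complete record."""
    if PCAP_GLOBAL.unpack_from(data, 0)[0] != MAGIC_USEC_LE:
        raise ValueError(f"{source}: unsupported pcap format")
    offset = PCAP_GLOBAL.size
    while offset + PCAP_RECORD.size <= len(data):
        sec, usec, cap_len, orig_len = PCAP_RECORD.unpack_from(data, offset)
        frame = data[offset + PCAP_RECORD.size:offset + PCAP_RECORD.size + cap_len]
        if len(frame) < cap_len:  # final record cut short, e.g. the disk filled up
            break
        offset += PCAP_RECORD.size + cap_len
        yield sec * 1_000_000 + usec, source, orig_len, frame

def merge_directions(rx_bytes, tx_bytes):
    """Interleave the RX and TX captures into one time-ordered list."""
    return list(heapq.merge(read_pcap(rx_bytes, "rx"), read_pcap(tx_bytes, "tx"),
                            key=lambda rec: rec[0]))

def write_pcap(records, linktype=1, snaplen=65535):
    """Serialise records as a pcap file image (linktype 1 = Ethernet)."""
    out = [PCAP_GLOBAL.pack(MAGIC_USEC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts, _source, orig_len, frame in records:
        out.append(PCAP_RECORD.pack(ts // 1_000_000, ts % 1_000_000, len(frame), orig_len))
        out.append(frame)
    return b"".join(out)

# Constructed sample captures: placeholder payloads, not real Ethernet frames.
RX_SAMPLE = write_pcap([(1_000_100, "rx", 4, b"RX-1"), (1_000_300, "rx", 4, b"RX-2")])
TX_SAMPLE = write_pcap([(1_000_200, "tx", 4, b"TX-1"), (1_000_400, "tx", 4, b"TX-2")])

if __name__ == "__main__":
    for ts, source, _orig_len, frame in merge_directions(RX_SAMPLE, TX_SAMPLE):
        print(f"{ts / 1e6:.6f} {source} {frame!r}")
```

Wireshark's `mergecap` tool performs the same chronological merge directly on capture files.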