# Sniffing router traffic

## simulacrum

I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines. 

I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it. Is there a way to change the routing so that only my machine can see all the traffic on the router? The Sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.

----------

## adaptr

*simulacrum wrote:*

> I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines. 
> 
> I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it.


That is pretty much a universal effect of using a router, yes.

*simulacrum wrote:*

> Is there a way to change the routing so that only my machine can see all the traffic on the router?


Not really, no - the whole point of a router is to divide traffic between separate ports.

*simulacrum wrote:*

> The Sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.


If you are talking about true Linux iptables here then you can probably do some nasty tricks with the mangle table, but if you have an old Pentium lying around it would be far easier to insert it between the router and the modem and bridge the interfaces together. Run a packet sniffer / logger on it and connect a third interface back to your LAN.

The processing and storage can happen anywhere, so the intercepting box need not be all that fast.

----------

## ter_roshak

*simulacrum wrote:*

> I have a Linksys WRT54G wireless router, running the Sveasoft firmware. I'd like a way to dump the network traffic for other machines on the network. tcpdump/ngrep only sees traffic for the machine it's running on and broadcasts from other machines. 
> 
> I assume this is because the router is routing traffic for each machine and not allowing the other machines to see it. Is there a way to change the routing so that only my machine can see all the traffic on the router? The Sveasoft firmware gives me console access to the router so I'm able to put in any iptables rules I'd like, but don't know how to accomplish what I'm trying to do. Any help would be appreciated, thanks.


Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from.  A couple of good tools for this are ettercap and dsniff.  I wouldn't recommend trying this on any network but your own though.

----------

## simulacrum

*Quote:*

> Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.


Hey, that's something I hadn't considered. I'll give that a try tonight. Thanks!

----------

## adaptr

*ter_roshak wrote:*

> Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from.  A couple of good tools for this are ettercap and dsniff.  I wouldn't recommend trying this on any network but your own though.


How is this a different option from the transparent bridge I described?

Calling it a man-in-the-middle attack is not really descriptive - it's not an attack.

----------

## ter_roshak

*adaptr wrote:*

> *ter_roshak wrote:*
>
> > Another option would be to perform a man-in-the-middle attack on your router and the machines that you want to get the traffic from. A couple of good tools for this are ettercap and dsniff. I wouldn't recommend trying this on any network but your own though.
>
> How is this a different option from the transparent bridge I described?
>
> Calling it a man-in-the-middle attack is not really descriptive - it's not an attack.


This method of data interception is an attack, whether you attack your own network or not.  This is an industry term.

Out of curiosity, what would you call it instead?

----------

## adaptr

Since the OP clearly describes being connected to a switch/router, the only way to sniff all traffic is to insert a transparent bridge between the router and the network.

There is no other way to capture all data.

It's called "sniffing".

----------

## ter_roshak

*adaptr wrote:*

> Since the OP clearly describes being connected to a switch/router, the only way to sniff all traffic is to insert a transparent bridge between the router and the network.
> 
> There is no other way to capture all data.
> 
> It's called "sniffing".


We have a difference of opinion that cannot be resolved through this forum.

----------

## adaptr

Agreed.

If there are no wired nodes on the LAN, reading through the various pieces of wardriving documentation could probably help the OP out.

(Wardriving = wireless AP sniffing)

----------

## bluedevils

If the router has iptables, then it should be able to do logging. Most consumer routers I have seen will let you log to another machine (your Gentoo box maybe?). Does your router have options to do that?

BTW I also think I saw (didn't click on it) a Google search result mentioning Linux on the WRT54G. That might be an interesting subject to look up.

----------

## darkphader

The problem is inherent to the nature of a switch. Traffic isn't broadcast to all of the ports, only to the port leading to the destination. With a high-end managed switch one can usually make it act more like a hub in order to sniff packets of the other ports. In this case the easiest, cheapest workaround would be to go buy a cheap little hub (not a switch), which used to be common when switches were expensive but is a bit hard to find these days, and plug all of the devices into it.

----------

## bluedevils

But wouldn't the caveats be that

a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and

b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?

----------

## ter_roshak

*bluedevils wrote:*

> But wouldn't the caveats be that
> 
> a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and
> 
> b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?


That sounds right.  Is the traffic wireless or a mixture or just wired?

----------

## darkphader

*bluedevils wrote:*

> But wouldn't the caveats be that
> 
> a) you still wouldn't get wireless traffic (I believe it is a wireless G router) and
> 
> b) you reduce the performance (unless there is only one computer attached) as a hub will bring the connection down to half duplex?


Mostly correct. But concerning part (b) it's not just that the connection is half-duplex but that you will encounter collisions if the systems are rather busy. But on a practical scale, unless you have a lot of traffic (not really that typical in a home LAN) there will be no noticeable impact. And it will allow you to sniff all of the LAN traffic (even that to/from the wireless devices); the only traffic not sniffed would be wireless-wireless and wireless-gateway traffic.

----------

## simulacrum

Well I did take a stab at the man-in-the-middle attack, so far without success, but I haven't tried terribly hard (been busy lately). My desktop has a wired connection to the router. I want to sniff the wireless traffic on the same router. I can't seem to poison the ARP cache of my victim, which thus far has been my laptop running Win2k. I need to get a tcpdump-like utility on my laptop, but I think that my wired ports and wireless are two different LANs that are bridged and that may have something to do with my problems.

To clarify my situation, I have a Linksys WRT54G wireless router. The router does run Linux, and I have a custom firmware to get access to a shell on it. I have limited command functionality, but one thing I do have access to is iptables. Thanks for the suggestions guys.
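Added example, not from the thread: the transparent-bridge tap adaptr describes earlier (a Linux box inline between modem and router, two interfaces bridged with no IP address, a third interface left on the LAN for management, sniffer on the bridge) and, on that tap, a check for the ARP cache poisoning that ettercap/dsniff rely on and that the later posts discuss. Linux with iproute2 is assumed; the interface names and the sample tcpdump lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux box with iproute2 and
# three NICs: TAP_A and TAP_B sit inline between modem and router and are
# bridged transparently (no IP address); a third NIC keeps its LAN address
# so the box stays reachable. Interface names are assumptions; adjust them.
TAP_A=${TAP_A:-eth1}
TAP_B=${TAP_B:-eth2}
BR=${BR:-br0}

# Emit the commands that build the transparent bridge. Kept separate from
# apply_bridge so the plan can be reviewed before it is run as root.
plan_bridge() {
    printf '%s\n' \
        "ip link add name $BR type bridge" \
        "ip link set $TAP_A up" \
        "ip link set $TAP_B up" \
        "ip link set $TAP_A master $BR" \
        "ip link set $TAP_B master $BR" \
        "ip link set $BR up"
}

# Run the plan, stopping at the first failing command (needs root).
apply_bridge() {
    plan_bridge | sh -e
}

# Read "tcpdump -nn arp" lines on stdin and report any IP whose claimed
# hardware address changes between replies: the footprint ARP cache
# poisoning leaves on the wire, and the first thing to watch for on the tap.
detect_arp_flips() {
    awk '
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") { ip = $(i - 1); mac = $(i + 1) }
            sub(/,$/, "", mac)                     # strip trailing comma
            if ((ip in seen) && seen[ip] != mac)
                printf "ALERT %s changed from %s to %s\n", ip, seen[ip], mac
            seen[ip] = mac
        }'
}

# Constructed sample capture: the gateway answers normally, then a second
# station starts answering for the gateway address.
SAMPLE='12:00:01.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:06.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:ee, length 28'

# Live use on the tap: apply_bridge; tcpdump -nn -l -i "$BR" arp | detect_arp_flips
printf '%s\n' "$SAMPLE" | detect_arp_flips
```

Because the bridge carries no IP address it is invisible to the LAN, and because the capture interface is the bridge itself it sees both directions of every wired flow that crosses the router's WAN side; wireless-to-wireless traffic never reaches it, as darkphader notes for the hub.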

----------

## ter_roshak

*simulacrum wrote:*

> Well I did take a stab at the man-in-the-middle attack, so far without success, but I haven't tried terribly hard (been busy lately). My desktop has a wired connection to the router. I want to sniff the wireless traffic on the same router. I can't seem to poison the ARP cache of my victim, which thus far has been my laptop running Win2k. I need to get a tcpdump-like utility on my laptop, but I think that my wired ports and wireless are two different LANs that are bridged and that may have something to do with my problems.
> 
> To clarify my situation, I have a Linksys WRT54G wireless router. The router does run Linux, and I have a custom firmware to get access to a shell on it. I have limited command functionality, but one thing I do have access to is iptables. Thanks for the suggestions guys.


Thanks for the update.  Good luck on getting it to work.

----------

