Ethereal-users: Re: [Ethereal-users] Private IP's - take 2

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Thu, 1 May 2003 23:20:50 +0100
On Thursday 01 May 2003 8:30 pm, Darryl Hoar wrote:
> Well,
> thanks for the last responses.  I'm still a newbie.
>
> Here is my setup.
> I have a machine configured as firewall/nat/router that has two nics.
> One nic is connected to my internal LAN.  The other is connected
> to my SMC ADSL modem.
>
> My first attempt was to plug my ADSL modem into a spare 3com 3c1611
> 10/100 hub.  I plugged the firewall/nat/router into another of the ports.
> Lastly, I plugged my notebook running ethereal into another port.
>
> I could monitor the packets between the firewall/nat/router and the
> ADSL modem.  Unfortunately, I could not see any of the internal
> source IPs (192.168.1.x).
>
> So, I then plugged the ADSL modem back directly into the
> firewall/nat/router nic.  I plugged the hub into the LAN.  Then
> connected the firewall/nat/router, notebook running ethereal
> into the hub.
>
> Now I can see the internal traffic, but can't see the external bound
> traffic.
>
> What am I missing here?  I'm sure it's a total newbie thing.

No, it's a tricky one. You're trying to capture on two nets at the same time.

The "proper" way to do this is to use two ethereal machines with synchronised 
clocks, or one machine with two copies of ethereal running to two different 
NICs. Then run mergecap to merge the two capture files. I am guessing that 
you don't have the resources to do that.

Normally it's not possible to do it with a single capture, but I think, in 
this case, and for short periods, there is a way. There may be a security 
risk, so only do this when you have to analyse the network.

Set the modem to run at 10Mbps, and _everything_ else to run at 100, then plug 
everything, including both ports of the NAT machine into the hub. The hub 
will switch the traffic to the modem, so it will only see the traffic that it 
is supposed to, but the ethereal machine will see it all.

NAT to modem goes in at 100Mbps
modem to NAT goes out at 100Mbps
NAT to and from LAN is at 100Mbps

So the ethereal machine will see all the traffic. (As will all the machines 
except the modem, which will only see traffic addressed to it.)

If you don't set the modem to 10Mbps all your LAN traffic will go out onto the 
Internet, annoying your ISP and creating a bigger security risk.

This is a dirty hack. So far as I can see it should work, but it may not. For 
example, broadcast traffic, including ARP packets, will get to the modem, and 
may escape into the Internet. Something out there might respond to them and 
confuse your network. It may be possible to hack your network from the 
Internet with this setup. It may annoy your ISP; they may see it as a hacking 
attempt.

-- 
Richard Urwin
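The "proper" method mentioned above, two captures taken on the LAN and modem sides with synchronised clocks and then merged, as an added Python example that is not part of the original thread: it builds two constructed classic-pcap byte strings and merges their records in timestamp order, which is what mergecap does by default. The timestamps and payload labels are constructed sample data, not real traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1

def build_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Build a classic pcap file from (ts_sec, ts_usec, payload) tuples."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(p), len(p)) + p for sec, usec, p in records
    )
    return header + body

def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, payload), ...]) from a little-endian pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, recs = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        recs.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, recs

def merge_captures(*pcaps):
    """Merge captures into one file ordered by timestamp (mergecap's default).
    Only meaningful if the capturing machines' clocks were synchronised."""
    linktypes, merged = set(), []
    for p in pcaps:
        lt, recs = parse_pcap(p)
        linktypes.add(lt)
        merged.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("captures have different link types; cannot merge")
    merged.sort(key=lambda r: (r[0], r[1]))
    return build_pcap(merged, linktype=linktypes.pop())

# Constructed sample captures: one from the LAN-side NIC, one from the modem side.
LAN_SIDE = build_pcap([(1051827650, 100, b"lan-1"), (1051827650, 300, b"lan-2")])
WAN_SIDE = build_pcap([(1051827650, 200, b"wan-1"), (1051827651, 0, b"wan-2")])

def merged_order():
    """Payloads of the merged file, in the order a reader of the merge would see them."""
    return [p for _, _, p in parse_pcap(merge_captures(LAN_SIDE, WAN_SIDE))[1]]

if __name__ == "__main__":
    print(merged_order())
```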