[ale] OT Linksys promiscuous mode

krwatson at cc.gatech.edu krwatson at cc.gatech.edu
Mon Dec 21 10:00:41 EST 2009


> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> jtholmes
> Sent: Sunday, December 20, 2009 17:42
> To: Atlanta Linux Enthusiasts - Yes! We run Linux!
> Subject: [ale] OT Linksys promiscuous mode
> 
> 
> 
> My Linux machine plugs directly into one of the four ports
> on a Linksys WRT54G router and I can see any traffic to and
> from my other machines. Which probably makes sense as
> the router is not telling all ports what is coming and going
> from each individual port.
> 
> Is there any way (short of putting a hub or switch in front
> of the Linksys) to capture all packets going into and out of
> the Linksys.
> i.e. a promiscuous mode setting in the Linksys.
> 
> I have looked and can't find such an option.

There is no direct way of doing port spanning on the WRT54G; however, there are two methods I know of that will get you access to all the traffic.

The first and easiest is to ARP cache poison the switch; ettercap works well for this.

The second method is to install dd-wrt. Other open source third party operating systems for the WRT54G may also work. Make sure that the version of your WRT54G is supported.

http://www.dd-wrt.com/

Once you have dd-wrt installed you can do a poor man's port spanning by entering an IP tables rule that will forward all traffic on the router to a specific IP address.

When I first tried this it didn't work due to a known bug in the version of dd-wrt I was using. When I upgraded to the latest version it worked fine.

This will route all traffic on the box to 192.168.1.254

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee

Here are a couple of links discussing it:

wrt610n broadcom switch monitoring / mirroring / span ?
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=330802&sid=0d9a355968ba80702026c3bc81b28e97

http://preview.tinyurl.com/yewmfxu


iptables --tee for port mirroring
http://www.showeq.net/forums/showthread.php?t=6240


DD-WRT and IDS
http://jcmulle-blog.mullenixdotcom.com/2008/03/dd-wrt-and-ids.html


DD-WRT Iptables commands
http://www.dd-wrt.com/wiki/index.php/Iptables_command



keith

-- 

Keith R. Watson                        Georgia Institute of Technology
Systems Support Specialist IV          College of Computing
keith.watson at cc.gatech.edu             801 Atlantic Drive NW
(404) 385-7401                         Atlanta, GA 30332-0280
