loumeinhart 0 #1 October 13, 2012

I've been all over the wikis/manuals but I'm getting hung up. Here's what I'm trying to do: wireshark packets from a device connected to a buffalo router. PC is also directly connected to router.

DD-WRT 2.6.34.8 svn16372 (buffalo router 300H)
BusyBox 1.13.4
wireshark 1.6.11

Used these commands to view traffic between the device and my adapter .. I think?

iptables -t mangle -A POSTROUTING -d 192.168.10.23 -j ROUTE --tee --gw 192.168.10.28
iptables -t mangle -A PREROUTING -s 192.168.10.23 -j ROUTE --tee --gw 192.168.10.28

Verified with iptables -nvL

After this change, wireshark picks up nothing. I imagine it's something with linux networking..

In the meantime there are many things to look at but I thought maybe there's a skyjumper out there who's familiar with this..
theonlyski 3 #2 October 13, 2012

The router has a built-in switch; generally speaking, only traffic destined for the computer on that port is switched to that port. Try finding an old hub and plugging both computers into it and the uplink cable to the router.

"I may be a dirty pirate hooker...but I'm not about to go stand on the corner." iluvtofly
DPH -7, TDS 578, Muff 5153, SCR 14890
I'm an asshole, and I approve this message
loumeinhart 0 #3 October 14, 2012

Correct, so I guess I was trying to bridge two ports together? Since most 'hubs' are switches I'm probably going to try connecting 2 female RG45s to 1 piece of cat5. Please don't laugh. I guess it would then truly be the same collision domain?
jsaxton 0 #4 October 14, 2012

hope you saved an old hub somewhere, or if you have a good enough router you can do port mirroring.
theonlyski 3 #5 October 14, 2012

Quote: Correct, so I guess I was trying to bridge two ports together? Since most 'hubs' are switches I'm probably going to try connecting 2 female RG45s to 1 piece of cat5. Please don't laugh. I guess it would then truly be the same collision domain?

While you can run 2 ports on one cable, they won't be on the same collision domain on a switch. That's the exact purpose of a switch. What are you trying to accomplish?
FlyingRhenquest 1 #6 October 14, 2012

If you're running wireshark on the Linux box, try using ifconfig to put its network card into promiscuous mode. I seem to recall that working, back when I used to do that sort of thing on a regular basis. You probably could set all your packets to go through the machine that's running wireshark, but routing games like that always give me a headache.

I'm trying to teach myself how to set things on fire with my mind. Hey... is it hot in here?
loumeinhart 0 #7 October 14, 2012

jsaxton, flying R, thank you guys. I've been drifting in the port mirroring direction. It's amazing to me how complex this is. Currently I'm hashing out the physical interfaces on this router. This link (among many others including dd-wrt forum) is helping a bit: http://www.tipsternet.com/articles/dd-wrt_buffalo.html

btw where the hell is Kelly?
The111 0 #8 October 14, 2012

Quote: If you're running wireshark on the Linux box, try using ifconfig to put its network card into promiscuous mode. I seem to recall that working, back when I used to do that sort of thing on a regular basis. You probably could set all your packets to go through the machine that's running wireshark, but routing games like that always give me a headache.

Or he could ARP poison his own network and get packets headed for the other device that way... I think.

www.WingsuitPhotos.com
loumeinhart 0 #9 October 14, 2012

spoofing ARP is still on the table, but I don't have access to the device I'm sniffing (to configure a gateway .. ) I think..

I'm going to make tcpdump logs and try from there
loumeinhart 0 #10 October 14, 2012

tried arp poison with ettercap then had trouble adding hosts to the adapter running on the XP wireshark PC. So I tried installing ettercap on a win7 machine and got .dll errors. So, like the Cleve Browns, I gave up.

ftpd a tcpdump pcap from the router. Seems to open just fine in wireshark now what's with all these 1's and 0's ??
huge 0 #11 October 14, 2012

Quote: Correct, so I guess I was trying to bridge two ports together? Since most 'hubs' are switches I'm probably going to try connecting 2 female RG45s to 1 piece of cat5. Please don't laugh. I guess it would then truly be the same collision domain?

On 10BASE-2 all ports would be on the same collision domain, but based on the cable you are using something different. 10BASE-T and later generations are all point-to-point. You can "tap" into those as well, but it isn't as straight-forward as just wiring in extra connectors.

As you already noticed, "tcpdump -w" along with Wireshark is probably the easiest way to get it done
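A minimal reader for the capture file that "tcpdump -w" writes, as an added example that is not part of the thread: it walks the classic pcap records and counts IPv4 packets sent and received by the device at 192.168.10.23. The sample capture is constructed inline, and the router address 192.168.10.1 and all function names are assumptions.

```python
import io
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1

def ipv4_flows(stream):
    """Yield (src, dst) for each IPv4-over-Ethernet packet in a classic pcap stream."""
    hdr = stream.read(24)  # global header: magic, version, tz, sigfigs, snaplen, linktype
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(hdr[:4])
    if endian is None or len(hdr) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    while True:
        rec = stream.read(16)  # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            return  # end of file
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            return  # capture was cut off mid-packet
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6, VLAN-tagged or runt frame: no plain IPv4 header
        yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def tally_for_host(stream, host):
    """Count packets the host sent and received, keyed by (direction, peer)."""
    counts = Counter()
    for src, dst in ipv4_flows(stream):
        if src == host:
            counts[("sent to", dst)] += 1
        elif dst == host:
            counts[("received from", src)] += 1
    return counts

def make_frame(src, dst, ethertype=b"\x08\x00"):
    """Constructed 34-byte frame: dummy MACs plus a minimal IPv4 header."""
    ip = b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x11\x00\x00"
    return b"\x02" * 6 + b"\x04" * 6 + ethertype + ip + socket.inet_aton(src) + socket.inet_aton(dst)

def build_sample_pcap():
    """Constructed capture; 192.168.10.1 as the router address is an assumption."""
    dev, pc, gw = "192.168.10.23", "192.168.10.28", "192.168.10.1"
    frames = [make_frame(dev, gw), make_frame(gw, dev), make_frame(dev, gw),
              make_frame(pc, gw), make_frame(dev, gw, b"\x08\x06")]  # last one: ARP ethertype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1350000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for key, n in tally_for_host(io.BytesIO(build_sample_pcap()), "192.168.10.23").items():
        print(n, *key)
```

To use it on a real capture, pass a file opened in binary mode in place of the io.BytesIO sample.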
theonlyski 3 #12 October 15, 2012

Quote: spoofing ARP is still on the table, but I don't have access to the device I'm sniffing (to configure a gateway .. ) I think..

Again, what exactly are you trying to do?