Network pass-through ports w/ total data collection (2 ports on PC - in-out/out-in)

grepawking

Junior Member
Mar 8, 2014
I know that it is possible to sniff networks with a single connection, but I'm wondering if it is possible to use 2 network cards on a computer and have all the data flow through it, basically like a router, but have it retain all the data in a searchable format like tcpdump or Wireshark.

Can this be done with consumer routers?
 
Feb 25, 2011
With a consumer Linux-based router, you can set up an iptables rule that will copy all traffic to a specific IP address, and then sweep it up with something like Snort. Is that what you're after?
 

grepawking

Junior Member
Mar 8, 2014
> With a consumer Linux-based router, you can set up an iptables rule that will copy all traffic to a specific IP address, and then sweep it up with something like Snort. Is that what you're after?

Yeah, that sounds pretty much like what I'm looking for. Is there any benefit to passing it all through a computer, like a proxy, placed in-line on the WAN side of the router? (I'm guessing that with full duplex, dual NICs may not be necessary.)

I would be using Linux for this in any case. I just want to make sure that running something like Wireshark or tcpdump doesn't miss something.
 
Feb 25, 2011
> Yeah, that sounds pretty much like what I'm looking for. Is there any benefit to passing it all through a computer, like a proxy, placed in-line on the WAN side of the router? (I'm guessing that with full duplex, dual NICs may not be necessary.)

That's not what duplex is for. If you have a device that's inline between the WAN and your router, it would need to have dual NICs.

> I would be using Linux for this in any case. I just want to make sure that running something like Wireshark or tcpdump doesn't miss something.

It wouldn't miss anything either way, if you've got the router configured properly.

If you've got a traffic capture/logger set up in between your router and the rest of the network (on the WAN side) you've got, theoretically, an intrusion detection system - you could set up traffic rules, do deep packet inspection, and otherwise protect your network.

http://ptgmedia.pearsoncmg.com/images/0131407333/downloads/0131407333.pdf

If you're just trying to log traffic for creepy stalker purposes, you can just do it side-band - set up something called "port mirroring" on the router to direct a copy of all IP traffic to your logging machine as well, whatever you use. If your router is Linux-based, or if you've installed DD-WRT on it, then you can just SSH or telnet into the thing and set up an iptables rule that works the same as port mirroring.

Example: http://darrelsbrain.blogspot.com/2013/01/how-to-enable-mirroring-on-asus-rt-n66u.html
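
The side-band setup discussed in this thread, as an added example (not code from any poster or from the linked post): it prints the router-side iptables TEE rules and the collector-side tcpdump ring-buffer command for review instead of running them. The interface names `br0` and `eth0`, the collector address `192.168.1.50`, the capture directory and the helper function names are constructed assumptions, and it assumes the router's iptables build includes the TEE target.

```sh
#!/bin/sh
# Added example: prints the commands, it does not run them.
# br0, eth0, 192.168.1.50 and /var/log/pcap are constructed placeholders.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    v_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$v_old_ifs
    [ "$#" -eq 4 ] || return 1
    for v_octet in "$@"; do
        [ "${#v_octet}" -le 3 ] && [ "$v_octet" -le 255 ] || return 1
    done
}

# Router side: TEE clones each packet and hands the copy to --gateway, which
# must be a host on a subnet directly attached to the router.
mirror_rules() {
    m_iface=$1; m_collector=$2
    valid_ipv4 "$m_collector" || { echo "bad collector IP" >&2; return 1; }
    case $m_iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # Traffic arriving from LAN clients; the collector's own packets are skipped.
    printf 'iptables -t mangle -A PREROUTING -i %s ! -s %s -j TEE --gateway %s\n' \
        "$m_iface" "$m_collector" "$m_collector"
    # Traffic leaving toward LAN clients; packets addressed to the collector are skipped.
    printf 'iptables -t mangle -A POSTROUTING -o %s ! -d %s -j TEE --gateway %s\n' \
        "$m_iface" "$m_collector" "$m_collector"
}

# Collector side: full-packet capture into a ring of files so the disk cannot
# fill up (-C = file size in millions of bytes, -W = number of files kept).
capture_cmd() {
    printf 'tcpdump -i %s -n -s 0 -C %s -W %s -w %s/mirror.pcap\n' "$1" "$2" "$3" "$4"
}

# Usage: sh mirror.sh router   or   sh mirror.sh collector
case ${1:-} in
    router)    mirror_rules br0 192.168.1.50 ;;
    collector) capture_cmd eth0 100 50 /var/log/pcap ;;
esac
```

Rules like these only see packets the router itself routes; traffic switched directly between two LAN ports never passes through iptables and will not reach the collector.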