Snooping the Router Traffic

Hi guys I want to know how we can sniff or watch all the traffic passing through router. What all softwares(free) available for it and how can we do it using PenTest OS like BackTrack. Please suggest option for both windows and Linux. And router and switches are not of cisco.

Also is there any method I can apply that all traffic pass through particular system? Thanks in advance.
Edited: Sorry I think I was not able to keep my question in right way...Diagram is just to show real scenario and not that I want to apply it on packet tracer.Router and switches are not of cisco.Router id of D-Link, and switch is also simple one which cannot be configured.

Also if I am using any sniffer like wireshark or cain and able , they work on particular interface (wireless or ethernet). But I want whole data capture.
Thank You

Capture.PNG

Find more posts tagged with

Comments

atorven

Check out Netflow, I doubt that it's supported in packet tracer.

OfWolfAndMan

I don't know of a way to do it with packet tracer, but Wireshark is the way to go.

https://www.wireshark.org/

If you happen to have a copy of GNS3, you can run packet captures on a particular interface as well (Assuming you have Wireshark installed). I would start by configuring OSPF on a router and learning about the different packet types (Database Description, Update, Hello, etc). That's just one example though. There are many packets to worry about in the wireshark world, but you'd be best to start out with the basics i.e. CDP, icmp echo/echo reply, DNS, ARP, etc.

Also, Windows, Mac OS and Linux all support wireshark. Cheers!

theodoxa

For Physical Equipment, your options are --

1. Connect a Cisco Switch in between and use SPAN/RSPAN to mirror the port to a port connected to a laptop running Wireshark, or
2. Buy a Dumb Hub and connect it in between; Connect a laptop running Wireshark to a different port.

GNS3 supports packet captures directly in the software. I don't know of any way to capture in Packet Tracer.

TechGuru80

As mentioned there are several non malicious ways. You can also use macof to flood the CAM table and then watch traffic on Wireshark. That would be more of a pentest method.

lrb

If you turn off CEF and use the debug ip packet detail **** command you can see some pretty verbose output regarding the packets transitting through the router.

E.g.

R2(config)#no ip cef
R2(config)#access-list 199 permit tcp host 1.1.1.1 host 5.5.5.5 eq telnet

R2#debug ip packet detail 199 ****
IP packet debugging is on (detailed) (****) for access list 199

And on host R1 (1.1.1.1) i type en to get to enable mode; i've highlighted the Telnet data

R2#
*Oct 1 05:39:42.284: IP: s=1.1.1.1 (Ethernet0/0), d=5.5.5.5 (Ethernet1/0), len 41, input feature
*Oct 1 05:39:42.284: TCP src=44456, dst=23, seq=3924420166, ack=366854021, win=4028 ACK PSH
B1685ED0: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
B1685EE0: 45C00029 526C0000 FF065C97 01010101 E@.)Rl....\.....
B1685EF0: 05050505 ADA80017 E9E9E646 15DDBF85 ....-(..iifF.]?.
B1685F00: 50180FBC DBB00000 65 P..<[0..e , Policy Routing(76), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
...
R2#
*Oct 1 05:40:19.648: IP: s=1.1.1.1 (Ethernet0/0), d=5.5.5.5 (Ethernet1/0), len 41, input feature
*Oct 1 05:40:19.649: TCP src=44456, dst=23, seq=3924420167, ack=366854022, win=4027 ACK PSH
B1692860: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
B1692870: 45C00029 526E0000 FF065C95 01010101 E@.)Rn....\.....
B1692880: 05050505 ADA80017 E9E9E647 15DDBF86 ....-(..iifG.]?.
B1692890: 50180FBB D2AF0000 6E P..;R/..n , Policy Routing(76), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

I've also removed some of the extra protocol overhead such as the ACK to acknowledge the telnet server echoing back everything I type.

HTH