Snooping the Router Traffic

vawk Registered Users Posts: 4
Hi guys, I want to know how we can sniff or watch all the traffic passing through a router. What free software is available for it, and how can we do it using a pentest OS like BackTrack? Please suggest options for both Windows and Linux. The router and switches are not Cisco.


Also, is there any method I can apply so that all traffic passes through a particular system? Thanks in advance.
Edited: Sorry, I think I was not able to phrase my question the right way... The diagram is just to show the real scenario, not that I want to apply it in Packet Tracer. The router and switches are not Cisco. The router is a D-Link, and the switch is also a simple one which cannot be configured.

Also, if I am using a sniffer like Wireshark or Cain and Abel, they work on a particular interface (wireless or Ethernet). But I want the whole data capture.
Thank you

Comments

  • atorven Member Posts: 319
    Check out NetFlow; I doubt that it's supported in Packet Tracer.
  • OfWolfAndMan Member Posts: 923
    I don't know of a way to do it with Packet Tracer, but Wireshark is the way to go.

    https://www.wireshark.org/

    If you happen to have a copy of GNS3, you can run packet captures on a particular interface as well (assuming you have Wireshark installed). I would start by configuring OSPF on a router and learning about the different packet types (Database Description, Update, Hello, etc.). That's just one example though. There are many packets to worry about in the Wireshark world, but you'd be best to start out with the basics, i.e. CDP, ICMP echo/echo reply, DNS, ARP, etc.

    Also, Windows, Mac OS and Linux all support Wireshark. Cheers!
    :study:Reading: Lab Books, Ansible Documentation, Python Cookbook 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
  • theodoxa Member Posts: 1,340
    For physical equipment, your options are:

    1. Connect a Cisco switch in between and use SPAN/RSPAN to mirror the port to a port connected to a laptop running Wireshark, or
    2. Buy a dumb hub and connect it in between; connect a laptop running Wireshark to a different port.

    GNS3 supports packet captures directly in the software. I don't know of any way to capture in Packet Tracer.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • TechGuru80 Member Posts: 1,539
    As mentioned, there are several non-malicious ways. You can also use macof to flood the CAM table and then watch traffic in Wireshark. That would be more of a pentest method.
  • lrb Member Posts: 526
    If you turn off CEF and use the debug ip packet detail **** command, you can see some pretty verbose output regarding the packets transiting through the router.

    E.g.

    R2(config)#no ip cef
    R2(config)#access-list 199 permit tcp host 1.1.1.1 host 5.5.5.5 eq telnet

    R2#debug ip packet detail 199 ****
    IP packet debugging is on (detailed) (****) for access list 199


    And on host R1 (1.1.1.1) I type en to get to enable mode; I've highlighted the Telnet data

    R2#
    *Oct 1 05:39:42.284: IP: s=1.1.1.1 (Ethernet0/0), d=5.5.5.5 (Ethernet1/0), len 41, input feature
    *Oct 1 05:39:42.284: TCP src=44456, dst=23, seq=3924420166, ack=366854021, win=4028 ACK PSH
    B1685ED0: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
    B1685EE0: 45C00029 526C0000 FF065C97 01010101 E@.)Rl....\.....
    B1685EF0: 05050505 ADA80017 E9E9E646 15DDBF85 ....-(..iifF.]?.
    B1685F00: 50180FBC DBB00000 65 P..<[0..e , Policy Routing(76), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    ...
    R2#
    *Oct 1 05:40:19.648: IP: s=1.1.1.1 (Ethernet0/0), d=5.5.5.5 (Ethernet1/0), len 41, input feature
    *Oct 1 05:40:19.649: TCP src=44456, dst=23, seq=3924420167, ack=366854022, win=4027 ACK PSH
    B1692860: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
    B1692870: 45C00029 526E0000 FF065C95 01010101 E@.)Rn....\.....
    B1692880: 05050505 ADA80017 E9E9E647 15DDBF86 ....-(..iifG.]?.
    B1692890: 50180FBB D2AF0000 6E P..;R/..n , Policy Routing(76), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    I've also removed some of the extra protocol overhead such as the ACK to acknowledge the telnet server echoing back everything I type.

    HTH
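As an added example (not code from the post or from Cisco), here is a small Python decoder for the hex dumps lrb pasted above: it recovers the raw frame from the "ADDR: xxxxxxxx ..." lines, walks the Ethernet, IPv4 and TCP headers, and returns the fields the debug line prints plus the Telnet payload byte that the "i've highlighted" remark refers to. The two dumps are copied from the post; the parsing rules (stop at the first non-hex token or after 16 bytes per line) are assumptions about the IOS dump layout.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample input: the two dumps from lrb's post, one per packet.
PKT1 = r"""B1685ED0: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
B1685EE0: 45C00029 526C0000 FF065C97 01010101 E@.)Rl....\.....
B1685EF0: 05050505 ADA80017 E9E9E646 15DDBF85 ....-(..iifF.]?.
B1685F00: 50180FBC DBB00000 65 P..<[0..e , Policy Routing(76), rtype 2"""
PKT2 = r"""B1692860: AABB CC000200 AABBCC00 01000800 *;L...*;L.....
B1692870: 45C00029 526E0000 FF065C95 01010101 E@.)Rn....\.....
B1692880: 05050505 ADA80017 E9E9E647 15DDBF86 ....-(..iifG.]?.
B1692890: 50180FBB D2AF0000 6E P..;R/..n , Policy Routing(76), rtype 2"""

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")

def dump_to_bytes(dump: str) -> bytes:
    """Recover raw frame bytes from IOS 'ADDR: hexwords ... ascii' dump lines."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        taken = 0  # hex chars consumed on this line (16 bytes = 32 chars max)
        for tok in line.split(":", 1)[1].split():
            # The first non-hex token starts the ASCII column. On a short last
            # line a hex-looking ASCII run could be misread, so the IP total
            # length is applied afterwards in decode_ip_tcp() as a guard.
            if taken >= 32 or not HEX_TOKEN.match(tok):
                break
            raw += bytes.fromhex(tok)
            taken += len(tok)
    return bytes(raw)

def decode_ip_tcp(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP and return the fields IOS prints."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]  # drop bytes past IP total length
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    bits = ((32, "URG"), (16, "ACK"), (8, "PSH"), (4, "RST"), (2, "SYN"), (1, "FIN"))
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "len": total_len, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "win": win,
            "flags": " ".join(n for b, n in bits if off_flags & b),
            "payload": tcp[(off_flags >> 12) * 4:]}
```

Running both dumps through it yields payloads b"e" and b"n", i.e. the "en" typed on R1, with src/dst, ports, seq/ack and window matching the debug lines.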