This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

WAN Capture Hardware for WireShark (DSL Modem to Router via Cat5)

0

Hello,

I am looking at the feasibility of using Wireshark to passively monitor my WAN traffic. I am particularly interested in seeing if I have traffic going to US states (or even foreign destinations) where we have no reason to be communicating with. I have not used Wireshark before, but a quick study shows it will easily give me the endpoint addresses I seek. I am trying to determine what hardware I need to put in place as well as quickly get up the learning curve.

The hardware config is simply a DSL modem that connects to a router via a Cat5 cable.

TWO QUESTIONS:

What hardware device do I need to get Wireshark passively patched in and capturing all WAN traffic without interfering with the WAN link?

I have a JMicron PCI Express Gigabit Ethernet Adapter in a notebook I can dedicate to the monitoring process. How can I determine if this can be used with Wireshark for passive monitoring?

Any suggestions for smarter/better ways to handle this would be welcome!

I appreciate any help that you might offer to a WS newbie!!!

Thanks! Bruce

asked 31 Oct '13, 18:54


Bruce52

edited 31 Oct '13, 19:02

Note that neither Wireshark nor tshark is suitable for long-term monitoring. Both applications build up state about the traffic and will eventually run out of memory; the rate at which this happens depends on the traffic and any capture filters you apply.

(01 Nov '13, 03:50) grahamb ♦

One Answer:

0

I am particularly interested in seeing if I have traffic going to US states (or even foreign destinations) where we have no reason to be communicating with.

Forget about that, seriously!

Even after what we have learned in the last couple of months about the NSA and secret backdoors that might have been placed in products (routers etc.), especially if they are manufactured by US companies, you won't see any traffic to the NSA headquarters or anywhere else, as that would be way too easy to detect.

Chances are much better to see traffic from an infected PC in your network that tries to contact its C&C server.

Anyway, if there is a backdoor in your router it will certainly be triggered by a special byte sequence from the outside, like: 'sesame open your doors, I'm your master' (at least I would have chosen that as a 'door opener' ;-)). Nobody knows if there is a backdoor in your router, and manufacturers are obviously forced to silence about that issue - otherwise --> prison (see the Lavabit case, where the owner of the company was not even allowed to talk with his lawyer about all details. wow!).

So, (hypothetically) if your router sees a packet (ICMP, IP, UDP, TCP - who knows what) with that string, it might open a secret management interface or shell access for the sender IP address.

So, you will only see that kind of traffic if you are already being monitored because you are on one of those terror and/or "axis of evil" lists of whatever TLA (CIA, NSA, WTF, etc.).

However: In that case I would be really scared if I were you and wouldn't care too much about monitoring that traffic! ;-))

Anyway: if you really want to monitor that traffic:

  • Take into account what @grahamb said about long-term monitoring.
  • Take a look at the following Wiki article: http://wiki.wireshark.org/CaptureSetup/Ethernet. You can use a hub, a mirror port on a small managed switch, or you can use a bridge of two interfaces on your Wireshark PC.

Method 1: HUB or switch with port mirroring/monitoring

LAN ---- router ---- HUB/SWITCH --- DSL modem
                      |
                      |
                   Wireshark

Method 2: Wireshark PC with two interfaces, configured as a bridge.

LAN ---- router ---- Wireshark --- DSL modem

Regards
Kurt

answered 01 Nov '13, 06:33


Kurt Knochner ♦