This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Man in the Middle attack on a Router?

2

To keep it simple: I want to capture ethernet traffic on my LAN. It's a mansion that we are in and I am the admin. All we have is a 5yr-old Netgear router. It has four output ports. I am connected in one of them. I have already gone through the wiki: http://wiki.wireshark.org/CaptureSetup/Ethernet. I get what it says, but we don't use any switch or hub, and it doesn't mention anything about routers. It's just 4 of us connecting directly to the ADSL router. I wanna know who is using up the most bandwidth. I can't afford to buy a switch or a hub. So, I was thinking about the MITM attack.

But I have no idea how any of these methods will work in case of a router, since I believe it's more sophisticated and intelligent than a switch. So, need some advice or knowledge into this.

My objective is simple: I need to capture and explore the ethernet traffic on my LAN.

If MITM is not possible/suitable in my setup, please guide me to a more viable option.

asked 18 Aug '11, 02:18

nsantosh


2 Answers:

2

You're referring to an ADSL router. Please be aware that this is more than an (IP network) router. It is more a residential gateway, which means that:

  • It connects to the DSLAM in your local exchange
  • It performs NAT
  • It performs DHCP for your local network
  • It switches your local network
  • Might even do WiFi, VoIP, POTS, DECT (although that's in the newer models)

Note that these four connections are indeed switch ports. The other end of the switch is internal to the device, for it to provide DHCP, NAT and routing service over the DSL line.

So it's a question of can you manipulate the switch in your ADSL router? Does it allow 'ARP poisoning' or does it create havoc? You'll have to try it out. Be aware that all traffic will be flowing through your connection and your platform, so this may offset/influence the very thing you want to measure.

answered 18 Aug '11, 04:07

Jaap ♦

@Jaap: You are right! It is a residential gateway and it performs NAT, DHCP, etc. So how can you say if the switch in the router can be manipulated (ARP poisoning)? Is it something dependent on the router's model? Router's model is Netgear wgr614 v7 btw.

And by "all traffic will be flowing through your connection and your platform", you mean it will flow thru the attacker's machine right? My machine in this case.

(18 Aug '11, 04:45) nsantosh

Note, your reply above should have been a comment to Jaap's answer not a "new answer". (I converted it to a comment -Guy Harris)

Arp poisoning (or spoofing) means fooling a machine about the location of another machine and making it send packets to another place where they are intercepted.

See here for more info.

(18 Aug '11, 08:18) grahamb ♦
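
A defensive check for the ARP poisoning described in the comments above, as an added example that is not part of the original thread: it compares two ARP-table snapshots in Linux `arp -an` format and flags an IP whose MAC changed or a MAC answering for several IPs. The sample tables, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `arp -an` lines such as "? (192.168.1.1) at 00:1b:2f:aa:bb:01 [ether] on eth0".
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")

# Constructed sample snapshots (not from the thread).
BEFORE = """\
? (192.168.1.1) at 00:1b:2f:aa:bb:01 [ether] on eth0
? (192.168.1.3) at 00:1c:c0:11:22:33 [ether] on eth0
? (192.168.1.4) at <incomplete> on eth0
"""
AFTER = """\
? (192.168.1.1) at 00:1C:C0:11:22:33 [ether] on eth0
? (192.168.1.3) at 00:1c:c0:11:22:33 [ether] on eth0
"""

def parse_arp_table(text):
    """Return {ip: mac}; unresolved (<incomplete>) entries do not match and are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def find_anomalies(before, after):
    """Compare two {ip: mac} snapshots and return a sorted list of findings."""
    findings = []
    # 1. An IP whose MAC changed: the mapping a poisoned host would show for the gateway.
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    # 2. One MAC answering for several IPs. Proxy ARP or a multi-homed host can
    #    cause this legitimately, so treat it as something to review, not proof.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print(finding)
```
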

0

I don't know that Wireshark is the tool you want for this job. What you really want is a switch/router monitor application.

I'd recommend something like Fluke Networks' FREE Switch Port Monitor, available from http://networking.flukenetworks.com/?elqPURLPage=607 - it talks SNMP, as do most DSL routers, and I've used it to track throughput on DSL routers from several different manufacturers.

If you're up for something a little more ambitious, you might also take a look at Multi-Router Traffic Grapher (MRTG), at http://oss.oetiker.ch/mrtg/ - this freeware product talks to a dizzying variety of network devices and produces very nice hourly/daily/weekly/monthly usage charts for each interface.

answered 19 Aug '11, 21:00

wesmorgan1

edited 19 Aug '11, 21:05

If he ultimately wants statistics, yes, and the only thing he'll do with the traffic on the LAN is summarize it, Wireshark might not be the best tool.

If, however, he truly wants to "capture ethernet traffic on [his] LAN", and needs to see the traffic rather than just get summary statistics from it, the tools you mention don't look as if they'll help.

(20 Aug '11, 12:01) Guy Harris ♦♦