I'm not sure what detail I should include in this post, as promiscuous mode confuses the hell out me from reading about it online. I'll just tell you about the setup I used to have before SSL encryption became common place, just so I can relate easier. Now one of the things I was reading about was how promiscuous mode doesn't work with a switched network. I used to have one of those popular Linksys WRT45G wireless router, which was connected to a Siemens Speedstream 4100 dsl modem. The computer (running Windows) that would be trying to monitor the iPod was hardwired to either one or the other, I can't remember. Would this setup mean the hardwired computer could intercept the iPod data because the modem is acting like a hub or something? The hardwired computer was using Realtek PCIe FE family controller (no idea what that is) and had Atheros AR9485 802.11 b/g/n wifi adapter that was disconnected. So is it the realtek thing that has to support promiscuous mode in this case? I read that Atheros wifi adapters usually support promiscuous mode but I suppose that only works if the computer is connected via wifi? That is all I can think of right now, if there is any additional info you need from me please let me know. Thanks asked 17 May '17, 11:37 annie093 |
One Answer:
There would be two ways of capturing the iPod's traffic:
For the first one, you'd capture on the Atheros adapter, in monitor mode. If your network is "protected", meaning it's using WEP or WPA/WPA2, and encrypting packets, you would have to follow the instructions in the Wireshark Wiki page on decrypting 802.11 traffic. In that case, the Atheros adapter would have to support monitor mode when running Wireshark; unfortunately, that's somewhat difficult on Windows - you'd need to install NPcap rather than WinPcap. For the second one, you would probably need to use a hub (a real hub, not a switching hub) with at least 3 ports. You'd plug the wireless router, the DSL modem, and the Windows PC into the hub and capture in promiscuous mode. That should work on Windows. You would need to use the hub because if either the wireless router or DSL modem has more than one Ethernet port, the Ethernet ports on the router/modem are probably on an internal Ethernet switch, so that you're on a switched network - and, no, promiscuous mode doesn't work on a switched network unless the switch supports "monitoring ports", and the cheap switches inside wireless routers and DSL/cable/etc. broadband modems usually don't support "monitoring ports". answered 17 May '17, 20:40 Guy Harris ♦♦ showing 5 of 8 show 3 more comments |
Well the router had Internet: One 10/100 RJ-45 Port LAN: Four 10/100 RJ-45 Switched
The modem had either an Ethernet and usb port or just an Ethernet port.
In any case, this would be acting as a switched network? You said it needs multiple Ethernet ports, but I'm not sure if the 4 LAN ports count. (sorry im a noob) It doesn't even matter if the computer was connected directly to modem and not the router? I searched through the manuals online and saw no mention of port monitoring as well.
So I also have another computer that is connected to the internet through just a cisco ae2500 usb adapter. If the hardware supports monitor mode, NPcap must be installed for it to work on windows. I assume promiscuous mode would not work since its not connected via Ethernet?
Thanks for the help.
Well, in the case of the router, what does "Switched" in the description of the LAN ports tell you? :-)
The modem has only one port, so it's not switched - there's nothing to switch between.
If the modem has only one Ethernet port, you can directly connect the computer to the modem, or you can connect the router to the modem, but you can't connect both - and if the router isn't connected to the modem, you wouldn't be able to have any traffic between the iPad and the Internet unless the modem itself can do Wi-Fi, but, in that case, there's probably no form of port mirroring to capture the Wi-Fi traffic.
Port monitoring tends to be an "enterprise" feature - the switches inside consumer equipment tends not to have it.
Promiscuous mode wouldn't work because 1) it's not sufficient on Wi-Fi and 2) Microsoft, at least at one point, required that the drivers for Wi-Fi adapters not support turning promiscuous mode on.
Forgive my noobiness, Guy. I'm trying to understand haha.
The model of modem I had may have also had a USB port. So in this scenario, both the router and the computer could have connected to the modem. Is it acting as a hub in this case? The computer can read all of what the router is transferring to the modem?
Wait, would I have even been able to accomplish this monitoring with a usb port? I'm just confusing myself now.
I found a manual for the SpeedStream 4100 and 4200 online. It sounds as if the USB port (in the 4200, so if you have a USB port, you probably have a 4200 rather than a 4100) appears, to the host, like a USB Ethernet adapter.
That doesn't mean it's actually an Ethernet - it just implements the same protocol, over USB, as an actual USB adapter, but the firmware in the modem that implements this may just take the packets sent to it over the USB port and send them over the DSL connection, and take packets received on the DSL port that are intended for the host on the USB port, and send them to the host, so that there's no Ethernet physical layer involved.
I suspect that it's not connected, at the Ethernet level, to the Ethernet port - i.e., that it's not acting as a hub - so you wouldn't be able to, on a machine plugged into the USB port, monitor traffic on the Ethernet port. You could try it, if you have a 4200, but I suspect it won't work.
I suppose its a moot point anyway, since we never connected through the usb port in my case.
Anyway, thanks for your help Guy. I feel like I understand much better now than I did before. :)
Sorry, another question.
I was looking at pictures, and the USB port doesn't look anything like the usb ports now. And its color coded blue. Do those old blue Ethernet cables easily connect into the usb port?
There are multiple types of USB connectors. The receptacles on a computer are mostly type-A receptacles; the SpeedStream manual says "USB Type B LAN connection (5200, 5500 series)", so it has a type-B receptacle, which definitely looks different from a type-A receptacle.
No. They're probably category 5, category 5E, or category 6 cables (which aren't "old" - they're still used), and the color probably doesn't mean anything (we have both blue and yellow category 5E cables i our house), and twisted-pair Ethernet cables use 8P8C connectors, sometimes called RJ-45, and those are different from USB connectors of any sort.
You'd use a cable with a type-A plug on one end and a type-B plug on the other end; it'd probably look like this.