Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Wireless Networking Hardware

Build an Open Source Network Sniffer 99

An anonymous reader writes "This article reviews common issues of wireless security, and shows how to use open source software to suss out wireless networks, get information about them, and start recognizing common security problems. You will learn how build a lightweight wireless sniffer that runs on open source software and see how simple it is to interact with wireless networks."
This discussion has been archived. No new comments can be posted.

Build an Open Source Network Sniffer

Comments Filter:
  • What I really want (Score:5, Interesting)

    by nizo ( 81281 ) * on Monday January 17, 2005 @03:34PM (#11388554) Homepage Journal
    Rather than yet another wireless sniffing tool, what I really want is a linux firewall that sits between my wireless router and the rest of the world that tosses traffic from unauthenticated IP addresses (you could authenticate with, say, ssh or perhaps by hitting an SSL protected web form). Until the newly connected machine authenticates itself the firewall would squelch all outgoing traffic. It seems like this wouldn't be too hard to write, but before reinventing the wheel has anyone heard of such a thing? It would at least help keep random people from using our wireless network to surf the web (it is already outside of our firewall to help protect the rest of our network). I am all for allowing freebie wireless access to the masses, but I am not too keen on letting Joe Wardriver download kiddie porn from our work DSL either. This kind of tool seems like it would be useful to use in conjunction with a lowend wireless router.
    • Why not (Score:1, Insightful)

      by Anonymous Coward
      just get a WPA-enabled wireless router?
      • Better yet (Score:1, Insightful)

        by Anonymous Coward
        WPA w/ a radius server running on that linux box.
      • short answer: they're not as available as they should be.
        • Re:Why not (Score:3, Informative)

          by Directrix1 ( 157787 )
          Exactly so here is my method to solve this problem:
          * Buy wireless AP and a linux box with 2 NICs
          * Hook one NIC to your network the other NIC to the wireless AP
          * Download and install OpenVPN on your linux box
          * Setup iptables to DROP all packets being forwarded from the outside NIC to the inside and vice versa:

          # Assuming:
          # * eth0 is the outside NIC
          # * eth1 is the inside NIC
          # * Default iptables policy is ALLOW
          # * Your linux kernel supports iptables,
          # and routing
          iptables -A FORWARD -i eth0 -j DROP
          iptables -
    • by ZiZ ( 564727 ) * on Monday January 17, 2005 @03:37PM (#11388599) Homepage
      What you really want is something like NoCatAuth [nocat.net] (described nicely by this article [oreillynet.com]. There are plenty of other similar solutions out there - look for 'linux wireless authentication gateway' or something similar on your favorite search engine [google.com].
    • by heavy snowfall ( 847023 ) on Monday January 17, 2005 @03:44PM (#11388667) Journal
      Try ipcop [ipcop.org], it can split off your network into a wireless part and a wired part, and even add a third zone for public servers. The wireless part defaults to not giving access to either the internet or your other, wired computers, and you have to add mac addresses to a table for wireless clients to be able to connect. And it has nice graphs too, so you can see if someone's using your connection. Use this with WPA and vpn maybe. If you want more security, use wired lan instead.
      • by nizo ( 81281 ) * on Monday January 17, 2005 @03:50PM (#11388714) Homepage Journal
        ...add mac addresses to a table for wireless clients...

        Sadly this isn't very secure, since mac addresses can be faked (my wireless router already has this feature built-in). However it looks like ipcop has other types of authentication too [Version 0.2 of IPCop will include an Amber Zone (Wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections among other things] so I will check it out :-)

        • I know they can be faked, but it's still much better that if someone wants access to your network, they have to spend some time trying to figure out your mac and ip addresses than not, IMO.

          It's more of a deterrent than an unbreakable security measure, but add enough deterrents and that wardriver might just use your neighbours unsecured network instead.

          And if they manage to get access, they still have to crack an iptables firewall to get to your servers. Good enough for me.
          • by Peyna ( 14792 )
            Considering the number of entirely open networks out there, I expect most people will just drive onto the next one unless they know you have something valuable on your network that they really want. For the average home user, WEP + MAC Address filtering is enough security to make the wardriver go to the next house. If you're a business with your name on the outside of the building though, you might have people that will be willing to try a little more to get access to your network.

            (I did this when I firs
        • I wouldn't use CIPE. Unless something has dramaticly changed, it has some major problems. Please see:

          http://diswww.mit.edu/bloom-picayune/crypto/14238

          and

          http://www.politechbot.com/pipermail/politech/2003 -September/000038.html

          They may have fixed this. I dunno, since the reaction of people on the list to this analysis made me write the whole thing off and unsubscribe.


      • The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound. All traffic originating on the "Green" (inside or internal) interface is permitted. Nachia and Slammer will fly right through this config. Any worm or virus or trojan that tries to use TFTP to download more tools will also be successful.

        Permitting only the traffic that needs to traverse a firewall IN ALL DIRECTIONS is a basic firewall/security concept.
        • Let me clarify my last post. If a machine on your IPCop/Smoothwall protected network is compromised, then any outbound connections that these worms/virus/trojans/attackers make, will successfully traverse the firewall.

          In the case of a worm like Slammer, it will be able to further propogate, Nachia will be able to flood your ISP connection, an attacker will be able to download a toolkit, etc...
        • The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound.

          But one of the neat things about IPcop is that it's one of them open source things. So while youre quite correct that the pretty GUI doesnt have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.
          • But one of the neat things about IPcop is that it's one of them open source things. So while youre quite correct that the pretty GUI doesnt have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.

            True. And I have done this with my own Smoothwall box. It would be nice to have this in the GUI. I believe it must be there before either of these firewall packages can claim that they can/should be used in business enviornments as is.

            To answer
      • You know, I really like the look of IPCop, but one thing I didn't see when I looked at the manual and screenshots is support for outbound traffic rules. I like to deny all outbound traffic by default, and then enable particular services from particular boxes (such as POP to my ISP's mail server, HTTP/S from my LAN Squid box, etc.)

        For the life of me, I can't see where you'd codify that in IPCop. It seems to assume that the only traffic that needs to be regulated is inbound traffic. Prove me wrong and I'll

        • Outbound traffic is called 'egress filtering' (yes, you need to know that so that you know what to google for ;) )

          And yes, it is possible through the iptables stateful firewall (older version used ipchains).

          If you don't like managing your firewall rules by hand, there are plenty of perl scripts (bash shell scripts can be klunky and slow) to manage this for you.

          This is also one method to add the myriad of anti-peer-to-peer addresses that keep growing day by day.

          I love IPCop, and not just because Phil is
    • by john_g_galt ( 522650 ) on Monday January 17, 2005 @03:46PM (#11388685)
      Sounds like you like something like this [sourceforge.net]?

      From the website above:

      "NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs."
      • Interesting, I did search for "authenticated DHCP" earlier but didn't find this for some reason. I currently allow the wireless router to act as the DHCP server, but it has the option to allow another host to do this. Thanks for the link!
        • No problem. I remembered it from a Sys Admin magazine a while back, so I think it's been in production for a few years and is probably fairly stable. That said...I've never used it ;)
    • by Anonymous Coward
      Have you looked into PublicIP [publicip.net]? It's easy to set up and runs off a live distro.
    • You can accomplish what you want with VPNs. The WAP exists in a little isolated world along with a VPN server. Clients connect to the AP and have to log in to the VPN in order to go anywhere "real."

      The particular choice of VPN client/server software depends on the types of clients you'll want to allow, etc.

    • How about a plain apache+ssh/whatever authentication server with a form (php or whatever) that calls a script to add an iptables rule? seems simple enough to me...
    • This might do what you want:

      http://openbsd.org/faq/pf/authpf.html [openbsd.org]

    • by Jjeff1 ( 636051 )
      What you've described is exactly what MIT uses on their network. They have a large number of both wireless and wired access places. I'd assume some googling on their site might get you a little information.
      Attach a forgeign computer and it prompts you to login. Non MIT users are prompted for name and email and only allowed 15 days access per year.
      Apparently they key everything via MAC address. I let a friend borrow my old wireless NIC, when he went to register it welcomed ME back. I hadn't used the NIC
    • did it with samba.

      mount network drive -> add a few entries in the firewall
      unmount -> remove entries

      works a treat when all your tables are default drop ;)
    • Sounds like what you really need is FreeRADIUS on the Linux box, and WPA on the wireless router.

      Assuming you were looking for accomplishing all of that and didn't care whether the buzzword "firewall" was involved.
  • Network "sniffer"? (Score:5, Interesting)

    by ZiZ ( 564727 ) * on Monday January 17, 2005 @03:34PM (#11388562) Homepage
    While this tool that TFA references and builds is a pretty neat interface to viewing broadcast-SSID access points, I don't think it really qualifies as a 'sniffer', because it doesn't deal at all with sniffing packets, detecting non-broadcast-SSID access points, or anything along those lines.

    It is, however, a pretty neat text-only interface to enumerate broadcasting APs, and honestly, the code for the interface makes for more interesting examination than the code for the 'sniffing'.

  • by Anonymous Coward on Monday January 17, 2005 @03:40PM (#11388621)
    Has anyone actually looked at the cost of commercial "Sniffer" devices? Network General (Formally Network Associates) sells a version that is outragiously priced. Granted, it does have additional functionality, but all you need is a Sniffer. I wonder how a company can sell such a half-assed product, and why people would still buy it. Ethereal is a really nice "free" program to use, and there are many other ways to get a NIC to display everything flowing through it.
    • by dustinbarbour ( 721795 ) on Monday January 17, 2005 @04:15PM (#11388930) Homepage
      I'm part of a federally-funded research team working on wireless security and internet forensics and we use AirMagnet [airmagnet.com] to sniff packets.
      • ...federally-funded...AirMagnet...

        Um... ya, I'm guessing when the parent poster said "outragiously priced" they had products just like yours in mind. I mean, if the price *isn't even listed* on their website then you probably can't, or don't want to, afford it.
    • by Anonymous Coward
      The reason Network General sells Sniffer as software so well is the functionality that is built in, but also the assurnce that it works as advertised with the supported NICS.

      Distributed sniffer sells because it can keep up with it's rated capacity, 2GB/s (the one I use) without dropping a single frame and the pre/post filters are great for slicing and dicing data. I can get to it from almost anywhere, and I don't have to monkey with it.

      I am very grateful for the work done in open source projects and I sup
  • by thegnu ( 557446 ) <(moc.liamg) (ta) (ungeht)> on Monday January 17, 2005 @03:42PM (#11388642) Journal
    I have bookmarked it. This is the kind of crap I love. I just today acquired a Cassiopeia E100 for free, and I'm going to a)install Linux on it, and b)see if I can get wireless running on it. This is gonna be awesome.

    My favorite software slogan ever is for ethereal, "Sniffing the glue that holds the internet together"

    I'm sure a lot of you know this but this is in reference to TCP/IP being called "the glue that holds the internet together" Oh so funny. And oh so off-topic. I'm sorry. I love you guys.
  • Linksys WRT54G/GS (Score:5, Interesting)

    by adamjaskie ( 310474 ) on Monday January 17, 2005 @03:55PM (#11388753) Homepage
    Its sold as a "router", but what it really is is a little plastic box with a 200MHz MIPS embedded computer running Linux. You can replace the firmware with something like Sveasoft's modified version, that allows you to SSH into it, and run something like Snort on it. You can turn off the onboard wireless card if you don't need it, and disconnect the antennas for an even more compact device. Without the radio going, it probably won't even put out much heat.
  • by pp ( 4753 ) on Monday January 17, 2005 @04:03PM (#11388826)
    Get a Linksys WRT54G (no need for GS even, you're just going to use it for sniffing), stick openwrt on it, put kismet_drone on it and off you go. Gives you your wlan traffic over good old Ethernet, and costs something like $65 nowadays.

    Or you can buy a $30-50 card for your PC which might or might not be able to do monitor mode depending on your drivers, and might or might not reliably go into monitor mode depending on the exact sequence of iwconfig/ifconfig/catting stuff into files in /proc you are doing and finally might or might not show you all the packets since the firmware hides them from you.

    Of course if you're running around with a laptop the Linksys option is a bit tricky since you need to feed power to it. For basic indoor problem-solving it's unbeatable. Unless someone comes up with a reliable source for prism2.5/3's.

    Still need to find a good 802.11a solution though.
  • After the article yesterday (the day before?) with the Altoids tin MP3 player, I thought this was going to be another project like that and got my hopes up. Oh well. :)
  • by Anonymous Coward
    Unfortunately, sniffers are one area that Open Source solutions fail miserably; at least with modern high-speed networks. And there isn't any easy solution around this. Granted, we're talking in the 100-1000 Mbs range; but the wireless folks are moving in that direction.

    There's a paper which discusses the problem quite well: http://luca.ntop.org/Ring.pdf [ntop.org]

    The thing which I found surprising is how awful Linux stood up to the tests. The standard Linux kernel + stack was dropping the majority of packets; a

    • by Anonymous Coward
      Nope, that's not a troll. Please go read the paper. Linux has too much overhead when handling interrupts.

      I suppose you can stick your head in the sand, but unless you know how to deal with this, you're misleading people if you think you're actually capturing packets on a high-speed network.

      This is actually an important problem for those of us who are trying to use Linux in this area; and this is the first paper I've seen which actually describes the problem, how to reproduce it, and some work-arounds for
    • The paper the AC pointed to, Improving Passive Packet Capture: Beyond Device Polling [ntop.org], seems to indicate that the problem is with the performance of tools like libpcap at high speeds and /or that a real time system is needed, not the open vs closed situation that the AC painted in the parent post.

      Yes, a specialized kernel is needed. Yes, some other kernels, maybe QNX, might be better than plain vanilla BSD or Linux kernel. Yes, MS Windows isn't even anywhere remotely close to supporting this kind of techno

  • by Anonymous Coward
    Current status is pretty poor. Well, it isn't if you consider "open source" some stub code with a binary object file for Linux.

    Here, I would like to call everyone's attention so people get rid of the cloth in front of the eyes and see the real status: some do NOT provide info, like Conexant for their new generation prism54 ( Intersil did for the first gen [prism54.org]), Intel for their 2100 [sourceforge.net] or 2200 [sourceforge.net] chips or TI for the acx100 [sourceforge.net]. Others provide binary only drivers, like Atheros (dig in the OpenBSD source, they reverse engi

  • all I am after, is a simple tool to switch networks on the fly... I can make wireless work great, but if I don't connect to the network I want the first try, I am stuck...

    kismet requires special drivers to scan, but if you figure that winxp comes with a simple interface for this built-in, it's kinda depressing that we can't seem to build a good tool that can do that, list the available networks, and give a good connect to them.. (without beating my head on the kernel modules, been there, it hurts, especial
    • i wrote a pair of perl scripts on a friends laptop that stores all the networks it sees, regurgitates a list on request and will connect to a given name.

      the whole thing was about 2 pages of code, and only used the wireless-tools package...

      read the manual for iwconfig and associated tools ;)
  • The article looks promising until I see lines of code instead of nice screenshots. Does anyone know a good GUI tool for Linux (built with something like QT or GTK) that is free (like speech) that allows me to find broadcasted SSID's in my area?

    Windows users love to rub in how easily their linksys tools do this for them... I want an equivalent for my Ubuntu box.

    I am the new wave of Linux users- "the more GUI the better" (TM).

  • This looks interesting in a general way, but it's not really a sniffer is it?

    When I see sniffer I think something that captures packets and does at least a basic protocol decode on them (ie. SnifferPro - overpriced though it is, or Ethereal - great free package).

    Am I missing something or is this just a OSS tool to enumerate wireless networks?

  • by trb ( 8509 )
    Thanks to the magic of threading, this data can be updated dynamically. In the sample code there's a thread that reruns wiconfig regularly (about every second), repopulating the array with current data, which is displayed by the display thread.

    I don't understand why this project needs the magic of threads instead of just sockets.

    • Well, you can do it lots of ways. I even said the threading was "an experiment". :)

      Personally, if I were doing this again, I probably wouldn't use threading for it.
  • A quick rtfa tells me that this isn't a sniffer at all, it's just a perl script that parses the plain-text output from someone elses sniffer. Sorry, no donut. NEXT!

    What's up with tcpdump [tcpdump.org] and friends, snort [snort.org], kismet [kismetwireless.net], bsd-airtools [dachb0den.com] and ethereal [ethereal.com] anyway?

  • Kismet [kismetwireless.net] is an excellent wardriving tool for Linux, which will even run on your PDA.

    For those of us interested in maps of what wardrivers have found in your neighborhood, check out WiFiMaps.com [wifimaps.com].
  • If you come across my access point, I'll give you an IP-address (I'm a friendly person), and that's where it will end. The server end is completely firewalled, except for port 1194 running openVPN.

    Only if you have a certificate signed by me, you will get a tunneled IP-address allowing you to access to both the internal LAN and the internet (and the server itself).
  • Anyone know how to go about building one of these?

    Do a google search on 'PRI Tester' and you'll find dozens of hand held devices that run about $3K. I'd like a laptop with a ISDN PCMCIA card running just a simple stack to sniff what the other end is transmitting.

    Yeah, yeah, yeah, I'll look around on my own.

He who steps on others to reach the top has good balance.

Working...