Ñíèôôåð íà WL500gp (netflow & tcpdump)

[mumbo]

Óâàæàåìûå!

èìååòñÿ Asus WL-500gx (deluxe) è adsl ìîäåì Asus AAM6020BI.

çàäà÷à - íà ëþáîì èç ýòèõ óñòðîéñòâ íàäî âêëþ÷èòü port mirroring (èëè port span) - ò.å. ÷òîáû âñå ïàêåòû äëÿ êàêîãî-ëèáî ethernet ïîðòà ïîëíîñòüþ äóáëèðîâàëèñü íà äðóãîì ïîðòó óñòðîéñòâà.

ïîíÿòíî ÷òî ìîæíî äëÿ ýòèõ öåëåé ìîæíî èñïîëüçîâàòü äîïîëíèòåëüíûé hub èëè óïðàâëÿåìûé switch, íî

õî÷åòñÿ ñäåëàòü ýòî èñïîëüçóÿ êàêîå-ëèáî (âñå ðàâíî) èç âûøåóïîìÿíóòûõ óñòðîéñòâ, åñëè òàêàÿ âîçìîæíîñòü èìååòñÿ.

ìîæíî ëè ïåðåâåñòè WL 500gx â ðåæèì hub?

áëàãîäàðþ âñåõ îòêëèêíóâøèõñÿ!

[Tsvetkov]

ó asus-a Virtual Server, íàçûâàåòüñÿ ýòî port mapping
â ðåæèì hub - System Setup - Operation Mode - Access Point

çû RTFM

[mumbo]

спасибо за ответ, но в данном случае имелось в виду не tcp/udp port mapping, а ethernet port mirroring (в терминах cisco - span), вот здесь хорошие иллюстрации на эту тему - http://www.cisco.com/warp/public/473/41.html

что касается функционирования wl-500gx в режиме Access Point то в этом случае ethernet порты устройства находятся в режиме switch, но не hub, увы.

если знаете how to - буду признателен,

С уважением,
Андрей

[Oleg]

[root@wl500gx root]$ robocfg
Broadcom BCM5325E/536x switch configuration utility
Copyright (C) 2005 Oleg I. Vdovikin

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

Usage: robocfg <op> ... <op>
Operations are as below:
show
switch <enable|disable>
port <port_number> [state <enabled|rx_disabled|tx_disabled|disabled>]
[stp none|disable|block|listen|learn|forward] [tag <vlan_tag>]
[media auto|10HD|10FD|100HD|100FD] [mdi-x auto|on|off]
vlan <vlan_number> [ports <ports_list>]
vlans <enable|disable|reset>

Ñâèò÷ ïîääåðæèâàåò spanning tree. Êàê óïðàâëÿòü - áîëåå ìåíåå ïîíÿòíî. Ïðîáóéòå. Î ðåçóëüòàòàõ ðàññêàæèòå.

[Tsvetkov]

Îëåã êàê ÿ ïîíÿë, ÷åëîâåêó ïàêåòû ïåðåõâàòûâàòü íàäî,
ïëèç îòêàìïèëè http://www.ethereal.com/. Ïîñèëüíåå
tcpdump áóäåò. Äóìàþ ýòî òî ÷òî íàäî ÷åëîâåêó. Äà
è íàì áû ïðèãîäèëîñü

[mumbo]

Ñïàñèáî Âàì, Îëåã, çà ïîäñêàçêó, íî ÿ ïîêà íå ðàçîáðàëñÿ êàê ñ ïîìîùüþ robocfg çåðêàëèòü òðàôôèê íà ïîðò, ê êîòîðîìó ïîäêëþ÷åíà ìàøèíà ñî ñíèôôåðîì. áóäó ýêïåðèìåíòèðîâàòü )

õî÷ó âíåñòè ÿñíîñòü - ÷òîáû íå áûëî òåðìèíîëîãè÷åñêîé ïóòàíèöû )))

The Switched Port Analyzer (SPAN) feature, sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. (http://www.cisco.com/warp/public/473/41.html)

ò.å. Spanning Tree Protocol - ýòî êàê ÿ ïîíèìàþ - íåìíîãî èç äðóãîé îáëàñòè - òåõíîëîãèÿ äëÿ îïòèìèçàöèè ìàðøðóòà ïðîõîæäåíèÿ ïàêåòîâ â ñåòè, õîòÿ çâó÷èò ïîõîæå (((

ethereal êàê ðàç è èñïîëüçóþ - ñîãëàñåí, ïðîãðàììà âåñüìà ïîëåçíàÿ,
âèäèìî ìíå íàäî áîëåå ÷åòêî èçëîæèòü ñâîþ çàäà÷ó:

íàäî àíàëèçèðîâàòü òðàôôèê óñòðîéñòâà, êîòîðîå âêëþ÷åíî â ëîêàëüíóþ ñåòü.

ñíèôôåð (ethereal) ñïîñîáåí "ñìîòðåòü" òîëüêî íà òîò òðàôôèê, êîòîðûé èäåò ÷åðåç ïîðò ìàøèíû, íà êîòîðîé ñíèôôåð óñòàíîâëåí (è winpcap ÷åðåç êîòîðûé îí è ïîëó÷àåò ïàêåòû).

êîíå÷íî, ìîæíî ïîñòàâèòü äâå ñåòåâûå êàðòû â ýòó ìàøèíó è ïðîïóñêàòü òàêèì îáðàçîì âåñü òðàôôèê òðàíçèòîì èëè âêëþ÷èòü óñòðîéñòâî ÷åðåç õàá, èëè æå - ñàìûé îïòèìàëüíûé ñïîñîá - äóáëèðîâàòü âåñü òðàôôèê ïðîõîäÿùèé èç ïîðòà A íà ïîðò B â ñâèò÷å íà ïîðò C - ê êîòîðîìó ïîäêëþ÷åíà ìàøèíà ñ àíàëèçàòîðîì ïàêåòîâ.

âîò ïîñëåäíèé âàðèàíò è õî÷åòñÿ ðåàëèçîâàòü ñ WL-500gx )

ïîêà ïîïûòàþñü ÷òî-íèáóäü ñäåëàòü ñ ïîìîùüþ robocfg )))

[Chronic]

Æàëü, ÷òî íèêàêèõ ñåíòåíöèé. Õîòü êóäà êîïàòü?

[Oleg]

Êîïàòü - ñìîòðåòü êàêèå ïàêåòû èäóò ñ ïîìîùüþ tcpdump.

[Chronic]

Íàïðèìåð òàê tcpdump -i vlan1 -n -vvv port ftp or ftp-data ?

[Tsvetkov]

ñêîðåå
tcpdump -c 100 -s 0 -i vlan1 -w /tmp/harddisk/test.txt
-ñ -êîëâî ïàêåòîâ
è îòêðûâàòü Ethereal-îì ýòîò ôàéëèê è êàïòóðèòü âñå

[vladonline]

Êàê ñêàçàòü tcpdump íà ðîóòåðå íà áåñïðîâîäíîé òðàôèê?
Åñò üæåëàíèå ïîñìîòðåòü ÷òî çà ïàêåòû áåãàþò..

[Oleg]

tcpdump -i èìÿ_èíòåðôåéñà

[vladonline]

tcpdump -i èìÿ_èíòåðôåéñà

vlan1[0]?

íàøåë.. eth1

[djet]

Åù¸ îäíà ñòðàííàÿ ïðîáëåìà, òðàññèðîâêà äî ëþáîãî âíåøíåãî è âíóòðåííåãî õîñòà íå ïðîõîäèò áåç ÿâíîãî óêàçàíèÿ èñõîäÿùåãî IP. tcpdump âûäà¸ò óäèâèòåëüíûå âåùè:

[djet@(none) root]$ tcpdump host 87.250.251.8 -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
02:41:38.652705 IP 10.111.10.111.33012 > ya.ru.33441: UDP, length: 10
02:41:40.652597 IP 10.111.10.111.33012 > ya.ru.33442: UDP, length: 10

, ò.å. ïàêåòû óõîäÿò ñ ppp0 ñ îáðàòíûì àäðåñîì èç vlan1.
iptables -F íå ïîìîãàåò. Ñ ìàðøðóòàìè òîæå äîëæíî áûòü âñ¸ â ïîðÿäêå:

[djet@(none) root]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
85.21.151.130 10.111.0.17 255.255.255.255 UGH 2 0 0 vlan1
195.14.38.0 10.111.0.17 255.255.255.224 UG 2 0 0 vlan1
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
85.21.79.0 10.111.0.17 255.255.255.0 UG 2 0 0 vlan1
10.111.0.0 * 255.255.0.0 U 0 0 0 vlan1
10.0.0.0 10.111.0.17 255.0.0.0 UG 2 0 0 vlan1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 85.21.0.17 0.0.0.0 UG 0 0 0 ppp0
default 10.111.0.17 0.0.0.0 UG 1 0 0 vlan1

[Alexx_B]

Wl500gP, ïðîøèâêà 1.9.2.7-10
Óñòàíîâëåí OpenVPN. Êîãäà-òî áûëà íåîáõîäèìîñòü ïðîáðàñûâàòü rAdmin-îâñêèé ïîðò 4899 ÷åðåç ðîóòåð íà êîìï. Íî õèòðî, ÷òîáû ýòî âîçìîæíî áûëî òîëüêî ÷åðåç OpenVPN (êàêàÿ-íèêàêàÿ,à çàùèòà êîìïà). Òàê ÷òî ÷åðåç âåá-îáîëî÷êó íå ïîäõîäèò
ïîýòîìó ÿ äîáàâèë â post-firewall ïðàâèëî

Code:

iptables -t nat -A PREROUTING -p tcp -s 10.8.0.1/24 --dport 4899 -j DNAT --to-destination 10.100.1.5:4899

áûëî ýòî äàâíî è âñå ðàáîòàëî, ïîòîì íåîáõîäèìîñòü îòïàëà, òàê ÷òî êîãäà ðàáîòàòü ïåðåñòàëî ÿ íå çíàþ, íî ñåé÷àñ íå ðàáîòàåò. Ñ ðîóòåðîì çà ýòî âðåìÿ ðàçâå ÷òî îáíîâëåíèå ïðîøèâêè ïðîèñõîäèëî..

êîìàíäà òà æå, ïàêåòû óëàâëèâàþòñÿ

Code:

tcpdump -i tun0 -v
tcpdump: listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
14:54:16.637974 IP (tos 0x0, ttl 128, id 9327, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>
14:54:19.553936 IP (tos 0x0, ttl 128, id 9350, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>
14:54:25.487031 IP (tos 0x0, ttl 128, id 9394, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>

3 packets captured
3 packets received by filter
0 packets dropped by kernel

íó è âîò

Code:

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere           tcp dpt:5190 to:10.100.1.1:5190
VSERVER    all  --  anywhere             10.72.8.41
NETMAP     udp  --  anywhere             10.72.8.41         udp spt:6112 10.100.1.0/24
DNAT       tcp  --  10.8.0.0/24          anywhere           tcp dpt:4899 to:10.100.1.5:4899

 ÷åì ÿ íàêîñÿ÷èë?