I'm looking for some concepts about sniffing my own network. Specifically:

I have XP installed on a laptop. I'd like to monitor XP on my network to track various "phone home" nonsense.

I have a Sony ebook reader. I always keep the wireless radio off. I am curious how the software tries to phone home or mine data and want to monitor that connection too.

The ebook reader supports both network wireless and 3G.

I can connect the laptop with wired or wireless but the ebook reader is limited to wireless.

Yes, I plan to disconnect my network cable at the wall before starting these tests.

My network looks like this:

I have a stock Slackware 14 and have wireshark installed as well, if that helps.

Questions:

* To properly monitor either connection, do I need to install a switch between the Linksys router and ISP VOIP router, and then connect another computer to the switch?

* When enabled, will the ebook reader automatically connect to a 3G network or do I need a 3G account for that to happen?

Thanks again!

I believe that Sony has a partnership with AT&T for their ereaders, so it is entirely possible that it could connect to AT&T with or without an account. I'm not certain how one could tell either way, though.

As for your first question, I'm probably not qualified to say.

Thanks for the info. Fortunately, the reader can use only one wireless mode at any one time and has to be manually reconfigured to switch. Still, I am assuming the "worst" that the device would autoconnect when 3G is enabled. I have no idea how to prevent a connection in that mode. I'm in a rural area where 3G is spotty at best, but I still prefer to prevent connections.

Edit: Looks like the 3G coverage is automatic because the service is free:

http://www.the-ebook-reader.com/sony-prs-950.html

I'd be more worried about the software Sony ships with the device and which you are supposed to use when transferring books & magazines to the ereader (when not using wireless or 3g).
That is why I use calibre instead. It is a better library management system than Sony's own software. Plus, you can run it as a OPDS server on your home LAN (see http://manual.calibre-ebook.com/cli/calibre-server.html for details) and never have a need for a USB data connection anymore.

Eric

1 members found this post helpful.

Unless you have a "decent" (read expensive) managed switch you won't be able to achieve what you want the way you want to. Switches work by directing specific traffic from port to port, hence the name switch.

You will either need a managed switch with a port that can be configured to present all traffic or you will need to have a server acting as an intermediary.

To use your diagram:

With this configuration your "middle man" server will be able to act as a router and sniff packets accordingly.

Since you are looking for concepts, I will share my topology of my current network with you.

Cable modem --> firewall/dhcp,dns,etc --> managed switch --> LAN

Now even though I have a managed switch, I didn't always have it. In the past, I used the firewall in between my modem and my network to monitor my network. I use tcpdump and wireshark to dump whatever I need to, monitor, etc, and it works quite well. I have a wireless access point integrated within my LAN, with its own subnet, which I keep on the 192.168.3.0/24 subnet. Since I have my firewall acting as DHCP server and DNS as well, it makes it easy to see whatever I need to. tcpick is also a nice tool to use to pick apart your data/packets.

Could you use wireshark to check the traffic from only that host ?

Only on a network topology where a box can "see" that traffic. (For example as per my and corp769's diagrams).

A host, even with a NIC in "promiscuous mode" won't see traffic for other hosts unless the switch is specifically configured to do so.

OK - but I was referring to installing wireshark on the Windows XP machine, where the "questionable" software is installed. Then surely wireshark would be able to see everything going thru the network card on that same host ?

Indeed, you're totally right for the XP machine.

@TenTenths - your signature is wrong ! The "engineers dilemma" (good,fast,cheap - pick any two) does NOT apply to Linux ! With Linux you CAN have all three.

1 members found this post helpful.

lol, our current linux based project has approximately 40 people working on it full-time and needs a production platform of over 20 servers at $10K each.
Hardly "cheap"

Good point. But "supposed to use" are the key words. Fortunately (for me) that software is Windows, which I avoid. I don't use any software to transfer books to the reader. I don't use DRM books and I don't buy electronic books (lots of classics and otherwise free books available).

I connect the device via USB and copy files to the reader. I'm not into creating collections on the reader. I have my books already sorted by author on my network. I copy a dozen books or so into the root directory, read the books, and then delete the books from the reader when finished. I always keep my copies of books on my network.

There is an update to the Sony firmware but the little information I found indicates no bugs are fixed and the update is "one-sided" with changes that only improve data mining.

I really wish some truly free devices (ebook readers, tablets) would hit the market.

Some time ago I looked at calibre. Lots features and there is a usage learning curve (and a bunch of dependencies to compile). I just haven't had the time to spend with the software to really learn. Yet Another Project for "rainy days."

I don't (yet) grasp the concept of how a proprietary ebook reader connects to a calibre server. Conversely, at this point I'm content with connecting via USB and copying files as needed.

After raising the topic in another thread, I ran some quick spot checks for low-end managed switches. More expensive than a dumb switch, yes, but affordable.

Okay, so both of you are confirming my original intuition that I need a physical hardware point to intercept traffic. That's a start!

I have old computers I could use as monitoring portals after installing a managed switch at an interception point. They are slow (PI and PII) but they would suffice to capture traffic --- once I learn how to actually do that.

Yes, on the XP system. Wireshark is available for Windows. I would just pull the wall cable (to prevent actual phone home connections) and watch what happens.

Now that I wrote that I see several people already wrote the same thing.

I can't do that with the ebook reader, which is wireless only. (And I have no motivation at all to learn how to root such a device. )

Question:I wonder whether dd-wrt, which I have installed on my Linksys router, has a feature to allow me to monitor IP traffic? There is a firewall logging option and all I need are IP addresses.

I'm not trying to run a complicated sniffing operation. I want only to capture IP addresses to know where the ebook reader and XP wants to phone home. Then add some simple redirects to 127.0.0.1 in my router's hosts file.

I have some experience with XP phoning home. About 10 years ago I helped a person configure a third party firewall to track phone home attempts. I was shocked to find that even the XP file manager phones home. I believe I still have that original configuration file in my archived collection of old Windows files.

I'm not concerned about XP because I don't use the system. I'm interested in learning how to monitor this nonsense and I simply happen to have a copy of XP available. I have some NT4 and W2K installs but those systems are benign and don't phone home.

I'm more concerned about a possible upcoming job contract where I will use Windows 7. I don't anticipate that happening until Jan. 1, but until then I'd like to become familiar with this topic so I know how to monitor Windows 7.

The ebook reader (all ebook readers, tablets, etc.) frustrates me because a primary design consideration with these devices is data mining. I don't miss the wireless functions with my ebook reader, but I want to understand what these devices try to do in the background.

I don't like that I can't control the 3G feature. I'm half tempted to open the case and permanently disable all wireless by cutting the antenna wires.

Yeah, I realize most people don't give a hoot.

I have much to learn as well as buying a decent managed switch, which I likely will need anyway for the upcoming job contract. Even if that contract falls through, other future contracts are likely to have similar connection requirements. I need to learn how to protect my network in more robust ways. Trusting myself is one thing --- I don't trust other systems.

Often I have wanted a way to monitor my own network anyway. Seems like a managed switch is a sane beginning.

I might install the managed switch after the VOIP router. I know and trust the ISP owner (local mom-and-pop ISP), but I'm curious what the device really does. I believe the device regularly "pings" the VOIP network. Some kind of keep-alive traffic, or something like that. Otherwise I'd be surprised to see anything more.