LinuxQuestions.org
Old 02-12-2004, 06:02 AM   #1
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Rep: Reputation: 15
IP-less sniffing on WAN side of internet router


What I'm trying to achieve:
I want to know what traffic occurs on the WAN side of my router/firewall.

This router/firewall does not have the reporting capability that I would like.

I'm planning to set up hub between my router and my cable modem. A Debian Linux machine will then be connected to this hub. The Debian will have two NICs, the other NIC is connected to the LAN (with a LAN IP so I can vnc to it).

Now here's the problem:
I don't plan to configure an IP address to the WAN NIC of the Debian machine.
For this whole plan to work, it would require a sniffer that can capture packets on an IP-less NIC.

I've thought of snort, but that's really over-kill. I don't need a full fledged intrusion detection system, just one that can capture traffic.

The alternative is to configure an IP, but then I'd also need a firewall which would render the sniffer pretty useless.

Any tips, clues and/or brainfarts?

Thanks
 
Old 02-12-2004, 01:44 PM   #2
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
I'm not really sure what you are trying to do, and I am too tired to think about it... can you give us some ASCII schema maybe? :P

I dunno any ip-less sniffer, but connected to a hub you could probably sniff some broadcast connection. Or maybe you should try to build a NAT between the cable and the other side of the network?
 
Old 02-12-2004, 05:59 PM   #3
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Hmmm,
Tethereal will sniff if you just specify the device (eth0).

I have d/l'd snort but not used it yet. For that matter, I would think any sniffer would work simply by specifying the device rather than the IP.

To see frames not addressed to the device you would have to put it in promiscuous mode. I think! I have done something similar to your application, but I put the Linux box inline between my cable modem and my Linksys firewall. I did however specify IP addresses and captured on the external interface.


Last edited by fataldata; 02-12-2004 at 06:04 PM.
 
Old 02-13-2004, 12:37 AM   #4
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Yes, with ethereal one selects the interface, not the IP address. But the interface can't be selected if it is not up.

Btw, how did you secure your sniffer machine in the setup you describe? By that I don't mean user/password stuff, but tcp/udp port setup.
 
Old 02-13-2004, 07:58 AM   #5
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Half_Elf
I'm not really sure what you are trying to do, and I am too tired to think about it... can you give us some ASCII schema maybe? :P
I'm crap at ASCII drawings, but here's (part of) the sitch:

[Cable modem (WAN)] <----> [hub] <----> [Router/Firewall (LAN)]

The linux sniffer plugs into the hub, thus receiving a copy of every packet traveling between WAN and LAN. Because there's also a link from the sniffer into the LAN, I need this machine to be secure, which is why I don't want the hub side of the sniffer to have an IP address. I could fake one that I know won't be routed by my ISP, but I'd much rather not.

Quote:
I dunno any ip-less sniffer, but connected to a hub you could probably sniff some broadcast connection. Or maybe you should try to build a NAT between the cable and the other side of the network?
If I were using a switch I'd only receive broadcast traffic, by using a hub I can get every packet, so they don't need to be addressed to me to pick them up. That's why I think I should be able to get this done without configuring an IP address. All I need is for the interface to come partially up.

Snort claims it can listen to an ip-less interface. I'm inclined to believe them and thus figured there'll probably be some traffic analyzers that can do so too.

If people could name the sniffers/analyzers they know, I'll check them myself.

The only ones I know of are:

tcpdump
snort
(t)ethereal

Any others?
 
Old 02-13-2004, 09:02 AM   #6
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Quote:
Btw, how did you secure your sniffer machine in the setup you describe?
I used iptables rules. But I was using NAT as well, so it wasn't a transparent sniff. Wasn't too concerned for my internal net since after passing the Linux box it simply went to a firewall. I did eventually use a stateful iptables rule to deny any attempted connection from the WAN. Like this one:

# Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Quote:
Yes, with ethereal one selects the interface, not the IP address. But the interface can't be selected if it is not up.
So are you saying that the interface can not be active w/o an IP address?
 
Old 02-13-2004, 09:18 AM   #7
PenguinPwrdBox
Member
 
Registered: Oct 2003
Posts: 568

Rep: Reputation: 31
Provide two details:

One - your ISP
and
Two - what you are trying to achieve.

I may be able to save you a lot of time
 
Old 02-13-2004, 11:34 AM   #8
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by fataldata
I used iptables rules. But I was using NAT as well, so it wasn't a transparent sniff. Wasn't too concerned for my internal net since after passing the Linux box it simply went to a firewall. I did eventually use a stateful iptables rule to deny any attempted connection from the WAN. Like this one:

# Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
So it's possible to capture traffic on an interface that is configured to drop unsolicited traffic?

Quote:

So are you saying that the interface can not be active w/o an IP address?
No, I'm saying that unless I configure eth1 with an IP address I can't use it in ethereal. It simply doesn't show up in the interface selection drop-down menu at capture.

I could be doing something wrong of course, in which case I'd be glad to hear it. Preferably accompanied with a method of partially bringing up the interface without actually assigning an IP address... :-)
 
Old 02-13-2004, 11:42 AM   #9
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by PenguinPwrdBox
Provide two details:

One - your ISP
and
Two - what you are trying to achieve.

I may be able to save you a lot of time
Not sure why you want to know detail One, but:

One - kabelfoon.nl
and
Two - I want to know what's going on, on the WAN side of my local network.
 
Old 02-13-2004, 12:39 PM   #10
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Hey codeape,

There's the diff. I didn't use the GUI for tethereal so there was no drop down anyway. I was using the CLI, which allowed me to choose the interface even if it did not have an ip address.

Quote:
So it's possible to capture traffic on an interface that is configured to drop unsolicited traffic?
This is a really good question, since I believe that the only traffic I am dropping is that which is to traverse (FORWARD) the firewall. Since I didn't specify a rule on the INPUT chain, I'm really not sure how it would work. Maybe I'll set this up again and check it out.

I get kinda murky in details when trying to think of where packets are dropped regarding the FORWARD vs. the INPUT chain, since the INPUT chain applies to traffic coming into the kernel and the FORWARD chain applies to traffic traversing the kernel.
 
Old 02-13-2004, 12:50 PM   #11
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by fataldata
Hey codeape,

There's the diff. I didn't use the GUI for tethereal so there was no drop down anyway. I was using the CLI, which allowed me to choose the interface even if it did not have an ip address.
Aha! So this whole thing could still work.

Since I'm a big fan of the GUI, I could capture using tethereal to a file, which I could then load in ethereal's GUI!!

Not the most elegant way, but this could very probably definitely work, perhaps.

Quote:

This is a really good question, since I believe that the only traffic I am dropping is that which is to traverse (FORWARD) the firewall. Since I didn't specify a rule on the INPUT chain, I'm really not sure how it would work. Maybe I'll set this up again and check it out.

I get kinda murky in details when trying to think of where packets are dropped regarding the FORWARD vs. the INPUT chain, since the INPUT chain applies to traffic coming into the kernel and the FORWARD chain applies to traffic traversing the kernel.
Would be an interesting test and if you decide to go for it, I'd love to hear the results. Still, don't get into any sweat on my account, I think I'm helped now.

Thanks fatal!
 
Old 02-13-2004, 05:15 PM   #12
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
And we're back!

Just tried tethereal and that's a no-go as well.

# ifconfig eth1 up promisc

# tethereal -D
eth0
lo
any

I'm beginning to suspect it may be a hardware problem. Eth1 might not support ip-less promiscuous configuration. It's a RTL-8139, btw.

Either that or the fact that ipchains support isn't compiled into the kernel...

Any guesses, educated or otherwise?
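The state the poster is after (NIC up and promiscuous, no address assigned) can be verified from sysfs before starting a capture; the script below is an added example written for this thread, not code from any of the posters. It assumes a Linux kernel with /sys/class/net, iproute2's ip and tcpdump (which, unlike the GUI interface list described above, accepts an address-less interface with -i), and it decodes the flag bits from <linux/if.h>.

```shell
#!/bin/sh
# Added example: bring up a capture-only NIC with no IP address, confirm it is
# UP and PROMISC, and start a pcap capture. Interface names are placeholders.

# Decode the hex flag word found in /sys/class/net/<if>/flags into names.
# Bit values are the IFF_* constants from <linux/if.h>.
decode_if_flags() {
    flags=$(($1))                         # accepts "0x1103" or decimal
    out=""
    [ $((flags & 0x1))    -ne 0 ] && out="$out UP"
    [ $((flags & 0x2))    -ne 0 ] && out="$out BROADCAST"
    [ $((flags & 0x40))   -ne 0 ] && out="$out RUNNING"
    [ $((flags & 0x100))  -ne 0 ] && out="$out PROMISC"
    [ $((flags & 0x1000)) -ne 0 ] && out="$out MULTICAST"
    printf '%s\n' "${out# }"
}

# Succeed only when both IFF_UP (0x1) and IFF_PROMISC (0x100) are set.
is_up_promisc() {
    flags=$(($1))
    [ $((flags & 0x101)) -eq $((0x101)) ]
}

# Bring the sniffer NIC up without an address, check it, then capture.
capture_ipless() {
    ifc=$1                                # e.g. eth1, the hub-side NIC
    ip link set dev "$ifc" up promisc on || return 1
    flagword=$(cat "/sys/class/net/$ifc/flags")
    if ! is_up_promisc "$flagword"; then
        echo "$ifc: flags are '$(decode_if_flags "$flagword")', want UP PROMISC" >&2
        return 1
    fi
    # Refuse to run if the WAN-side NIC was given an address after all:
    # an IP-less interface cannot answer anything it sees from the WAN.
    if ip -4 addr show dev "$ifc" | grep -q 'inet '; then
        echo "$ifc: has an IPv4 address; this NIC should stay IP-less" >&2
        return 1
    fi
    # -n: no DNS lookups, so the sniffer itself never originates traffic;
    # -w: write raw frames to a pcap file that ethereal's GUI can open later.
    tcpdump -i "$ifc" -n -w "/var/log/wan-$(date +%Y%m%d).pcap"
}

# Usage (needs root):  capture_ipless eth1
```

The capture tap sits below netfilter, so frames are copied to the pcap file regardless of any INPUT or FORWARD rules, which is what makes the address-less design safe to combine with a restrictive firewall.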
 
Old 02-16-2004, 01:02 AM   #13
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: 15
Fatal, what's your NIC model?
 
Old 02-16-2004, 07:52 AM   #14
PenguinPwrdBox
Member
 
Registered: Oct 2003
Posts: 568

Rep: Reputation: 31
It's a Realtek RTL 8139 - like those usually found with the i810 chipset...
 
Old 02-17-2004, 09:04 AM   #15
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Hmm, how do I find that w/o removing the card? I have remote access here at work, so I can look it up if you clue me as to where. I'll do some reading and try to post it later.
 