4

Today I got an enterprise Internet connection together with a Sagemcom router. The first time it is connected to the Internet, it will spend 20 minutes upgrading the firmware.

I would really like to capture all the traffic for this upgrade using a CentOS host with two NIC's, with the purpose to figure how upgrades are authenticated. E.g. with a secret user account and passphrase?

If I want to put the CentOS host between the Internet connection and the router:

Question

  • How do I configure CentOS, so all traffic going in at eth0 goes out at eth1?
  • Is tcpdump -s0 -A -w upgrade.pcap -nni eth0 correct, if I want to use Wireshark later on to inspect the packages?
Sandra
  • 10,303
  • 38
  • 112
  • 165

2 Answers2

5

You could setup eth0 and eth1 as bridge and assuming eth0 is connected to the Sagemcom and eth1 is connected to the internet connection. The traffic would pass through the bridge, then you could run a TCP dump on the bridge and capture all of the traffic.

You will need the bridge-utils package

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

tcpdump -s0 -w dump.pcap -i br0
Epaphus
  • 1,021
  • 6
  • 8
  • Shall I give `eth0` and `eth1` static IP addresses e.g. `192.168.1.100` and `192.168.1.101`? – Sandra Apr 05 '13 at 11:22
  • 1
    You may alo want to take a look at tcpreplay (http://tcpreplay.synfin.net/wiki/manual) for some fun with replaying that captured traffic. – Aaron Bush Apr 05 '13 at 12:34
  • eth0 and eth1 don't need an ip address, if you need an IP so you can manage it remotely then you can add an IP to the bridge interface – Epaphus Apr 05 '13 at 16:13
2

First you'd set your CentOS box up as a router, which basically involves enabling packet forwarding (usually a machine is the destination), if you want to let traffic pass through.

The simple part of that is changing /etc/sysctl.conf.
Change

net.ipv4.ip_forward = 0 to 1.

Then you'd set eth0 in one network, eth1 in the other, and add a route between the networks.

Configuring other things like firewalls or selinux is up to you.

I'd use tcpdump -s0 -n host < router IP > -w upgrade.pcap -i any
Though some of that might be redundant, for example, if you're listening for traffic going to and from the router IP, you shouldn't need to specify much in the way of interfaces, I believe.

NickW
  • 10,263
  • 1
  • 20
  • 27