Openwrt twisted pair sniffer

Good day everyone. My little story began when a friend and I were arguing about full and half duplex in the 10BASE-T and 100BASE-T standards, and in the end I decided to show him what can be picked up from the pairs, using a ready-made device as an example.



After reading the article, I took my old TP-Link mr3240 v1.2, which still had the stock firmware. After a bit of fiddling it is now a full-fledged sniffer with OpenWrt on board, an 8Ah battery, WireGuard and a flash drive for storing dumps just in case.



I will not describe installing OpenWrt, since there are plenty of guides for that.



Let's start by installing tcpdump and preparing the router itself: log into the router via SSH (by default root with no password), then:



opkg update && opkg install tcpdump






Then a few settings in the OpenWrt switch section: open 192.168.1.1 and go to



Network -> Switch







We will listen on the WAN port and on port 4; for port 4 the VLAN interface eth0.3 appears. If you leave the default settings, on port 4 we would only hear broadcast traffic, because frames not addressed to the router are not passed up to the CPU. In the article that inspired me only one pair was tapped, either RX or TX; in my case we listen to both, on eth1 and eth0.3.



The idea is to connect the tapped link's RX and TX pairs to the RX pair of one interface each:






For this, I assembled the following clumsy cable:



Cable




Now, about how convenient this is to listen to: simply running tcpdump and storing everything on the router is not an option at all, except in rare cases where the traffic volume is small.



So it was decided to pipe the capture over SSH with plink for Windows; it goes straight into Wireshark and everything can be watched there.



I found a simple script on the Internet in which you only need to specify the interface and so on:



@REM ----------------------------------------------------
@REM remotecap.cmd
@REM   Example command for capturing remote network packets
@REM   using wireshark and tcpdump.
@REM   First written by j2doll. September 10th 2016.
@REM   https://github.com/j2doll/wireshark-remote-command-win
@REM   http://j2doll.tistory.com
@REM ----------------------------------------------------
@REM install putty and wireshark on your windows pc.
@SET PLINK_PATH="C:\Program Files\PuTTY\plink.exe"
@SET WIRESHARK_PATH="C:\Program Files\Wireshark\Wireshark.exe"
@SET REMOTE_SERVER=192.168.1.1
@SET REMOTE_ACCOUNT=root
@REM REMOTE_PASSWORD must not be left empty: with an empty value, -pw swallows the
@REM next argument (the user@host) as the password. Set a root password on the
@REM router first (passwd), or drop -pw and use a PuTTY key instead.
@SET REMOTE_PASSWORD=
@SET REMOTE_INTERFACE=eth0.3
@REM execute command: tcpdump writes pcap to stdout (-w -), unbuffered (-U), full packets (-s0);
@REM plink relays it over SSH and Wireshark reads the stream from stdin (-i -) and starts capturing (-k)
%PLINK_PATH% -batch -ssh -pw %REMOTE_PASSWORD% %REMOTE_ACCOUNT%@%REMOTE_SERVER% "tcpdump -s0 -U -w - -i %REMOTE_INTERFACE%" | %WIRESHARK_PATH% -i - -k


Of course, this could be taken further: a Python script that merges the two pipes into one would make viewing convenient, but for my purposes it was not needed at all.
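Such a merger, as an added example that is not part of the original post: it reads two pcap streams (for instance the eth1 and eth0.3 tcpdump outputs) and writes one timestamp-ordered pcap that can be piped into Wireshark. The router address 192.168.1.1 and the tcpdump command are the ones used above; using the OpenSSH `ssh` client instead of plink, and the `make_pcap` helper that builds constructed test input, are my additions.

```python
import heapq
import struct
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}  # usec / nsec timestamp pcap

def read_pcap_header(stream):
    """Parse the 24-byte pcap global header -> (byte-order prefix, ts divisor, snaplen, linktype)."""
    raw = stream.read(24)
    for prefix in ("<", ">"):
        magic, _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack(prefix + "IHHiIII", raw)
        if magic in MAGICS:
            return prefix, MAGICS[magic], snaplen, linktype
    raise ValueError("not a pcap stream")

def pcap_records(stream, prefix, divisor):
    """Yield (timestamp_ns, orig_len, packet_bytes) per record until the stream ends."""
    while True:
        hdr = stream.read(16)
        if len(hdr) < 16:
            return
        sec, frac, incl_len, orig_len = struct.unpack(prefix + "IIII", hdr)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            return  # truncated record: the capture was cut off mid-packet
        yield sec * 1_000_000_000 + frac * (1_000_000_000 // divisor), orig_len, data

def merge_pcaps(streams, out):
    """Write one little-endian usec pcap to `out` with all records of `streams` in timestamp order; returns the record count."""
    headers = [read_pcap_header(s) for s in streams]
    linktypes = {h[3] for h in headers}
    if len(linktypes) != 1:
        raise ValueError("link types differ: %r" % linktypes)
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, max(h[2] for h in headers), linktypes.pop()))
    count = 0
    for ts_ns, orig_len, data in heapq.merge(*(pcap_records(s, h[0], h[1]) for s, h in zip(streams, headers))):
        sec, frac = divmod(ts_ns, 1_000_000_000)
        out.write(struct.pack("<IIII", sec, frac // 1000, len(data), orig_len) + data)
        count += 1
    return count

def make_pcap(prefix, nsec, records, linktype=1):
    """Build a pcap byte string (constructed test input) from (sec, frac, payload) tuples."""
    magic = 0xA1B23C4D if nsec else 0xA1B2C3D4
    body = struct.pack(prefix + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    for sec, frac, payload in records:
        body += struct.pack(prefix + "IIII", sec, frac, len(payload), len(payload)) + payload
    return body
if __name__ == "__main__":
    import subprocess, sys  # live use: merge the two tcpdump streams and feed Wireshark via stdout
    procs = [subprocess.Popen(["ssh", "root@192.168.1.1", "tcpdump -s0 -U -w - -i " + ifc],
                              stdout=subprocess.PIPE) for ifc in ("eth1", "eth0.3")]
    merge_pcaps([p.stdout for p in procs], sys.stdout.buffer)
```

Run as `python merge.py | wireshark -k -i -`; note that the timestamp merge has to wait for the next record on each pipe, so live output stalls while one direction of the link is idle, which is why bridging the two interfaces on the router is the simpler option for live viewing.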



Then we insert the cable between the devices, plug the extra pairs into the WAN port and port 4 of the router, and run two copies of the script, one with REMOTE_INTERFACE=eth0.3 and the other with REMOTE_INTERFACE=eth1.



The pair of yellow cables was for the sniffer; in them I used only the green pair, as described above, twisted onto the orange pair, solid to solid and striped to striped; the second cable likewise onto the green pair.



As victims I used a laptop and a mAP lite; the blue and gray cables are just for them, wired straight through, that is, color to color as it should be.



A few pictures.

Then all of this was powered from the battery, a WWAN link was added and WireGuard set up, so you can sniff from home, provided, of course, there is WWAN coverage at the place where we listen.



That's all.



P.S. If you make a bridge between the interfaces, you can listen to both interfaces together, that is, Wireshark will show both RX and TX at once))


