In a typical LAN environment today, routers and switches are in use.
This greatly improves network performance, but it makes monitoring a specific appliance, such as a VoIP phone, more complicated: a switch forwards each frame only to the port where the destination MAC address lives, so a third machine plugged into another port sees none of the phone's traffic.
In order to capture the traffic of a specific node, assuming it is not possible to run a monitoring tool on the node itself, it is necessary to use a device that can be placed between the nodes, or a switch/router with monitor (port-mirroring) capabilities.
The main monitoring tool in this discussion is Wireshark.
There is an article about this issue on the Wireshark Wiki.
Since I don't have a switch with monitor capabilities, the fastest way to set up a generic monitor machine is to use a laptop with two NICs, acting as a bridge, and to run Wireshark on one of the two NICs or on the bridge itself.
Shopping list
What is needed:
- 1 laptop with Linux installed and two Ethernet ports
- 1 PCMCIA NIC if the laptop has only one embedded NIC
- bridge-utils
- Wireshark
The environment
The machine used to build the monitor is a Gateway tablet running Ubuntu 11.04, plus a LinkSys PCMCIA NIC card.
The first step, recognizing the extra NIC card, should not pose any problem.
In my case the LinkSys NIC was recognized and configured automatically by the OS as eth1.
The next step is to install Wireshark from the Ubuntu repository and enable it to capture packets from eth0 or eth1 (either run it with sudo, or set up capture privileges for non-root users as described on the Wireshark Wiki page CaptureSetup/CapturePrivileges).
Here is the configuration adopted for the machine:
Bridge setting
After preparing the hardware and testing both ethX ports, it is necessary to set up the machine to act as a bridge, so that packets received on eth0 are sent out of eth1, and vice versa.
Without such functionality the two segments are isolated, i.e. the phone cannot receive anything from the network.
In order to simplify the configuration, I forced a manual address on both NICs:
- 192.168.2.70 for eth0
- 192.168.2.71 for eth1
Note that once the ports are enslaved to the bridge, these addresses are not used for forwarding; if the monitor machine needs an address of its own for management, it belongs on the bridge interface rather than on eth0/eth1.
Open a terminal and install the brctl program (sudo apt-get install bridge-utils).
The bridge-utils package is not installed by default on Ubuntu 11.04 but is available in the repository.
At this point I created, configured and activated a bridge between the two NICs:
- sudo brctl addbr wshark   Create a new bridge called wshark
- sudo brctl addif wshark eth0   Add eth0 to the wshark bridge
- sudo brctl addif wshark eth1   Add eth1 to the wshark bridge
- sudo brctl stp wshark on   Enable STP
STP only matters if the bridge could form a loop; with only two ports there is none, and with STP enabled the bridge also emits BPDUs out of both ports, which a managed switch will see (and may react to with BPDU guard). For a quiet, passive tap it can be left off.
After creating the bridge, it has to be activated.
To do so, simply use the ifconfig command:
sudo ifconfig wshark up
At this point the bridge should be working: brctl show wshark lists both ports, and the phone behind eth1 can reach the network again.
Running Wireshark
After the bridge is activated it is possible to run Wireshark.
Among the interfaces available for capturing there will be a wshark interface, which is the bridge.
Capture on it to see the traffic in both directions between the phone and the network.
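The whole procedure from the bridge setting and the capture above, collected into one script as an added example (this is not the post's own code). Bridge and NIC names are the ones used in the post (wshark, eth0, eth1); the DRY_RUN switch, the capture path and the use of dumpcap (Wireshark's capture engine) instead of the GUI are my assumptions. It departs from the post in two places: it strips the addresses from the member ports, and it leaves STP off so that the tap does not send BPDUs.

```sh
#!/bin/sh
# Added example (not from the original post): build the two-NIC tap bridge
# and start a capture on it. Bridge/NIC names are the post's (wshark, eth0,
# eth1); DRY_RUN and the capture path are assumptions for illustration.
set -eu

# run CMD [ARGS...]: execute the command, or only print it when DRY_RUN=1 so
# the plan can be reviewed on a machine without root or without the 2nd NIC.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge BRIDGE NIC_A NIC_B
setup_bridge() {
    br=$1; a=$2; b=$3
    # Member ports of a bridge should carry no addresses of their own: frames
    # arriving on them are handed to the bridge, so an IP on eth0/eth1 is not
    # reachable anyway, and a passive tap is quieter without one.
    run ip addr flush dev "$a"
    run ip addr flush dev "$b"
    run brctl addbr "$br"
    run brctl addif "$br" "$a"
    run brctl addif "$br" "$b"
    # STP makes the bridge send BPDUs out of both ports every few seconds,
    # which the upstream switch sees (and BPDU guard may shut the port).
    # With two ports there is no loop to protect against, so keep it silent.
    run brctl stp "$br" off
    run ip link set dev "$a" up
    run ip link set dev "$b" up
    run ip link set dev "$br" up
}

# start_capture BRIDGE OUTFILE: capture everything crossing the bridge with
# Wireshark's own capture engine; narrow it down later in the GUI with a
# display filter such as "sip || rtp".
start_capture() {
    br=$1; out=$2
    run dumpcap -i "$br" -w "$out"
}

# Usage: sudo ./tap.sh wshark eth0 eth1 /tmp/phone.pcapng
# (DRY_RUN=1 ./tap.sh ... prints the commands instead of running them)
if [ $# -eq 4 ]; then
    setup_bridge "$1" "$2" "$3"
    run brctl show "$1"
    start_capture "$1" "$4"
fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue; the real run needs root, and the phone loses connectivity for the second or two between addif and the final ip link set up.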
That's it.