ARP


Hurtcake

Hi, I'm doing a school project about ARP, the Address Resolution Protocol, and I've captured packets on my computer using Wireshark. But I want to capture the packets from my router's point of view. Any ideas on how I can do this?

I have a Linksys Cable/DSL Router BEFSR41 V3 with original firmware. I thought maybe I could flash it, but couldn't find any. (Is there any?)

Thanks

I have the same router. The only firmware I could ever find over the years is the last update from Linksys, Firmware Version: 1.05.00. If yours has that version, then it shipped with the last supported one they made for it.

It's not a wireless router, so people probably didn't develop any custom stuff for it. The wireless routers tend to have the custom firmwares because they often have chipsets that people write code for, like Atheros, etc.

Be sure to update it to the last patch though, as I think that fixed a hole in the security that allowed remote users into the router, even when it was set not to allow remote administration.


Correct me if I am wrong, it's been a while since I read ARP shit (and I am sure you guys will if I am) XD

ARP uses a broadcast address, so all computers on a network will receive the ARP packet. To view it from your router's perspective, all you need to do is filter for only ARP in Wireshark and look at the source and destination of the packet (usually found via its MAC address or IP number). If you are unsure as to what your router's MAC is, just flip it over and it should have it on a sticker at the bottom (or in the web GUI config settings).

For a more detailed inspection, click on the packet of interest and view the TCP/IP stream.

If I am missing something, guys, feel free to elaborate on this.

Anyways hope it helps.


Yeh. The firmware is patched up to date.

Still need help with the ARP-packages though ;)

Well, this router is more of a switch, which once you try to MITM it gets all messy and stuff just starts to stop working and you have to reset your connections. One thing you can do is put the router between two NIC cards to see all the traffic on the router.

modem --> PC with multiple NICs --> router --> network. When traffic comes back from the router to go to the internet, the first PC with multiple NICs can sit there and just run Wireshark or whatever and dump ALL the traffic requests. Encrypted stuff will be unreadable, but general internet traffic, email, IM, etc., all get captured in the clear with no need to MITM. The new Interceptor Monkey project Hak5 and DigiNinja just released kinda does the same thing. A hardware tap to see all the network's traffic.

If you're not scared to brick the device, you can try googling compatible firmware or custom firmware, or even put another router's firmware on it, although it will probably break the device: ftp://ftp.linksys.com/pub/network/

Firmware files end in .bin, but again, this will probably break the router if 1, there is not enough space for it, and 2, it doesn't understand the instructions/firmware you try to load onto it.

ARP packets are not broadcasted, they have a specific MAC/IP they're supposed to go to, otherwise you could ARP poison a whole network with just a single ARP packet haha

Hurtcake, what is it that you're actually trying to do? Because you could just put your NIC into monitor mode and view everything without having to set up a MITM.

I thought monitor mode was for wireless? This device is a 4 port ethernet router/switch. No wireless on the device.

ARP packets are broadcasted at layer 2 on address FF:FF:FF:FF:FF:FF. When a host receives such a packet, if that host has the IP address mentioned in the ARP request, it replies back with an ARP response to the source MAC address of the ARP request.


Generally your router doesn't broadcast ARP requests to find a MAC. At least I never see them on my net anyway. However, my router knows the ARP's of all my machines, because at some stage they try to access the net and the router records the MAC.

Chances are the only router-originated traffic that will appear on your net are routing announcement packets such as RIP, and even then you'll generally only get those if there is another router on the inside that the primary router is Bcasting to.

The only time I've seen any kind of ARP announcement inside my net is other PCs asking for a MAC to IP req inside the net. I've never seen the router req them.


As for routers broadcasting ARP requests, it may be dependent on the vendor or current setup of the router. I have, though, encountered a router at work that seems to broadcast ARP requests for every DHCP allocated address every 30 seconds or so.


Having this same router, about the only broadcast traffic I see are BROWSER announcements for Windows shares when you enable NetBIOS. You will see the workstation make an SMB broadcast, but that's about it. I can sit and watch the connection, but my wife's traffic is not seen or rebroadcasted by this particular router without a MITM. I turn off NetBIOS and Windows file sharing and have the ports blocked on our firewalls, so I only see that kind of traffic when I enable it.

If I try to ARP attack, like with Cain, it just hoses up the network, since the router functions more like a switch, it knows where the end device is, and eventually you have to reset all the connections, as it just hoses everything up. Wifi doesn't have this issue because in order to stay associated with an AP, your NIC does probe and ARP requests regularly, and you can MITM very easily in this respect. Not so much with this particular ethernet router. If the other connection is in use, you can ARP attack it, but eventually something happens with this router and it seems to kill both connections at some point and I end up not being able to connect to the router once that happens. If the user at the other end disconnects and reconnects, they never get assigned an IP address from the router and I then have to disable Cain in order to get back onto the network before I can MITM again.

Ultimately it's mixed results. I really shouldn't say it isn't possible, just that it works intermittently and with mixed results. I'm messing with it right now, and like I said, mixed results.


I am not sure why you have to capture the ARP packets on the router?

ARP requests (as mentioned by the previous posts) are broadcasted to all the computers on the LAN.

So if you run Wireshark on your computer you will capture the ARP packets and they will look exactly the same if you were to run Wireshark on the router itself.

You would only have a difference if you have set up VLANs. Then you will not be able to see the ARP requests of/to the computers on the other VLANs (but you would be able to see all of them if you were to run Wireshark on the router). But since you did not mention anything about VLANs, I assume that is not the case in your home setup.


The only way I ever see a broadcast ARP packet on this model is if I initiate a ping from one node to another on the LAN.

If data is coming in from the internet, this router will filter out anonymous requests and not forward them to all nodes, as well as route packets directly for the node in question. It will not broadcast all traffic to every node on the LAN, like say with a bus topology. Then again, I have static IPs set up for each desktop machine, so this may be why I never see this sort of traffic on this router unless I ping another address on the LAN.

If I am capturing packets on the LAN and another machine joins the LAN, I never see it in Wireshark. Only if the machine itself is doing something, like advertising its NetBIOS info over the LAN, which I have turned off on all my machines. I imagine that the desktops probably broadcast their info for ARP, but the router is not forwarding it on to everyone on the LAN.


Ok. I read about ARP and packages sent external or outside of your lan.

From what I could understand, the package created on my computer with an external destination will contain the receiver's IP and my router's MAC address. When the router receives this package, it will start unpacking it (it thinks it's his because it contains his MAC). And when he gets to the IP address, he will understand it's not for him, and pack it back together after finding that new MAC address (this point is where I'm a bit shady, which is the reason for the bad explanation). Does the router obtain this by sending an ARP request to that external IP?

This is actually what I was trying to find out. I wanted to see it working and not just in theory.

I wanted to capture the ARP package containing that external IP and my router's MAC address.

Hope everything got a bit clearer now :)


IP routing and DNS lookups happen on the internet, while ARP makes entries into a router for locally connected devices on the LAN. Then there are in-addr.arpa. reverse DNS lookups, but that relies on DNS and PTR record entries for IP addresses manually entered into DNS and has nothing to do with ARP packets on the LAN.


ARP is a Level 2 protocol. It knows NOTHING about IP addresses. It has the source and the destination MAC address in its header. In an ARP packet the destination MAC is FF:FF:FF:FF:FF:FF, so that all the machines on the segment can process it. Only the machine with the IP address specified in the "body" of the ARP packet will respond with its own MAC as a source address and the MAC of the machine that asked as a destination address.

If nobody responds to the computer that sent the ARP request, then the target computer cannot be reached with Level 2 protocols. Now the machine has to send a Level 3 packet to its default gateway (the router).

Also keep in mind that before the source computer even sends an ARP packet, it checks the target's IP address, then it compares it to its own IP address and subnet mask to find out if the target computer is on its LAN:

1. If it is, then it checks its cached ARP table and if it finds the destination computer's MAC address there, then it does not need to broadcast an ARP request. If it does not find the target computer in the ARP table, ONLY then it sends the ARP request.

2. If the target computer is not on its LAN/Subnet, then it does not send an ARP packet, because there is no need for it. It knows that nobody will respond! So, it sends a Level 3 packet to the default gateway with its own IP address as the source address and the desired computer's IP address as a destination address. And the routing process takes over.

These are the basics of networking.

Routers do not pass broadcast, multicast or frames with unknown destination MAC address.

This makes it impossible for someone to do an ARP poisoning/spoofing on the internet!

I would recommend you look at the network basics first by reading about the OSI model:

http://en.wikipedia.org/wiki/OSI_model

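The sender-side decision described in the post above (on-link check, ARP cache, default gateway), together with the broadcast ARP request frame described earlier in the thread, as an added Python example that is not code from any poster. The addresses and helper names are constructed for illustration and assume a 192.168.1.0/24 home LAN.

```python
import ipaddress
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def arp_target(iface, dst, gateway):
    """IP the sender must resolve with ARP: dst if on-link, else the gateway."""
    net = ipaddress.ip_interface(iface).network
    return dst if ipaddress.ip_address(dst) in net else gateway

def plan_delivery(iface, dst, gateway, arp_cache):
    """Return (ip_to_resolve, cached_mac); a None MAC means an ARP request is needed."""
    hop = arp_target(iface, dst, gateway)
    return hop, arp_cache.get(hop)

def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet II frame carrying an ARP request (RFC 826) for target_ip."""
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, lengths, op=request
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed  # target MAC still unknown
    return eth + arp

def parse_arp(frame):
    """Decode the fields Wireshark shows for an ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_ip": str(ipaddress.ip_address(frame[28:32])),
        "target_ip": str(ipaddress.ip_address(frame[38:42])),
    }

# Constructed sample values (assumed home LAN, not taken from the thread).
IFACE, GATEWAY, PC_MAC = "192.168.1.100/24", "192.168.1.1", "00:11:22:33:44:55"

if __name__ == "__main__":
    hop, mac = plan_delivery(IFACE, "203.0.113.10", GATEWAY, {})
    print(hop, mac, parse_arp(build_arp_request(PC_MAC, "192.168.1.100", hop)))
```

For an off-link destination such as 203.0.113.10 the only ARP target is the gateway's LAN address, so no ARP frame on the LAN names the external IP; a router applies the same rule on its own upstream segment.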

Die! OSI model, Die! :angry: I hate the OSI Model...It's just a pain in the ass to learn, but yeah, it helps explain how networking works, from the physical layer all the way up the food chain to the software. Who here enjoyed learning the OSI Model? Dare I say none...

/me nods

Layer 2 (MAC) addresses are segment local. You send a packet to Google: the source and destination IP addresses remain the same. Though as the packet traverses the internet, its source and destination MAC addresses will change from segment to segment.

Gotta love the OSI, man. All Pupils Sniff The Network Data Packets, that's one way to remember it by! :P
