Unsecured network / Traffic monitoring !HELP!

random_foxx (Distinguished, member since Apr 11, 2006):
The backstory (Skip if you don't want the details): I'm a student at Fort Hays State. In my Bioethics class, I have a paper to write, which must be based on some specific form of specific human behavior. The target group MUST be a small group, in this case, it will be my apartment neighbors and people who pass into range of my wireless network and decide to use it. I have about 3 months to collect data before starting my assignment.

My plan:
I want to set up a wireless network with ZERO security. SSID broadcast to the world, no encryption (not even WEP), and a free and clear Internet connection to browse the 'net with. I already know how to do -that- part, so no biggie there. Also, I've got my -REAL- LAN separated from this -TEST- LAN, so my personal network security isn't at risk.

Where I need help:
I can set up a free network for people to leech and steal from, but have no way of gathering ANY data. How can I tell where people go on the Internet? How can I tell if they use peer2peer software, and what files they download? Once I get the data, can I sort it by MAC address, so that in my paper I can identify what one person did versus another, or track one person's multiple connections over the days and weeks?

What equipment I have:
One router, a Linksys WRT54G; one PC, capable of running XP Pro, or I could install Linux if that would be needed (I have no experience with Linux, but I'm willing to learn).

Thanks!
 

blue68f100 (Distinguished, member since Dec 25, 2005):
Will you need wireless access too?

Have not done what you ask.

But you will need a packet sniffer to trap the source and destination of your free wireless service. Normally this can be done by setting up an external box that all traffic goes through. There is software for doing this. Just need to do some googling.

You say you have your network isolated. Do you have 2 ISPs?

If you are coming off the same router you may be at risk.
 

Nlaenu (Distinguished, member since Jul 20, 2006):
What kind of logging is possible with the routers?
But since you're asking here for help, I guess it's not sufficient.
The problem is, if you're going to sniff the traffic, you have to do it between the users and the router. Once the traffic comes out on the other side of the router, the MAC address also changes. Correct me if I'm wrong.

And if I'm wrong you can skip the rest :)
I would suggest getting a stand-alone access point and a hub.
A hub transfers all traffic to all ports. So basically, if you place the hub between the router and an AP, you can see all the traffic going through it.
It would look something like this:
ISP -> router -> vlan0 (secure) -> your pc
-> vlan1 (unsecure) -> hub -> Access-point
-> Pc that monitors the traffic

Maybe someone else can answer this: can you turn the Linksys into an access point only?
 

random_foxx (Distinguished, member since Apr 11, 2006):
I can see where a hub would be useful, as it just repeats everything, over a switch, which is selective. If I need new equipment, I'll get it.

Would a setup of [Wireless Router]-[HUB]-[Cable Modem] work, assuming I had a computer attached to the HUB as well? Even if I couldn't break down -who- was doing what with that method, at least I would have blanket statistics "17% downloaded music, 49% downloaded porn" etc etc.

Does anyone have a link to anything of use? A Google search turns up lots of junk pages, lots of "protect yourself" crap, things of that nature, but nothing from the eyes of a small network admin who wants to watch and monitor traffic on his network.

I really want to get everything set up in the next week or so; this is a senior-level class, and the sooner I gather data, the better I can do.

Thanks!
 

fredweston (Distinguished, member since Jul 21, 2006):
What I would do is arrange things like this:

Internet => PC => Router

I'd put Linux on the PC and do my NAT, DHCP, etc. there. I'd connect the PC into one of the router's LAN ports and disable DHCP on the router, effectively making the router into an AP. Then I'd install Squid on the PC and use ipchains to transparently redirect all port 80 and 443 requests through Squid. This will give you full logging of all HTTP and HTTPS requests. You could probably use webalizer or something similar to generate pretty reports for the web usage.

As far as logging other activity such as POP3, IM, etc., I'm sure there is some way you can log that as well. You could probably use something like tcpdump and then run a protocol analyzer against the log files.

Yes, it's a lot of work, but you can probably find HOWTOs for everything I've listed above. I've set up a transparent proxy with a day's worth of fiddling, and once it's up, it's set-it-and-forget-it.
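As an added illustration of the logging side of this design (example code written for this edit, not something fredweston or the Squid project supplied): a Python script that parses Squid's native access.log and, since the Linux box is also the DHCP server in this layout, joins client IPs to MAC addresses through a DHCP leases snapshot so each person's requests can be grouped and tracked across days. The leases format assumed here is dnsmasq's (an assumption, not stated in the thread); the log lines, the leases file, the MAC and IP addresses and the host names are all constructed. Note what a proxy log can and cannot show: HTTPS appears only as a CONNECT to a host and port, never the URL or content inside the tunnel, and MAC attribution is only as good as the lease file (a client with a static IP, or one whose IP changed hands mid-log, lands in an "unknown" bucket).

```python
"""Per-client summary of a Squid native access.log, keyed by MAC address via a
dnsmasq-style DHCP leases file. Added example with constructed sample data."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed Squid access.log lines in Squid's native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
ACCESS_LOG = """\
1160000001.123    210 192.168.1.101 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1160000005.456     15 192.168.1.101 TCP_HIT/200 812 GET http://www.example.org/logo.png - NONE/- image/png
1160000009.789   1300 192.168.1.102 TCP_MISS/200 44 CONNECT mail.example.net:443 - DIRECT/203.0.113.7 -
1160000012.000    300 192.168.1.102 TCP_MISS/200 9120 GET http://news.example.com/ - DIRECT/198.51.100.2 text/html
1160000020.000     80 192.168.1.101 TCP_MISS/404 600 GET http://www.example.org/missing - DIRECT/93.184.216.34 text/html
"""

# Constructed dnsmasq leases snapshot: expiry MAC IP hostname client-id
# (assumption: the monitoring box also runs the DHCP server, so it has this file).
LEASES = """\
1160086400 00:11:22:33:44:55 192.168.1.101 laptop-a 01:00:11:22:33:44:55
1160086400 66:77:88:99:aa:bb 192.168.1.102 laptop-b *
"""


def parse_leases(text):
    """Map client IP -> MAC from a dnsmasq leases snapshot."""
    ip_to_mac = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            ip_to_mac[fields[2]] = fields[1].lower()
    return ip_to_mac


def parse_access_log(text):
    """Yield (timestamp, client_ip, method, host, status) per log entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines rather than crash
        ts, client, code_status, method, url = fields[0], fields[2], fields[3], fields[5], fields[6]
        status = int(code_status.split("/")[1])
        if method == "CONNECT":
            # HTTPS through the proxy shows only as CONNECT host:port; the
            # request inside the tunnel is never visible in this log.
            host = url.rsplit(":", 1)[0]
        else:
            host = urlsplit(url).hostname or url
        yield float(ts), client, method, host, status


def summarise_by_mac(access_log, leases):
    """Aggregate requests per client MAC (per person, as far as DHCP can tell)."""
    ip_to_mac = parse_leases(leases)
    summary = {}
    for ts, client, method, host, status in parse_access_log(access_log):
        # Clients with a static IP or no lease fall into an "unknown" bucket;
        # a lease snapshot also cannot attribute an IP that changed hands mid-log.
        mac = ip_to_mac.get(client, "unknown")
        entry = summary.setdefault(mac, {"requests": 0, "https_connects": 0,
                                         "errors": 0, "hosts": Counter()})
        entry["requests"] += 1
        entry["hosts"][host] += 1
        if method == "CONNECT":
            entry["https_connects"] += 1
        if status >= 400:
            entry["errors"] += 1
    return summary


def share_by_host(summary):
    """Percentage of all logged requests per destination host (the 'blanket stats')."""
    totals = Counter()
    for entry in summary.values():
        totals.update(entry["hosts"])
    grand = sum(totals.values())
    return {host: round(100.0 * n / grand, 1) for host, n in totals.items()}


if __name__ == "__main__":
    s = summarise_by_mac(ACCESS_LOG, LEASES)
    for mac, entry in s.items():
        print(mac, entry["requests"], "requests,", entry["https_connects"], "HTTPS tunnels,",
              dict(entry["hosts"]))
    print(share_by_host(s))
```

Pointing `ACCESS_LOG` and `LEASES` at the real files (by default /var/log/squid/access.log and /var/lib/misc/dnsmasq.leases on a Debian box, though both paths are configurable) turns this into the per-person report; the leases snapshot should be taken at the same time as the log is rotated, because a lease that expires and is reissued to another machine breaks the IP-to-MAC mapping for older entries.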
 

random_foxx (Distinguished, member since Apr 11, 2006):
Wow, that sounds -VERY- complicated, but very detailed (detailed is good). Linux will be a whole new beast to tame if I go with that; any thoughts on the distro? I'll have to take some of your keywords and Google those. Thanks for the tips.
 

fredweston (Distinguished, member since Jul 21, 2006):
I like Debian because of the simplicity of package management. For example, once you have the system installed, 'apt-get install squid' will download and install Squid. No compiling or worrying about dependencies, etc.
 

random_foxx (Distinguished, member since Apr 11, 2006):
This appears to be a great link!!! I'm reading 2.1 motivation, and the #2 (You want clients to use a proxy, but don't want them to know they're being proxied) sounds -exactly- like what I want to do.

I don't want to sound behind the times, but I don't really know what a proxy is, so I used Wikipedia to see a definition. From what I understand, this will sit (invisibly) between the user's wireless PC and the router. Without knowing, the client will request a webpage, issue an instant message, or send an email, and all those requests will go to the proxy, and the proxy will send the request off to the 'net. In this way, the proxy will be a middle man, and be able to log all the data for me. Is this right?
 

fredweston (Distinguished, member since Jul 21, 2006):
You are correct as far as web (HTTP) requests are concerned. I don't know if Squid has the capability to proxy for POP3, AIM, etc. I am guessing it doesn't, though.

You might be able to use TCPDump (http://en.wikipedia.org/wiki/Tcpdump) to log those protocols. WireShark/Ethereal will definitely do it, but that requires installing an X server (desktop environment as opposed to command line). The only potential issue I can see is the size of the log files for a period as long as you are proposing. I suppose it all depends on how much traffic there is.
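For the traffic the proxy never sees, here is an added example (not from the thread, and not tcpdump's or Ethereal's own code) of the kind of after-the-fact analysis fredweston describes, run against a tcpdump-style capture: a Python reader for the libpcap file format, using only the standard library, that counts destination IP, protocol and port per client MAC. It assumes the capture was taken on the LAN-side interface of the monitoring box, before the router's NAT (Nlaenu's point above), so the source MAC of each frame is the client's. The capture itself is constructed inside the script from hand-built Ethernet/IPv4/TCP/UDP frames, and the gateway MAC, client MACs, IPs and ports are made up. Port-to-service labels are a heuristic only, and the file-size concern stands: a pcap of months of traffic is large, whereas a per-client summary like this one is what you would actually keep.

```python
"""Per-client (source MAC) summary of a libpcap capture taken on the LAN-side
interface, with no third-party modules. Added example; the capture is constructed."""
import socket
import struct
from collections import Counter

# Port labels are only a heuristic: P2P clients and other software can use any port.
PORT_LABELS = {53: "dns", 80: "http", 443: "https", 110: "pop3", 6881: "bittorrent-default"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_packet(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame for the sample capture only
    (checksums left at zero; it is meant for the parser, not for the wire)."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + l4


def build_pcap(packets):
    """Wrap frames in a little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1160000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


GATEWAY_MAC = "00:aa:bb:cc:dd:ee"  # constructed: LAN-side MAC of the monitoring box
SAMPLE_PCAP = build_pcap([  # constructed traffic from two made-up clients
    build_packet("00:11:22:33:44:55", GATEWAY_MAC, "192.168.1.101", "192.168.1.1", 17, 40000, 53),
    build_packet("00:11:22:33:44:55", GATEWAY_MAC, "192.168.1.101", "93.184.216.34", 6, 40001, 80),
    build_packet("00:11:22:33:44:55", GATEWAY_MAC, "192.168.1.101", "93.184.216.34", 6, 40002, 80),
    build_packet(GATEWAY_MAC, "00:11:22:33:44:55", "93.184.216.34", "192.168.1.101", 6, 80, 40001),
    build_packet("66:77:88:99:aa:bb", GATEWAY_MAC, "192.168.1.102", "203.0.113.7", 6, 50000, 6881),
])


def iter_pcap(data):
    """Yield raw frames from a libpcap byte string, honouring the file's byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng and nanosecond variants not handled)")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures carry client MAC addresses")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src_mac, dst_ip, proto_name, dst_port) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # VLAN-tagged, ARP and IPv6 frames are not handled here
    src_mac = mac_str(frame[6:12])
    ihl = (frame[14] & 0x0F) * 4     # IPv4 header length from the IHL field
    proto = frame[23]                 # IPv4 protocol byte (6 = TCP, 17 = UDP)
    dst_ip = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    dport = struct.unpack("!HH", l4[:4])[1]
    return src_mac, dst_ip, "tcp" if proto == 6 else "udp", dport


def summarise_capture(data, gateway_mac):
    """Count (dst_ip, proto, dst_port) per client MAC, skipping frames the gateway sent."""
    summary = {}
    for frame in iter_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None or decoded[0] == gateway_mac.lower():
            continue  # replies coming back from the Internet carry the gateway's MAC
        src_mac, dst_ip, proto, dport = decoded
        summary.setdefault(src_mac, Counter())[(dst_ip, proto, dport)] += 1
    return summary


if __name__ == "__main__":
    for mac, flows in summarise_capture(SAMPLE_PCAP, GATEWAY_MAC).items():
        for (dst_ip, proto, dport), n in flows.items():
            print(f"{mac} -> {dst_ip} {proto}/{dport} ({PORT_LABELS.get(dport, '?')}): {n}")
```

To use it on a real file, replace `SAMPLE_PCAP` with the bytes of a capture written by `tcpdump -i <lan-interface> -w capture.pcap` and pass the LAN-side MAC of the capturing box as `gateway_mac`; counting is done per packet here, so a long download shows up as many packets to one destination, which is exactly the "who talked to what, how much" view the per-MAC question asks for without storing the payloads.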
 

random_foxx (Distinguished, member since Apr 11, 2006):
Thinking about buying a Linksys Wireless G bridge

http://www.tomsnetworking.com/2004/09/23/linksys_wireless_wet54gs5/index.html

It mentions packet sniffing, and mentions that this switch can be set to port mirroring, making it act like a hub when I decide to.

I could use the wireless AP to create a separate wireless network ("Freenet"), put a computer running a transparent proxy on it, with all the traffic being broadcast to it, and bridge it into my real router, keeping my network ("Securenet") physically separated from it.

First off: does that make sense? Second off: will that work?
 

NoWires (Distinguished, member since Sep 20, 2006):
Sounds like an ambitious project. Hope you don't bite off more than you can chew, because it's not that simple technically.

First of all, I can't imagine you could pull it off without using Linux. The best sniffer around is Kismet, which doesn't run on Windows in most circumstances and requires rfmon support with your wireless card on Linux, not to mention a specific driver.

So my advice is, check your wireless card, install Linux, run Kismet and Ethereal, have some basic idea of what's happening around you, before buying new equipment. All this could take quite a while, depending on your skill level.

BTW, you can get advice from wireless wizards from other technically more sophisticated forums, such as netstumbler.org
 

fredweston (Distinguished, member since Jul 21, 2006):

NoWires said:
> Sounds like an ambitious project. Hope you don't bite off more than you can chew, because it's not that simple technically.
>
> First of all, I can't imagine you could pull it off without using Linux. The best sniffer around is Kismet, which doesn't run on Windows in most circumstances and requires rfmon support with your wireless card on Linux, not to mention a specific driver.
>
> So my advice is, check your wireless card, install Linux, run Kismet and Ethereal, have some basic idea of what's happening around you, before buying new equipment. All this could take quite a while, depending on your skill level.
>
> BTW, you can get advice from wireless wizards from other technically more sophisticated forums, such as netstumbler.org

You're making things more complicated than they need to be by involving Kismet. Kismet is really useful if you need to see all the various wireless beacons and frames, etc., but for raw traffic capturing you can't beat tcpdump or Ethereal.

I wouldn't really call netstumbler.org the best place to get help with this type of thing either. He'd probably have better results posting somewhere like seattlewireless or bawug.