
HOWTO: Use Knoppix as a Windows malware network monitor



johnrw
10-02-2008, 11:15 PM
Ever wondered what that Windows box is up to? What spyware has managed to get
inside your friend's PC? Knoppix makes it very easy to set up a network monitor.
This was an idea I had... and like most brainstorms I get... someone else has already
had the same brainstorm. These folks... describe a basic howto using Knoppix 4.0.2 (Man was I late!!) :)

http://www.networkoptimizationnews.com/Neworkmonitoringsetup.html
My troubles began there. It was Knoppix 4.0.2. I was using 5.3.1!

Some time later... I had it working. Yes, after I downloaded 4.0.2 and confirmed
this actually DID work. Essentially, iptables was blocking the client pc.

The basic layout...
Windows PC (Local Area Connection) plugs into (using an ethernet crossover cable) -> Knoppix Host's eth1 port.
Knoppix Host's eth0 -> plugs into your Router, using an ordinary cat 5e cable.

The only thing unusual you will need to have (in hardware terms...) is:
The Knoppix Host machine needs to have 2 networking cards... IN<->OUT right?
(Time to drag out an old 3com pci card you saved from an old machine.)
A crossover cable or even just a crossover adapter.

In this howto...
Router is at 192.168.1.1 and giving out ip addresses.
Knoppix Host is at 192.168.1.149 (192.168.1.153 in the other howto)
Windows PC is getting its address from the Router through the transparent bridge in Knoppix Host.

Turn your Windows PC off... if, like most out there, it is set to get an IP address automatically.
Then booting up your Knoppix the usual way... you get to a root console in your favorite way as well.

Here is an amended script for later Knoppixes.

#!/bin/sh

# Change these to fit your network layout.
UPSTREAMIP=192.168.1.1
# BRIDGEIP defaults to 192.168.1.153, mine was different.
BRIDGEIP=192.168.1.149

# Here we will turn off the firewall
# everything... so maybe saving the existing rules is prudent.
# Here's how to do that.
# iptables-save > /root/firewall.rules
# iptables-restore < /root/firewall.rules

# Flush the filter table before deleting its chains, as is done for nat and mangle below.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


# Make sure some directories are there and writable.
[ ! -e /var/log/ntop ] && mkdir -p /var/log/ntop/rrd
[ ! -e /var/lib/ntop ] && mkdir -p /var/lib/ntop
[ -e /var/lib/ntop ] && chmod -R 777 /var/lib/ntop
[ -e /var/log/ntop ] && chmod -R 777 /var/log/ntop

# Lame test to check if it is already running... but...
brctl stp br0 off 2> /dev/null
if [ "$?" = "0" ]
then
    echo "Killing existing bridge"
    ifconfig br0 down
    brctl delbr br0
fi

# Take both NICs down, clear their addresses and put them in promiscuous mode,
# then bring them back up as members of the bridge.
ifconfig eth1 down
ifconfig eth0 down
sleep 2
ifconfig eth0 promisc 0.0.0.0
ifconfig eth1 promisc 0.0.0.0
ifconfig eth0 up
ifconfig eth1 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

# The bridge itself gets the host's address and the default route.
ifconfig br0 $BRIDGEIP netmask 255.255.255.0
ifconfig br0 up
sleep 2
route add default gw $UPSTREAMIP



Now at this point... the next thing I do is to make sure there is a routing table.

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
default Thibor 0.0.0.0 UG 0 0 0 br0

When you have done that... then typing route in a console
should give you something close to what I have here.
Notice now everything is going through br0.

Here is the result of my ifconfig

br0 Link encap:Ethernet HWaddr 00:00:92:a7:07:70
inet addr:192.168.1.149 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::200:92ff:fea7:770/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:503 errors:0 dropped:0 overruns:0 frame:0
TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:124796 (121.8 KiB) TX bytes:15556 (15.1 KiB)

eth0 Link encap:Ethernet HWaddr 00:00:92:a7:07:70
inet6 addr: fe80::200:92ff:fea7:770/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:51540 errors:1 dropped:0 overruns:0 frame:0
TX packets:24984 errors:3 dropped:0 overruns:0 carrier:3
collisions:0 txqueuelen:1000
RX bytes:56747937 (54.1 MiB) TX bytes:7775600 (7.4 MiB)
Interrupt:11 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 00:00:92:a7:07:71
inet6 addr: fe80::200:92ff:fea7:771/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:24374 errors:1 dropped:0 overruns:0 frame:0
TX packets:40936 errors:3 dropped:0 overruns:0 carrier:3
collisions:0 txqueuelen:1000
RX bytes:7763838 (7.4 MiB) TX bytes:53734456 (51.2 MiB)
Interrupt:11 Base address:0x2080

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:119 errors:0 dropped:0 overruns:0 frame:0
TX packets:119 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10484 (10.2 KiB) TX bytes:10484 (10.2 KiB)


You should be ready to install ntop now... if:
A. br0 has been assigned the IP address you gave it.
B. You can ping google.com from your Windows PC.

It may take a few, 30 seconds or so, for the bridge to become ready... so be sure to give it a little time.
Now do an
apt-get update
apt-get install ntop

The installation asked me what interfaces I wished to monitor.
You can probably tell it to use br0. (I told it to monitor eth0, eth1 and br0, but mine wasn't working yet!)

You will then just need to type ntop to start the logging.
Then from a machine on your subnet... open a browser and navigate to 192.168.1.149:3000 to see what info
ntop has gathered. :)

I will post some pics... later, and make corrections etc...
Now you really can find out what the heck that Windows machine is up to!
I'd recommend getting it all set up... and then just boot the Windows machine and then let it just sit there...
you know... let it think nobody is watching it. :)

One more thing... when you first start ntop... it will ask you for a password.
When you try and log in using a browser, and click the admin tab... it is going to ask.
You should use the username "admin" along with your password.

Ok... here is a pic of ntop. I had just cleared the logfile.
http://home.comcast.net/~johnrw/snapshot3.png
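
Added here as a worked example (it is not part of johnrw's post): a small readiness check that encodes the two conditions above, every route leaving via br0 and br0 carrying the bridge address, plus a poll loop for the 30 seconds or so the bridge can take to settle. It assumes the bridge is named br0, that BRIDGEIP matches the script above, and that route -n and ifconfig are present; the sample listings are constructed from the post's own route/ifconfig output.

```shell
#!/bin/sh
# Added example, not from the original post: readiness checks for the Knoppix bridge.
# Assumes br0, BRIDGEIP as in the bridge script, and that route -n / ifconfig exist.
BRIDGEIP=${BRIDGEIP:-192.168.1.149}

# route_via_bridge ROUTE_OUTPUT: succeed only if every route, including the
# default route, leaves via br0 (nothing still bound to eth0/eth1 directly).
route_via_bridge() {
    printf '%s\n' "$1" | awk '
        BEGIN { ok = 1; seen_default = 0 }
        /^Kernel IP routing table/ || /^Destination/ || NF == 0 { next }
        $NF != "br0" { ok = 0 }
        $1 == "default" || $1 == "0.0.0.0" { seen_default = 1 }
        END { exit (ok && seen_default) ? 0 : 1 }'
}

# bridge_has_ip IFCONFIG_OUTPUT IP: succeed if the br0 stanza carries "inet addr:IP".
bridge_has_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == "Link" { iface = $1 }     # a stanza starts with "<iface> Link encap:..."
        iface == "br0" && $1 == "inet" && $2 == ("addr:" ip) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# wait_for_bridge SECONDS: poll the live system until both checks pass or time runs out.
wait_for_bridge() {
    n=0
    while [ "$n" -lt "$1" ]; do
        route_via_bridge "$(route -n 2>/dev/null)" &&
            bridge_has_ip "$(ifconfig br0 2>/dev/null)" "$BRIDGEIP" && return 0
        sleep 1; n=$((n + 1))
    done
    return 1
}

# Constructed sample output, modelled on the post's route and ifconfig listings.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0'
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:00:92:a7:07:70
          inet addr:192.168.1.149  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0      Link encap:Ethernet  HWaddr 00:00:92:a7:07:70'

case "${1:-}" in
    --wait) wait_for_bridge 30 || { echo "bridge not ready after 30 s" >&2; exit 1; } ;;
esac
```

Run it as `sh bridgecheck.sh --wait` right after the bridge script; it exits 0 once the bridge is usable, which is the moment to go on to apt-get install ntop.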

borgward
12-10-2008, 05:09 AM
I did something similar using Ethereal. One PC is running Win98SE. The other was running Knoppix. Both are connected to a hub that is connected to a router w/a crossover cable. The router is connected to a USR external MODEM. I could then monitor traffic, but really did not know what to look for. How do I identify what is malware?

Harry Kuhman
12-10-2008, 06:22 AM
...... How do I identify what is malware?
Malware should have the "evil bit" set, as defined in RFC 3514 (http://www.faqs.org/rfcs/rfc3514.html).