1. Home
  2. Networking Firewalls
  3. cannot capture traffic between dsl modem and firewall

cannot capture traffic between dsl modem and firewall

I have a dsl modem that is plugged into a firewall/VPN box. I wanted to monitor what goes on between the ISP gateway and my firewall so I got a simple hub and inserted it between DSL modem and firewall.

I then configured by laptop with an IP address on the same subnet as my external ip (this may be optional if I remember correctly a card placed in promiscuous mode should get all the traffic anyway)

I then plugged the laptop into the hub and got Ethereal packet sniffer running on the laptop

Here's my problem. I am not able to see all of the traffic!

I see mostly ARP messages and occasionally TCP and UDP packets between hosts that are outside of my LAN (small surprise here)

But I do not see my attempts to access internet which successfully traverse that same firewall and come back with data through that same hub. I find this alarmingly weird.

Does anybody know if there is a reason for this ? Really appreciate help on this one.

-amerphy

Reply to
amerphy
Loading thread data ...

is your firewall logging in via PPOE or something? you may not see the pure traffic but rather have to look for the encoded traffic, ethereal probably can do something with it via one of its protocol modules, but if the transfer is encrypted.... ?

nrf

Reply to
nrf

I would say that you have a switch and not a true hub installed. Those ARP and few TCP/UPD traffic you are seeing is most likely broadcasts. To do what you want you are going to have to have a true hub that spits out the traffic on all ports. A switch will only send traffic to the port it is intended to goto where as a broadcast is supposed to be sent out all ports.

Reply to
Robert

I was just trying to observe non-encrypted traffic for now so I should still see it.

Encrypted or not, the underlying transport should be recognizable to sniffer. Even PPOE would still be some form of recognizable traffic for ethereal to capture.

Its almost like I have a switch and not a hub there, but it says quite clearly right on the front panel: "5 port 10/100 hub" it is an inexpensive hub made by Linksys. I am perplexed.

-amerphy

Reply to
amerphy

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.