Ask Your Question
0

Help to set up a "pass through bridge" sniffer

asked 2017-12-28 04:11:24 +0000

wiresharkuser754372570 gravatar image

I would like to do the following scenario:

  • A laptop running Windows 10 with 1 Ethernet port. (The "Wireshark laptop".)

  • I will install a USB Ethernet dongle to the Wireshark laptop. Now the Wireshark laptop has two Ethernet ports.

  • Someone will hopefully tell us how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports. This can be Windows 10 configuration, or require installing commercial software.

  • There are other computers here. I will run Cat 5 from the other computers into Ethernet port 1 of the Wireshark laptop, and more Cat 5 from Ethernet port 2 of the Wireshark laptop to the Internet connection.

This will allow me to capture malicious outbound data. If you install Wireshark locally, viruses have enough kernel access that they can prevent Wireshark from "seeing" the outbound network data they send, so you must use an external sniffer. Basically I want to build a device to wiretap myself.

Could you please tell me how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports? In addition Wireshark needs to be able to sniff from either of these Ethernet ports.

Thank you for any help and advice.

edit retag flag offensive close merge delete

Comments

Yes, I know you asked for "Windows", but you can do this easily with Linux with brctl.

You can run a Live Linux (such as Kali) on your laptop, set up the bridge and run Wireshark to capture the traffic passing the bridge.

Uli gravatar imageUli ( 2017-12-28 14:52:01 +0000 )edit

Thanks. I might try it with Linux also.

wiresharkuser754372570 gravatar imagewiresharkuser754372570 ( 2018-01-01 22:43:38 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-01-19 04:37:10 +0000

wiresharkuser754372570 gravatar image

updated 2018-01-19 04:42:18 +0000

It worked.

I used a crossover CAT6 cable from the other computer to the Wireshark laptop.

I tried Bridge Connections but it didn't work. DHCP from the "Ethernet port 2" side (outside the Wireshark laptop) addressed both the Wireshark laptop and the other computer, but network transactions from either computer wouldn't work.

Instead, I used Internet Connection Sharing in Windows 10. This sets up an additional DHCP server to address the other computer.

When installing Wireshark, I selected all additional packages such as WinPCap. Once in Wireshark I selected the network interface associated with the other computer. It was named "Ethernet". This started real-time network monitoring.

Once in the data capture view the useful information was the IP and HTTP (application) layers. I could see IP layer transactions to see the destination IP addresses, and HTTP (non-HTTPS) showed me actual HTTP data. Without being able to decrypt encrypted application layer protocols, that may be the most that I can get out of this technique for detecting malware. Destination IP address is very useful, though.

Thank you for everyone's suggestions!

edit flag offensive delete link more
0

answered 2017-12-28 16:49:18 +0000

sindy gravatar image

updated 2018-01-02 06:45:59 +0000

While the validity of this answer may degrade over time as Microsoft keeps moving the network settings from the old, "Win7-like" way to the new one, you currently have to do the following:

  • most important point: use WinPcap, not Npcap, as Npcap for some reason cannot see the physical interfaces once they get enbridged
  • right-click the network symbol in system tray and choose "networks and internet" or right-click "Start" (the Windows icon) and then choose "network settings"
  • once there, choose the "network connections and sharing center" or whatever that item may be called in your Windows' language, it should open the "Win7-like" window
  • in the left column, click "change adapter settings", a new window with a list of all network cards opens
  • in that window, left-click one of the adaptors you want to enbridge, and then hold the Ctrl button and left-click the other one
  • now right-click any of them and choose "enbridge" (the 4th item from the top), a new "network card" will be created.

In Wireshark you have to capture at one of the physical adaptors, as the virtual one does not get the transiting packets (which is a correct behaviour).

The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.

The bridge does not disappear automatically if you disconnect your USB Ethernet "card", so you can keep it (and its settings) long-term.

Something is telling me that the MAC address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).

There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface before connecting the infected machine.

edit flag offensive delete link more

Comments

Thanks for so many details. I'll get back to this thread after I try it, which may take some time. About your malware point, the possibly "infected" host is actually running Linux.

wiresharkuser754372570 gravatar imagewiresharkuser754372570 ( 2018-01-01 22:45:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2017-12-28 04:11:24 +0000

Seen: 22,107 times

Last updated: Jan 19 '18