Ask Your Question
0

Capturing packets from ISP side of router

asked 2022-03-31 01:37:17 +0000

DoctorBrown gravatar image

I'm having an issue where intermittently DNS requests time out. I have the standard ISP cable connection, a modem and a Linksys Mesh router. Most of the time everything is working fine. Good download speed, no issues connecting to internet web sites and all. Intermittently, I get the error that a website can't be found. When I jump into a cmd window, and issue a nslookup to a node at my ISP, the requests timeout. If I use the ISPs DNS address, (NSLOOKUP imap.myisp.com <isp addr="" dns="" server=""> )the request succeeds. so it looks like my router is not forwarding the DNS request. BTW, when this is occurring, all existing connections continue, no dropped connections, no drop outs logged by the modem or router.</isp>

If I configure the ISPs DNS server addresses in my PC Ethernet config, I don't see the issue.

I can't tell if the IPS is causing the issue or my router. To verify, I think I would need to capture the traffic on the internet side of the router. Is this even possible? If so, how? If I put a Managed switch in line and setup a port for Mirroring, would that work? Would the monitoring computer be visible on the ISPs network?

I've called the cable company and they didn't see any issues on their side. I called the router company and they couldn't help. Any ideas on how to narrow this down?

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2022-03-31 19:42:04 +0000

André gravatar image

If I understand it correctly you have a (wired) Ethernet cable between the modem and the Linksys Mesh router and the modem is truly a modem (not doing routing, firewalling, NAT, etc.). Then capturing on the WAN side is basically the same as on the LAN side.

A tap will work.

A switch with monitor function will also work, provided the ISP does not check for or require specific MAC-addresses. Depending on the model of the switch you may have to disable the 'packet injection' feature.

edit flag offensive delete link more

Comments

Yes you understood exactly. Thank you, that what I was thinking, but just wanted to be sure. I'm just a typical home user that usually only uses (or is allowed) one device with a WAN IP address.

DoctorBrown gravatar imageDoctorBrown ( 2022-03-31 20:03:02 +0000 )edit
0

answered 2022-03-31 06:15:06 +0000

Vtechie gravatar image

You could call the FCC and ask if it is legal to set up a port mirroring, let them know what is happening, they maybe able to suggest something to you. If not just try the switch and port mirroring anyway.

I connected my computer to the modem from my ISP and got traffic, packet captures to see what was happening and that is a mess.

edit flag offensive delete link more

Comments

Yes, I know that connecting your computer (as the only node) works, but what I'm doing is connecting a second device to the internet side. I'm not sure what happens then. Does the ISPs gateway assign a second IP to the connection? or is it blocked, or something else.

Sure I could just try it and see what happens. I might do that.

Re: FCC, that might be a little risky given all the hacking I've been doing lately. LOL.

DoctorBrown gravatar imageDoctorBrown ( 2022-03-31 06:26:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2022-03-31 01:27:55 +0000

Seen: 1,132 times

Last updated: Mar 31 '22