This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you capture Subnetwork packets in wireshark ?


Hello ,

I have pfSense installed as a router in my local network. I have installed Wireshark on pfSense and am able to trace all the packets passing through the LAN or WLAN in my local network, but how can I trace the traffic of subnets under my local network?

I need to trace the clients who are connected to the subnet which is created by making hotspots on the local network. I tried the following approach on the CLI but did not get the desired information: http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/

Thanks in Advance

asked 05 Nov '15, 00:48


user5901


One Answer:


I'm not 100% certain that you are using the correct terminology for subnetworks. Normally, if we say our company network is 10.0.0.0/8 (so we are using all of 10.x.x.x), we might then break this down into subnetworks like 10.0.1.0/24 and 10.0.2.0/24 (each subnet having an address space of 254 hosts). We would then have a router, say with gateway addresses 10.0.1.1 and 10.0.2.1, routing between those subnetworks. If this is what you mean and all of the traffic you want to see is visible to pfSense on your router, then you could capture traffic just for the 2nd subnet with the capture filter "net 10.0.2.0/24".

If however by subnetworks, you mean traffic that is local to a particular LAN and might not all reach the router you mention, you will need to use something like port-mirroring on a switch with an interface in that subnetwork, and then capture that on a PC running Wireshark.

answered 05 Nov '15, 03:31


martyvis

Thanks for your answer.

Let me explain my architecture to you. I have a local network of 192.168.1.0/24 and I can monitor all the LAN/WLAN traffic of this network. Now let us suppose a user with IP 192.168.1.10 makes a hotspot/wifi using his system and creates a subnetwork in the 10.10.2.0/24 range. So, will I be able to detect the traffic/packets of this subnetwork which is created by making hotspots?

(05 Nov '15, 04:45) user5901

Supposing your pfSense is the only gateway from 192.168.1.0/24 to the outside world:

  • you WILL be able to see the traffic which goes between 10.10.2.0/24 and the outside world,

  • you WILL NOT be able to see the traffic which runs inside the 10.10.2.0/24 (between the "hotspot" users).

Now, I suppose that in order to allow bi-directional traffic between 10.10.2.0/24 and the outside world, 192.168.1.10 has to apply NAT on the traffic which goes from 10.10.2.0/24 to the outside world, because otherwise you would not forward the response packets for 10.10.2.0/24's requests to 192.168.1.10, as you probably haven't set up "route -net 10.10.2.0/24 gw 192.168.1.10" in your pfSense.

If the above is true, then you'll see all the traffic between 10.10.2.0/24 and the outside world, but its "local side" IP address will always be 192.168.1.10 in your captures. So you will not be able to reliably tell 192.168.1.10's own traffic from the traffic of the 10.10.2.0/24 members hidden behind 192.168.1.10.

(07 Nov '15, 00:03) sindy

Basically, if the 10.10.2.0/24 network is being NAT'd to the 192.168.1.10 address, then NO, you will not see any source IP addresses from the 10.10.2.0 network nor will you see any L2 MAC addresses as a source other than the 192.168.1.10 device.

The only way you might suspect this is a sudden increase in traffic to/from that particular address.

Best to just use a wifi tool such as Kismet or inSSIDer to periodically detect rogue APs within your office.

(10 Nov '15, 20:13) Rooster_50
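As an added example (not code from the thread or its participants), the Python below models what sindy and Rooster_50 describe: the hotspot host NATs its 10.10.2.0/24 clients, so the LAN-side capture on pfSense only ever shows 192.168.1.10 as the local source, and a jump in that host's flow count is the one indirect hint left. The flow records, the documentation-range destinations and the 3x threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport")

HOTSPOT_HOST = "192.168.1.10"                      # LAN host running the hotspot
HIDDEN_NET = ipaddress.ip_network("10.10.2.0/24")  # the hotspot's own subnet

# Constructed sample: flows as the hotspot host sees them on its wifi side.
HOTSPOT_SIDE = [
    Flow("10.10.2.11", "203.0.113.5", 443),
    Flow("10.10.2.12", "203.0.113.5", 443),
    Flow("10.10.2.13", "198.51.100.7", 443),
    Flow("10.10.2.12", "10.10.2.11", 445),  # stays inside the hotspot subnet
]
# Constructed sample: ordinary LAN flows pfSense saw earlier (the baseline).
BASELINE = [Flow("192.168.1.10", "203.0.113.5", 443),
            Flow("192.168.1.20", "203.0.113.5", 443),
            Flow("192.168.1.20", "198.51.100.7", 80)]


def nat_view(flows, nat_host=HOTSPOT_HOST, hidden=HIDDEN_NET):
    """Return the flows the way pfSense captures them on the LAN side.

    Traffic that stays inside the hidden subnet never reaches pfSense, and
    traffic leaving it has its source rewritten to the NAT host's address.
    """
    seen = []
    for f in flows:
        src_hidden = ipaddress.ip_address(f.src) in hidden
        dst_hidden = ipaddress.ip_address(f.dst) in hidden
        if src_hidden and dst_hidden:
            continue                      # hotspot-internal: invisible to pfSense
        if src_hidden:
            f = f._replace(src=nat_host)  # NAT hides the real 10.10.2.x source
        seen.append(f)
    return seen


def hidden_sources(flows, hidden=HIDDEN_NET):
    """Source addresses from the hidden subnet that appear in a capture."""
    return {f.src for f in flows if ipaddress.ip_address(f.src) in hidden}


def volume_suspects(baseline, current, factor=3):
    """Hosts whose flow count grew by `factor` or more against the baseline.

    A host carrying a whole subnet behind NAT tends to show such a jump; this
    is the only hint the capture itself offers (constructed threshold).
    """
    before, now = Counter(f.src for f in baseline), Counter(f.src for f in current)
    return sorted(h for h, n in now.items() if n >= factor * max(before[h], 1))
```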