What's the best way to wiretap a network?
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
I'd have to say this depends on the media involved. Ethernet switches allow the monitoring of specific ports (or entire VLANs) in most cases. This can be done without impact (assuming nobody goofs on the Ethernet switch config) to other people and limits the scope of packets inspected.

Various vendors have their own monitoring solutions and port replication features. I seem to recall one customer of my employer saying how much they enjoyed the ability to tcpdump/inspect traffic on their Juniper routers (with regards to a DoS attack we were working on tracking).

- Jared

On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
We've been using Shomiti taps for several years with good effect. All they do is copy all the data going through a segment (100bT in our case) to two ports, one for inbound, another for outbound. Now Finisar, they sell both copper and fiber taps for a variety of media, including Ethernet from 10Mbps to 10Gbps. They have been rock-solid, never missing a packet, and isolate the sniffer from the rest of the network.

Of course, you then need to choose a packet analyzer/IDS to use with the tap.

Doug

On Sat, 17 Jan 2004, Jared Mauch wrote:
I'd have to say this depends on the media involved.
Ethernet switches allow the monitoring of specific ports (or entire VLANs) in most cases. This can be done without impact (assuming nobody goofs on the Ethernet switch config) to other people and limits the scope of packets inspected.
Various vendors have their own monitoring solutions and port replication features. I seem to recall one customer of my employer saying how much they enjoyed the ability to tcpdump/inspect traffic on their Juniper routers. (with regards to a DoS attack we were working on tracking).
- Jared
On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Sat, 2004-01-17 at 21:08, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable
The best way to go undetectable is easy, run the sniffer without an IP address. The best way to tap a network varies with your setup. If you're repeated, just plug in and go. If you're switched (which most of us are), you need to figure out how to get in the middle of the data stream you want to monitor.

The best solution I've found is to use an Ethernet tap. It allows you to piggyback off of an existing connection and monitor all the traffic going to and from that system. It's pretty undetectable, does not use any additional switch ports, and allows you to run full duplex. A number of vendors sell them and a Google will give you sites on how to make them.

You can plug a mini-hub in line and use that as a tap point to monitor the stream. Upside is it's cheap and easy. Downside is you have to drop to half duplex. Not a problem in most situations but in some the drop in performance can be an issue.

Many switch vendors include a copy or mirror port that allows you to replicate all traffic to and from a specific port, to some other port where you can plug in your sniffer. Upside here is ease of configuration. If you want to start monitoring a different port it's a simple configuration change within your switch. Downside is you could end up missing packets (I've run into this myself). Seems when some/many switches get busy the first thing they stop doing is copying packets to the mirror port.

There are tools out there like Dsniff and Ettercap that allow you to sniff in a switched environment. I recommend you avoid them because they tend to either work or hose your network. You don't want to DoS yourself. ;-)
to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
Sniffing is a passive function so it's always possible you are going to miss data. It all depends on the capabilities of the box recording the packets. As for "risk", that's always there as well. For example check the Bugtraq archives and you are going to find exploits that work against tools like Tcpdump and Snort. The attacks go after the way the software processes the packet. So even if you are running without an IP address it's possible that someone with malicious intent can DoS the box.

HTH,
C
Assuming lawful purposes, what is the best way to tap a network undetectable
... The best solution I've found is to use an Ethernet tap. It allows you to piggy back off of an existing connection and monitor all the traffic going to and from that system. Its pretty undetectable, does not use any additional switch ports, and allows you to run full duplex. A number of vendors sell them and a Google will give you sites on how to make them. ...
i hadn't thought of making my own -- that sounds like a fun project. for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great. it's basically a hub, but with the interesting feature of letting you monitor TX and RX separately, and full duplex is preserved. (it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.) it also fails into "connected" mode if power is dropped. so if both power blobs die, you lose monitoring, but not connectivity. there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.

-- Paul Vixie
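Three practical points come up across the replies above: a tap with separate TX and RX outputs needs two capture interfaces whose records must be merged back into one timeline (Paul's 2x100Mbit remark), a busy mirror port silently drops copies so the capture can be incomplete (Chris's warning), and the analyser itself is exposed to malformed packets (the Tcpdump/Snort exploits Chris mentions). The following Python is an added example written for this page, not code from any participant or vendor: it merges two tap legs by timestamp, checks each TCP flow for sequence-number gaps that reveal dropped frames, and bounds-checks every header length so a truncated frame is skipped rather than crashing the tool. All frames, addresses (10.0.0.1, 10.0.0.2), ports and timestamps are constructed in memory as test data; checksums are left zero.

```python
"""Added example (not from the thread): merge the two legs of a dual-output
Ethernet tap into one timeline and check the result for TCP sequence gaps.
All frames below are constructed in-memory test data, not real captures."""
import heapq
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP frame for testing.
    Checksums are left zero; MAC addresses are all zero (constructed data)."""
    ip_total = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, consumed) for an IPv4/TCP frame,
    or None. Every length field is bounds-checked before use, so a truncated
    or deliberately malformed frame is skipped instead of crashing the
    analyser (the class of bug the thread warns about in tcpdump/Snort)."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or ip[9] != IPPROTO_TCP:
        return None
    total = struct.unpack("!H", ip[2:4])[0]
    if total < ihl + 20 or total > len(ip):
        return None
    tcp = ip[ihl:total]
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = tcp[13]
    # SYN and FIN each occupy one sequence number in addition to the payload.
    consumed = (len(tcp) - doff) + bool(flags & 0x02) + bool(flags & 0x01)
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, seq, consumed


def merge_legs(tx_leg, rx_leg):
    """Interleave two time-ordered (timestamp, frame) streams, one per tap
    output, into a single bidirectional timeline."""
    return list(heapq.merge(tx_leg, rx_leg, key=lambda rec: rec[0]))


def find_gaps(records):
    """Track the next expected sequence number per flow. A positive delta
    means bytes went over the wire that the capture never saw (dropped by a
    busy mirror port, the tap or the sniffer); a negative delta is a
    retransmission or overlap. Returns [(timestamp, flow, delta), ...]."""
    expected = {}
    gaps = []
    for ts, frame in records:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, consumed = parsed
        flow = (src, sport, dst, dport)
        if flow in expected and seq != expected[flow]:
            delta = (seq - expected[flow]) & 0xFFFFFFFF
            if delta >= 1 << 31:
                delta -= 1 << 32
            gaps.append((ts, flow, delta))
        expected[flow] = (seq + consumed) & 0xFFFFFFFF
    return gaps


def demo():
    """Constructed scenario: 10.0.0.2 sends 1000-byte segments to 10.0.0.1:80
    (TX leg) while the server sends 100-byte replies (RX leg). The client's
    third segment (seq 3000) is deliberately absent from the TX leg, as
    happens when an overloaded mirror port stops copying; a truncated junk
    frame is planted on the RX leg to exercise the parser's bounds checks."""
    c, s = "10.0.0.2", "10.0.0.1"
    tx_leg = [(1.000, build_tcp_frame(c, s, 40000, 80, 1000, b"A" * 1000)),
              (1.002, build_tcp_frame(c, s, 40000, 80, 2000, b"B" * 1000)),
              (1.006, build_tcp_frame(c, s, 40000, 80, 4000, b"D" * 1000))]
    rx_leg = [(1.001, build_tcp_frame(s, c, 80, 40000, 500, b"x" * 100)),
              (1.004, build_tcp_frame(s, c, 80, 40000, 600, b"y" * 100)),
              (1.005, b"\x00" * 20)]
    merged = merge_legs(tx_leg, rx_leg)
    return merged, find_gaps(merged)


if __name__ == "__main__":
    merged, gaps = demo()
    print(f"{len(merged)} records merged, {len(gaps)} gap(s): {gaps}")
```

On a real capture you would feed `merge_legs` the records read from the two tap-output NICs and treat any positive delta as evidence that the mirror port, tap or capture host lost frames during that interval. The gap check is per direction, which is exactly why a dual-output tap needs both legs captured: with only one leg you cannot tell a lost reply from one that was never sent.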
In message <g3zncl5h0f.fsf@sa.vix.com>, Paul Vixie writes:
i'm fairly sure that this is what law enforcement uses for wiretap warrants.
I believe you're correct. In fact, I first learned of these devices from government documents during the Carnivore discussions a few years ago. --Steve Bellovin, http://www.research.att.com/~smb
On Sun, 18 Jan 2004, Steven M. Bellovin wrote:
In message <g3zncl5h0f.fsf@sa.vix.com>, Paul Vixie writes:
i'm fairly sure that this is what law enforcement uses for wiretap warrants.
I believe you're correct. In fact, I first learned of these devices from government documents during the Carnivore discussions a few years ago.
Lots of people seem to be making the assumption that all networks work the same way or everyone wants the same data. Tapping an OC192 SONET circuit is expensive, but relatively straightforward. Tapping a V.92 analog modem is expensive and not straightforward. Tapping WiFi-to-WiFi traffic is cheap, but only if you are local. A sniffer on an upstream switch won't see the traffic below a network access point.

But a Title III warrant for "full content" is relatively difficult to obtain in the US. The public reports filed with the courts show a small percentage of wiretaps require full content. What's also interesting is if you read the various public submissions to many different working groups since the Carnivore discussions a few years ago, you'll notice a dramatic re-definition of more and more data as "call identification information" instead of "content."

The public proposals also seem to be somewhat arbitrary about which provider gets "tasked" with collecting the wiretap data. Should the first mile or last mile or middle mile provider be tasked with isolating call identification information and decoding it?

So what is the best way to wiretap a target using public WiFi hotspots connected through multiple wholesale providers and service providers to collect call identification information about who the target is communicating with through multiple application protocols including Webmail, IM and massively multi-player role playing games?
participants (6)
- Chris Brenton
- doug@nanog.con.com
- Jared Mauch
- Paul Vixie
- Sean Donelan
- Steven M. Bellovin