Slashdot Mirror


Build an Open Source Network Sniffer

An anonymous reader writes "This article reviews common issues of wireless security, and shows how to use open source software to suss out wireless networks, get information about them, and start recognizing common security problems. You will learn how to build a lightweight wireless sniffer that runs on open source software and see how simple it is to interact with wireless networks."

99 comments

  1. What I really want by nizo · · Score: 4, Interesting

    Rather than yet another wireless sniffing tool, what I really want is a linux firewall that sits between my wireless router and the rest of the world that tosses traffic from unauthenticated IP addresses (you could authenticate with, say, ssh or perhaps by hitting an SSL protected web form). Until the newly connected machine authenticates itself the firewall would squelch all outgoing traffic. It seems like this wouldn't be too hard to write, but before reinventing the wheel has anyone heard of such a thing? It would at least help keep random people from using our wireless network to surf the web (it is already outside of our firewall to help protect the rest of our network). I am all for allowing freebie wireless access to the masses, but I am not too keen on letting Joe Wardriver download kiddie porn from our work DSL either. This kind of tool seems like it would be useful to use in conjunction with a low-end wireless router.

    1. Re:What I really want by ZiZ · · Score: 5, Informative

      What you really want is something like NoCatAuth (described nicely by this article). There are plenty of other similar solutions out there - look for 'linux wireless authentication gateway' or something similar on your favorite search engine.

      --
      This flies in the face of science.
    2. Re:What I really want by heavy+snowfall · · Score: 5, Informative

      Try ipcop, it can split off your network into a wireless part and a wired part, and even add a third zone for public servers. The wireless part defaults to not giving access to either the internet or your other, wired computers, and you have to add mac addresses to a table for wireless clients to be able to connect. And it has nice graphs too, so you can see if someone's using your connection. Use this with WPA and vpn maybe. If you want more security, use wired lan instead.

    3. Re:What I really want by nizo · · Score: 1

      Thanks, that certainly looks like it may be what I am looking for.

    4. Re:What I really want by john_g_galt · · Score: 5, Informative

      Sounds like you'd like something like this?

      From the website above:

      "NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs."

    5. Re:What I really want by nizo · · Score: 3, Informative
      ...add mac addresses to a table for wireless clients...

      Sadly this isn't very secure, since mac addresses can be faked (my wireless router already has this feature built-in). However it looks like ipcop has other types of authentication too [Version 0.2 of IPCop will include an Amber Zone (Wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections among other things] so I will check it out :-)

    6. Re:What I really want by nizo · · Score: 1

      Interesting, I did search for "authenticated DHCP" earlier but didn't find this for some reason. I currently allow the wireless router to act as the DHCP server, but it has the option to allow another host to do this. Thanks for the link!

    7. Re:What I really want by heavy+snowfall · · Score: 3, Informative

      I know they can be faked, but it's still much better that, if someone wants access to your network, they have to spend some time trying to figure out your mac and ip addresses, than not, IMO.

      It's more of a deterrent than an unbreakable security measure, but add enough deterrents and that wardriver might just use your neighbour's unsecured network instead.

      And if they manage to get access, they still have to crack an iptables firewall to get to your servers. Good enough for me.

    8. Re:What I really want by john_g_galt · · Score: 1

      No problem. I remembered it from a Sys Admin magazine a while back, so I think it's been in production for a few years and is probably fairly stable. That said...I've never used it ;)

    9. Re:What I really want by MeanJeans · · Score: 3, Informative


      The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound. All traffic originating on the "Green" (inside or internal) interface is permitted. Nachi and Slammer will fly right through this config. Any worm or virus or trojan that tries to use TFTP to download more tools will also be successful.

      Permitting only the traffic that needs to traverse a firewall IN ALL DIRECTIONS is a basic firewall/security concept.

    10. Re:What I really want by Peyna · · Score: 2, Informative

      Considering the number of entirely open networks out there, I expect most people will just drive onto the next one unless they know you have something valuable on your network that they really want. For the average home user, WEP + MAC Address filtering is enough security to make the wardriver go to the next house. If you're a business with your name on the outside of the building though, you might have people that will be willing to try a little more to get access to your network.

      (I did this when I first moved into my apartment, since I wasn't going to have cable hooked up for 3 weeks, I just took my laptop and walked around until I found a few open networks and used them for Internet access.)

      --
      What?
    11. Re:What I really want by MeanJeans · · Score: 2, Informative

      Let me clarify my last post. If a machine on your IPCop/Smoothwall protected network is compromised, then any outbound connections that these worms/virus/trojans/attackers make, will successfully traverse the firewall.

      In the case of a worm like Slammer, it will be able to further propagate, Nachi will be able to flood your ISP connection, an attacker will be able to download a toolkit, etc...

    12. Re:What I really want by matuscak · · Score: 2, Funny

      The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound.

      But one of the neat things about IPcop is that it's one of them open source things. So while you're quite correct that the pretty GUI doesn't have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.

    13. Re:What I really want by MeanJeans · · Score: 1

      But one of the neat things about IPcop is that it's one of them open source things. So while you're quite correct that the pretty GUI doesn't have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.

      True. And I have done this with my own Smoothwall box. It would be nice to have this in the GUI. I believe it must be there before either of these firewall packages can claim that they can/should be used in business environments as is.

      To answer your next comment, I am not proficient enough at programming to offer to add these functions to the GUI. I can only be a critic...

    14. Re:What I really want by Old+Telco+Guy · · Score: 1
      You know, I really like the look of IPCop, but one thing I didn't see when I looked at the manual and screenshots is support for outbound traffic rules. I like to deny all outbound traffic by default, and then enable particular services from particular boxes (such as POP to my ISP's mail server, HTTP/S from my LAN Squid box, etc.)

      For the life of me, I can't see where you'd codify that in IPCop. It seems to assume that the only traffic that needs to be regulated is inbound traffic. Prove me wrong and I'll gladly invest the time in putting together and experimenting with an IPCop box.

    15. Re:What I really want by Anonymous Coward · · Score: 1, Interesting

      Have you looked into PublicIP? It's easy to set up and runs off a live distro.

    16. Re:What I really want by heavy+snowfall · · Score: 1

      It shouldn't be that complicated, I might give it a try some time later this week.
      I'll contribute it if it turns out well.

    17. Re:What I really want by MeanJeans · · Score: 1

      That would be sweet. I haven't looked into it. I don't know if they use perl or php or what for the web interface. You're right though, it probably isn't that involved.

    18. Re:What I really want by pclminion · · Score: 1
      You can accomplish what you want with VPNs. The WAP exists in a little isolated world along with a VPN server. Clients connect to the AP and have to log in to the VPN in order to go anywhere "real."

      The particular choice of VPN client/server software depends on the types of clients you'll want to allow, etc.

    19. Re:What I really want by marcansoft · · Score: 1

      How about a plain apache+ssh/whatever authentication server with a form (php or whatever) that calls a script to add an iptables rule? Seems simple enough to me...

    20. Re:What I really want by Anonymous Coward · · Score: 0

      Microsoft's ISA (Internet Security / Accelerator) is an awesome firewall tool.

      Absolutely stable, a breeze to configure, secure and filters traffic in both directions as well as allowing an arbitrary zone setup. Not to mention the protocol filters built in (read only ftp? no problem!).

      Sweet.

    21. Re:What I really want by Anonymous Coward · · Score: 0

      having your apache add an iptables rule?

      whatever!

    22. Re:What I really want by marcansoft · · Score: 1

      having your apache either notify a daemon or send the ip address to a sudo script that does basic sanity checks before adding the rule

      no, i'm not THAT crazy to run my php scripts as root :-)

    23. Re:What I really want by Saint+Aardvark · · Score: 1
      This might do what you want:

      http://openbsd.org/faq/pf/authpf.html

    24. Re:What I really want by Jjeff1 · · Score: 2, Informative

      What you've described is exactly what MIT uses on their network. They have a large number of both wireless and wired access places. I'd assume some googling on their site might get you a little information.
      Attach a foreign computer and it prompts you to login. Non MIT users are prompted for name and email and only allowed 15 days access per year.
      Apparently they key everything via MAC address. I let a friend borrow my old wireless NIC, when he went to register it welcomed ME back. I hadn't used the NIC in a year.

    25. Re:What I really want by Anonymous Coward · · Score: 0

      You want a CN1250:

      http://www.colubris.com/Content.aspx?id=245

    26. Re:What I really want by Triffid_Hunter · · Score: 1

      did it with samba.

      mount network drive -> add a few entries in the firewall
      unmount -> remove entries

      works a treat when all your tables are default drop ;)

    27. Re:What I really want by Anonymous Coward · · Score: 0

      You're looking for a captive portal. NoCatAuth is available as someone's already mentioned, but there's also a firewall project with one built in called m0n0wall http://m0n0.ch/wall/

    28. Re:What I really want by Bert64 · · Score: 1

      And it's expensive, so you may as well buy another commercial offering like checkpoint, which is far more powerful...
      ISA also cannot handle the same throughput of a checkpoint or a unix firewall on the same hardware.. I was working at a site using one just last week and it was constantly causing trouble, despite there being 6 of them supposedly load balanced.. And the ISA service itself depends on so many other things such as RPC and DCOM, things that really have no place whatsoever on a firewall.
      And the name.. ISA is still associated with slow old isa cards.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    29. Re:What I really want by Anonymous Coward · · Score: 0

      Version 0.2? I don't know what web site you're reading, but I'm currently using v1.4 of IPCop.

    30. Re:What I really want by Syberghost · · Score: 1

      Sounds like what you really need is FreeRADIUS on the Linux box, and WPA on the wireless router.

      Assuming you were looking for accomplishing all of that and didn't care whether the buzzword "firewall" was involved.

    31. Re:What I really want by kjs3 · · Score: 1
      I wouldn't use CIPE. Unless something has dramatically changed, it has some major problems. Please see:

      http://diswww.mit.edu/bloom-picayune/crypto/14238

      and

      http://www.politechbot.com/pipermail/politech/2003-September/000038.html

      They may have fixed this. I dunno, since the reaction of people on the list to this analysis made me write the whole thing off and unsubscribe.

  2. Network "sniffer"? by ZiZ · · Score: 5, Interesting
    While this tool that TFA references and builds is a pretty neat interface to viewing broadcast-SSID access points, I don't think it really qualifies as a 'sniffer', because it doesn't deal at all with sniffing packets, detecting non-broadcast-SSID access points, or anything along those lines.

    It is, however, a pretty neat text-only interface to enumerate broadcasting APs, and honestly, the code for the interface makes for more interesting examination than the code for the 'sniffing'.

    --
    This flies in the face of science.
  3. Why not by Anonymous Coward · · Score: 1, Insightful

    just get a WPA-enabled wireless router?

    1. Re:Why not by Nosf3ratu · · Score: 1

      short answer: they're not as available as they should be.

      --
      The old Lie: Dulce et decorum est Pro patria mori
    2. Re:Why not by Directrix1 · · Score: 2, Informative

      Exactly so here is my method to solve this problem:
      * Buy wireless AP and a linux box with 2 NICs
      * Hook one NIC to your network the other NIC to the wireless AP
      * Download and install OpenVPN on your linux box
      * Setup iptables to DROP all packets being forwarded from the outside NIC to the inside and vice versa:

      # Assuming:
      # * eth0 is the outside NIC (towards the wireless AP)
      # * eth1 is the inside NIC (towards your network)
      # * The default iptables FORWARD policy is ACCEPT
      # * Your linux kernel supports iptables and routing
      # * OpenVPN uses tun0, so decrypted VPN traffic is not matched by these rules
      iptables -A FORWARD -i eth0 -j DROP
      iptables -A FORWARD -i eth1 -o eth0 -j DROP
      echo 1 > /proc/sys/net/ipv4/ip_forward

      * Install OpenVPN on all clients and point them to the outside NIC as the remote server

      This way only VPN-to-inside-NIC packets will traverse your linux box, and everything will be encrypted with as big a key as you want. So you could just set up your AP without a WEP key and not worry (assuming you are using some key to encrypt the communications with OpenVPN, which you should). Have Fun!

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
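The two designs discussed in this thread, Directrix1's drop-everything-except-the-VPN gateway above and marcansoft's form-driven helper that sanity-checks an IP before adding an iptables rule, written as one rule generator. This is an added example, not code from the article or from either poster; the interface names eth0/eth1/tun0, the 192.168.100.0/24 wireless subnet, the WLAN_AUTH chain name and UDP port 1194 for OpenVPN are assumptions.

```python
"""Rule generator for a wireless authentication gateway (added example).

Combines two ideas from the thread: a default-deny FORWARD policy that only
lets OpenVPN traffic through (Directrix1's steps), and a sudo-invoked helper
that sanity-checks a client IP handed over by a web form before adding an
iptables rule for it (marcansoft's suggestion).  All names below are
assumptions: eth0 faces the AP, eth1 faces the trusted LAN, tun0 is the
OpenVPN device, the AP subnet is 192.168.100.0/24.
"""
import ipaddress
import subprocess
from typing import List

OUTSIDE_IF = "eth0"    # NIC towards the wireless AP (assumed)
INSIDE_IF = "eth1"     # NIC towards the trusted network (assumed)
VPN_IF = "tun0"        # OpenVPN tunnel device (assumed)
OPENVPN_PORT = "1194"  # OpenVPN's default UDP port (assumed unchanged)
WIRELESS_NET = ipaddress.ip_network("192.168.100.0/24")  # assumed AP subnet
AUTH_CHAIN = "WLAN_AUTH"  # chain holding per-client ACCEPT rules (assumed)

Rule = List[str]


def baseline_rules() -> List[Rule]:
    """Default-deny forwarding; only the VPN and explicitly authorised clients pass.

    Decrypted VPN traffic enters the box on tun0, so allowing tun0->eth1 lets
    VPN users through while cleartext wireless frames arriving on eth0 still
    hit the DROP policy.  The WLAN_AUTH chain is consulted for eth0->eth1 so
    clients authenticated through the web form can be added without touching
    FORWARD itself.
    """
    state = ["-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"]
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-N", AUTH_CHAIN],
        # Replies to anything that was already allowed out.
        ["iptables", "-A", "FORWARD", "-o", OUTSIDE_IF] + state,
        ["iptables", "-A", "FORWARD", "-o", VPN_IF] + state,
        # Wireless side: per-client rules first, then VPN tunnel traffic.
        ["iptables", "-A", "FORWARD", "-i", OUTSIDE_IF, "-o", INSIDE_IF, "-j", AUTH_CHAIN],
        ["iptables", "-A", "FORWARD", "-i", VPN_IF, "-o", INSIDE_IF, "-j", "ACCEPT"],
        # The gateway itself must accept OpenVPN handshakes from the AP side.
        ["iptables", "-A", "INPUT", "-i", OUTSIDE_IF, "-p", "udp",
         "--dport", OPENVPN_PORT, "-j", "ACCEPT"],
    ]


def client_rule(client_ip: str, remove: bool = False) -> Rule:
    """Build the per-client rule, refusing anything that is not a plausible client.

    The address comes from an untrusted form, so it is parsed as an IP rather
    than pasted into a shell string, and it must be a host address inside the
    AP subnet.  ValueError is raised otherwise; a sudo-invoked helper should
    turn that into a non-zero exit instead of an iptables call.
    """
    addr = ipaddress.ip_address(client_ip.strip())  # ValueError on garbage
    if addr not in WIRELESS_NET:
        raise ValueError(f"{addr} is outside the wireless subnet {WIRELESS_NET}")
    if addr in (WIRELESS_NET.network_address, WIRELESS_NET.broadcast_address):
        raise ValueError(f"{addr} is not a host address")
    action = "-D" if remove else "-I"
    return ["iptables", action, AUTH_CHAIN, "-s", str(addr), "-j", "ACCEPT"]


def is_acceptable_client(client_ip: str) -> bool:
    """True when client_rule() would accept the address."""
    try:
        client_rule(client_ip)
    except ValueError:
        return False
    return True


def apply_rules(rules: List[Rule], dry_run: bool = True) -> int:
    """Run rules as argument lists (never a shell string); returns the count."""
    for rule in rules:
        if dry_run:
            print(" ".join(rule))
        else:
            subprocess.run(rule, check=True)
    return len(rules)


if __name__ == "__main__":
    apply_rules(baseline_rules())
    apply_rules([client_rule("192.168.100.42")])
    for bad in ("10.0.0.1", "192.168.100.5; reboot", "::1", "192.168.100.255"):
        print(f"accepted {bad!r}: {is_acceptable_client(bad)}")
```

Run it as-is for a dry run that only prints the rules; pass dry_run=False (as root) to apply them.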
  4. Commercial Sniffer Applications by Anonymous Coward · · Score: 4, Interesting

    Has anyone actually looked at the cost of commercial "Sniffer" devices? Network General (Formerly Network Associates) sells a version that is outrageously priced. Granted, it does have additional functionality, but all you need is a Sniffer. I wonder how a company can sell such a half-assed product, and why people would still buy it. Ethereal is a really nice "free" program to use, and there are many other ways to get a NIC to display everything flowing through it.

    1. Re:Commercial Sniffer Applications by dustinbarbour · · Score: 3, Interesting

      I'm part of a federally-funded research team working on wireless security and internet forensics and we use AirMagnet to sniff packets.

    2. Re:Commercial Sniffer Applications by Anonymous Coward · · Score: 1, Interesting

      The reason Network General sells Sniffer as software so well is the functionality that is built in, but also the assurance that it works as advertised with the supported NICs.

      Distributed sniffer sells because it can keep up with its rated capacity, 2GB/s (the one I use) without dropping a single frame and the pre/post filters are great for slicing and dicing data. I can get to it from almost anywhere, and I don't have to monkey with it.

      I am very grateful for the work done in open source projects and I support the ones I use with donations, but there are times when I need a commercial product.

    3. Re:Commercial Sniffer Applications by ebyrob · · Score: 1

      ...federally-funded...AirMagnet...

      Um... ya, I'm guessing when the parent poster said "outrageously priced" they had products just like yours in mind. I mean, if the price *isn't even listed* on their website then you probably can't, or don't want to, afford it.

  5. Better yet by Anonymous Coward · · Score: 1, Insightful

    WPA w/ a radius server running on that linux box.

    1. Re:Better yet by Thud457 · · Score: 1
      You wanna sniff WHAT now?!!!

      That's gonna cost extra...

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  6. Wow, what a great article. by thegnu · · Score: 5, Funny

    I have bookmarked it. This is the kind of crap I love. I just today acquired a Cassiopeia E100 for free, and I'm going to a)install Linux on it, and b)see if I can get wireless running on it. This is gonna be awesome.

    My favorite software slogan ever is for ethereal, "Sniffing the glue that holds the internet together"

    I'm sure a lot of you know this but this is in reference to TCP/IP being called "the glue that holds the internet together" Oh so funny. And oh so off-topic. I'm sorry. I love you guys.

    --
    Please stop stalking me, bro.
    1. Re:Wow, what a great article. by Anonymous Coward · · Score: 0

      I just today acquired a Cassiopeia E100 for free, and I'm going to a)install Linux on it, and b)see if I can get wireless running on it.

      Good luck with that. If you get Linux running on the E100 with a usable interface, make a webpage or post an article. Been trying to get Linux with a decent interface to run on a E105 for quite a while. Not as easy as it seems.

    2. Re:Wow, what a great article. by John+Hurliman · · Score: 1

      After reading this post I'm thinking TCP/IP packets should be added to the DEA controlled substances list.

    3. Re:Wow, what a great article. by Anonymous Coward · · Score: 0

      There is supposed to exist a pocketlinux distro that runs on the E-105 but the image seems to have vanished off the internet. I have found the ipaq version, but that doesn't really help.

    4. Re:Wow, what a great article. by Scott7477 · · Score: 1

      The great thing about this article is that it is posted on IBM's website. I had no idea that they had this kind of stuff on their site. I get to like IBM more and more each day.

      --
      "Lack of technical competence coupled with the arrogance of power, as usual, leads to no good end."
    5. Re:Wow, what a great article. by Anonymous Coward · · Score: 0

      Mod parent up!


  7. Don't surf 'n drive! by AchilleTalon · · Score: 0, Offtopic
    "During testing for this article, I had a recurring problem: my equipment kept accidentally picking up networks other than the ones I wanted to test. In fact, my laptop has found wireless networks to associate with while I'm traveling on the freeway!"

    I wonder which freeway it was. I drove from Montreal down to Dover DE, crossing Newark NY and Albany NY, and I left kismet open and I never picked up a signal. Maybe I was driving too fast. ;-)

    --
    Achille Talon
    Hop!
  8. Linksys WRT54G/GS by adamjaskie · · Score: 5, Interesting

    It's sold as a "router", but what it really is is a little plastic box with a 200MHz MIPS embedded computer running Linux. You can replace the firmware with something like Sveasoft's modified version, that allows you to SSH into it, and run something like Snort on it. You can turn off the onboard wireless card if you don't need it, and disconnect the antennas for an even more compact device. Without the radio going, it probably won't even put out much heat.

    --
    /usr/games/fortune
  9. Simple hardware solution by pp · · Score: 4, Insightful

    Get a Linksys WRT54G (no need for GS even, you're just going to use it for sniffing), stick openwrt on it, put kismet_drone on it and off you go. Gives you your wlan traffic over good old Ethernet, and costs something like $65 nowadays.

    Or you can buy a $30-50 card for your PC which might or might not be able to do monitor mode depending on your drivers, and might or might not reliably go into monitor mode depending on the exact sequence of iwconfig/ifconfig/catting stuff into files in /proc you are doing and finally might or might not show you all the packets since the firmware hides them from you.

    Of course if you're running around with a laptop the Linksys option is a bit tricky since you need to feed power to it. For basic indoor problem-solving it's unbeatable. Unless someone comes up with a reliable source for prism2.5/3's.

    Still need to find a good 802.11a solution though.

    1. Re:Simple hardware solution by adamjaskie · · Score: 4, Informative

      The GS has twice the RAM and NVRAM of the regular WRT54G. This can be helpful as far as running packet sniffing apps on it is concerned.

      --
      /usr/games/fortune
    2. Re:Simple hardware solution by SIGBUS · · Score: 1

      The Proxim Orinoco b/g and a/b/g cards work nicely with the madwifi drivers. Not yet plug-and-play right now, but once it's set up it works very well. Be sure to grab the latest snapshot of Kismet.

      --
      Oh, no! You have walked into the slavering fangs of a lurking grue!
    3. Re:Simple hardware solution by Anonymous Coward · · Score: 0

      SMC2532W-B

      200mw transmit and a very sensitive receiver.

      It works fine with the orinoco drivers.

    4. Re:Simple hardware solution by Jon+Howard · · Score: 1

      The WRT54G cannot do channel-hopping monitor mode. See the Kismet mailing list for confirmation. I have a hack I use which loops 'wl scan' to keep switching channels automagically. I admit it's cheap, but it works well enough for my needs.

    5. Re:Simple hardware solution by Bert64 · · Score: 1

      The newer a/b/g cisco cards work nicely too, also with the madwifi drivers... I don't know if there's any other a/g cards which work for sniffing

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  10. RE: Cassiopeia E100 by Anonymous Coward · · Score: 0

    You forgot... "c) Take over the world!"

  11. Project box disappointment by tomofdarknesss · · Score: 1

    After the article yesterday (the day before?) with the Altoids tin MP3 player, I thought this was going to be another project like that and got my hopes up. Oh well. :)

  12. The problems with Open Source Sniffers by Anonymous Coward · · Score: 1, Informative
    Unfortunately, sniffers are one area that Open Source solutions fail miserably; at least with modern high-speed networks. And there isn't any easy solution around this. Granted, we're talking in the 100-1000 Mbps range; but the wireless folks are moving in that direction.

    There's a paper which discusses the problem quite well: http://luca.ntop.org/Ring.pdf

    The thing which I found surprising is how badly Linux stood up to the tests. The standard Linux kernel + stack was dropping the majority of packets; and only with special tweaks was it able to get to capturing 93% of the packets. But 93% still isn't 100%, which is what commercial sniffers have been doing since the DOS days.

    So the bottom line here is:
    1. Don't use off-the-shelf BSD or Linux without serious tweaking.
    2. Even then you'll still be dropping packets.

    What is also interesting is that MS Windows isn't close to supporting this type of technology, which means the MS servers are going to be in serious trouble as more people adopt Gigabit networks.

    1. Re:The problems with Open Source Sniffers by Anonymous Coward · · Score: 2, Interesting

      Nope, that's not a troll. Please go read the paper. Linux has too much overhead when handling interrupts.

      I suppose you can stick your head in the sand, but unless you know how to deal with this, you're misleading people if you think you're actually capturing packets on a high-speed network.

      This is actually an important problem for those of us who are trying to use Linux in this area; and this is the first paper I've seen which actually describes the problem, how to reproduce it, and some work-arounds for it (but no real fix).

  13. Wireless and Open Source, the sad story by Anonymous Coward · · Score: 1, Insightful
    Current status is pretty poor. Well, it isn't if you consider "open source" some stub code with a binary object file for Linux.

    Here, I would like to call everyone's attention so people get rid of the cloth in front of the eyes and see the real status: some do NOT provide info, like Conexant for their new generation prism54 (Intersil did for the first gen), Intel for their 2100 or 2200 chips or TI for the acx100. Others provide binary only drivers, like Atheros (dig in the OpenBSD source, they reverse engineered the atheros hw abstraction layer). If they do not want to help at all, fine, but do not say they are nice for PR reasons.

    For me "Open Source Network Sniffer" covers the full kernel and the apps used for the sniffing. Please, think twice before affirming something is open source (binary drivers are not, even if the stub code is open source) and also that the company is open source friendly (provide help to Linux, *BSD and similar coders, maybe even the driver, is). At this moment, the only few I know that still are pro open source drivers, or even provide support (if my investigation isn't wrong), are Realtek and Ralink (and Intersil, but it doesn't exist anymore).

    And for those that think binary is better than nothing... then why *BSD or Linux at all? If it starts with "but is wifi card" or "well, it is only the video card", I don't see why not apply that logic to the OS anyway, or all the apps too.

    Thanks for your attention.

  14. wireless tools for linux... by jdrake · · Score: 1

    all I am after, is a simple tool to switch networks on the fly... I can make wireless work great, but if I don't connect to the network I want the first try, I am stuck...

    kismet requires special drivers to scan, but if you figure that winxp comes with a simple interface for this built-in, it's kinda depressing that we can't seem to build a good tool that can do that, list the available networks, and give a good connect to them.. (without beating my head on the kernel modules, been there, it hurts, especially when you go to upgrade the kernel) so anyone know of anything simple that a newbie who's been around too long to be a newbie, like me hasn't found yet? that's been what i've been digging around for a while to find...

    currently using a dell truemobile 1150 pcmcia, and fedora core 2... kernel is 2.6.8-521.. off the top of my head, I think that's right, but is there a universal solution? that's the real question...

    --
    "...and I am _not_ intoxicated... YET!" --John Wayne
    1. Re:wireless tools for linux... by Anonymous Coward · · Score: 0

      system-config-network does a little of what you want. It's the weirdest interface I've ever seen, but when you get the hang of it, it kinda works.

    2. Re:wireless tools for linux... by Triffid_Hunter · · Score: 1

      i wrote a pair of perl scripts on a friend's laptop that stores all the networks it sees, regurgitates a list on request and will connect to a given name.

      the whole thing was about 2 pages of code, and only used the wireless-tools package...

      read the manual for iwconfig and associated tools ;)

  15. Re:Crotchbusters by Ungrounded+Lightning · · Score: 1

    I'd prefer to build an open source panty sniffer.

    Start by obtaining a beagle.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  16. Not really want I was looking for.... by poofyhairguy82 · · Score: 1
    The article looks promising until I see lines of code instead of nice screenshots. Does anyone know a good GUI tool for Linux (built with something like QT or GTK) that is free (like speech) that allows me to find broadcasted SSIDs in my area?

    Windows users love to rub in how easily their linksys tools do this for them... I want an equivalent for my Ubuntu box.

    I am the new wave of Linux users- "the more GUI the better" (TM).

    1. Re:Not really want I was looking for.... by Raleel · · Score: 1

      Kismet itself will do this. It comes with an ncurses based gui, which might not be what you want, but it is plenty when all you are looking for is "wep/nowep" and ssid.

      check out gkismet... that'll give you the gui.

      --
      -- Who is the bigger fool? The fool or the fool who follows him? --
    2. Re:Not really want I was looking for.... by MimsyBoro · · Score: 1

      I installed something called kwifimanager (notice the KDE k there) Works great...

      --
      God made the natural numbers; all else is the work of man - Kronecker
    3. Re:Not really want I was looking for.... by mrogers · · Score: 1

      The program's just a Perl script that parses the output of iwconfig and presents it in a curses interface. You could rewrite it in Python and stick the output in a PyGTK text box instead.
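The parsing half of such a tool in Python, as an added example rather than the article's Perl script; it assumes the scan text comes from wireless-tools' `iwlist <iface> scanning` (the command that actually lists nearby cells), and the sample dump it parses is constructed, not captured from a real network.

```python
"""Parse `iwlist <iface> scanning` output into AP records (added example).

Returns plain dicts that a curses or PyGTK front end could display; the
only assumption is the iwlist text format shown in SAMPLE_SCAN, which is
a constructed dump, not real scan data.
"""
import re
import subprocess
from typing import Dict, List

SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"homenet"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:6
                    Encryption key:on
                    Quality=80/100  Signal level=-45 dBm
                    IE: WPA Version 1
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"linksys"
                    Mode:Master
                    Channel:11
                    Encryption key:off
                    Quality=40/100  Signal level=-70 dBm
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:""
                    Mode:Master
                    Channel:1
                    Encryption key:on
                    Quality=55/100  Signal level=-60 dBm
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"(.*)"')
CHANNEL_RE = re.compile(r"Channel:(\d+)")
ENC_RE = re.compile(r"Encryption key:(on|off)")
SIGNAL_RE = re.compile(r"Signal level[=:](-?\d+) dBm")

AP = Dict[str, object]


def parse_scan(text: str) -> List[AP]:
    """Turn one iwlist scan dump into a list of AP records, one per Cell."""
    cells: List[AP] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = CELL_RE.search(line)
        if m:  # a new "Cell NN" block starts; everything below belongs to it
            current = {"bssid": m.group(1).upper(), "essid": "", "channel": None,
                       "encrypted": False, "wpa": False, "signal_dbm": None}
            cells.append(current)
            continue
        if current is None:
            continue  # header such as "eth1  Scan completed :"
        if (m := ESSID_RE.search(line)):
            current["essid"] = m.group(1)
        elif (m := CHANNEL_RE.search(line)):
            current["channel"] = int(m.group(1))
        elif (m := ENC_RE.search(line)):
            current["encrypted"] = m.group(1) == "on"
        elif (m := SIGNAL_RE.search(line)):
            current["signal_dbm"] = int(m.group(1))
        elif line.startswith("IE:") and "WPA" in line:
            current["wpa"] = True  # covers both "WPA Version 1" and "WPA2" IEs
    return cells


def security_label(ap: AP) -> str:
    """Rough classification: no key -> open, WPA/RSN IE -> WPA, key but no IE -> WEP.

    Heuristic only: older iwlist versions and some drivers never print IE
    lines, so "WEP" here really means "encrypted, no WPA element seen".
    """
    if not ap["encrypted"]:
        return "open"
    return "WPA" if ap["wpa"] else "WEP"


def format_table(aps: List[AP]) -> str:
    """Text table sorted strongest-signal first, as a curses loop would redraw it."""
    rows = ["BSSID              CH   SIG  SEC   ESSID"]
    for ap in sorted(aps, key=lambda a: a["signal_dbm"] or -999, reverse=True):
        essid = ap["essid"] or "<hidden>"
        rows.append(f"{ap['bssid']}  {ap['channel']!s:>2}  {ap['signal_dbm']!s:>4}  "
                    f"{security_label(ap):<5} {essid}")
    return "\n".join(rows)


def scan_interface(iface: str) -> List[AP]:
    """Run a real scan (needs wireless-tools and usually root) and parse it."""
    out = subprocess.run(["iwlist", iface, "scanning"], capture_output=True,
                         text=True, check=True).stdout
    return parse_scan(out)


if __name__ == "__main__":
    print(format_table(parse_scan(SAMPLE_SCAN)))
```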

    4. Re:Not really want I was looking for.... by mecos · · Score: 1

      Wellenreiter is an excellent tool - it does RFMON once your card supports it, is Perl/GTK so you can easily modify it and also stacks up there with Kismet (with the gKismet UI) and Mognet.

  17. OK, but a bit disappointing by routergod · · Score: 1
    This looks interesting in a general way, but it's not really a sniffer is it?

    When I see sniffer I think something that captures packets and does at least a basic protocol decode on them (i.e. SnifferPro - overpriced though it is, or Ethereal - great free package).

    Am I missing something or is this just an OSS tool to enumerate wireless networks?

  18. threads? by trb · · Score: 1
    Thanks to the magic of threading, this data can be updated dynamically. In the sample code there's a thread that reruns iwconfig regularly (about every second), repopulating the array with current data, which is displayed by the display thread.

    I don't understand why this project needs the magic of threads instead of just sockets.

    1. Re:threads? by seebs · · Score: 1

      Well, you can do it lots of ways. I even said the threading was "an experiment". :)

      Personally, if I were doing this again, I probably wouldn't use threading for it.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
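    The two comments above describe the sniffer's real mechanics: a script that parses wiconfig's plain-text output (mrogers) and a loop that reruns wiconfig about once a second and redisplays the result (trb/seebs). The block below is an added example, not the article's Perl or anything posted in this thread, written in Python as mrogers suggests. It assumes the FreeBSD invocation `wiconfig -i wi0 -D` and a "Label: [ value ]" layout for each access-point record (including a `Capinfo` line whose `PRIV` bit marks WEP); the sample text is constructed here, not captured from a card, so adjust the regexes if your wiconfig prints something else. It parses one scan, flags open networks, and rescans in a plain single-threaded loop, diffing successive scans instead of sharing an array between threads.

    ```python
    """Parse `wiconfig -i IFACE -D` style output and watch for AP changes.

    Added example code; the field layout is an ASSUMPTION modelled on the
    FreeBSD tool's "Label: [ value ]" style.  SAMPLE_SCAN is constructed.
    """
    import re
    import subprocess
    import time
    from dataclasses import dataclass

    # Constructed sample: two APs, one open (no PRIV bit) and one running WEP.
    SAMPLE_SCAN = """\
    Available APs:
    ap[0]:
            netname (SSID):                 [ coffeeshop ]
            BSSID:                          [ 00:02:2d:11:22:33 ]
            Channel:                        [ 6 ]
            Quality/Signal/Noise [signal]:  [ 0 / 47 / 27 ]
                                    [dBm]:  [ 0 / -102 / -122 ]
            BSS Beacon Interval [msec]:     [ 100 ]
            Capinfo:                        [ ESS ]
    ap[1]:
            netname (SSID):                 [ homelan ]
            BSSID:                          [ 00:02:2d:aa:bb:cc ]
            Channel:                        [ 11 ]
            Quality/Signal/Noise [signal]:  [ 0 / 20 / 27 ]
                                    [dBm]:  [ 0 / -129 / -122 ]
            BSS Beacon Interval [msec]:     [ 100 ]
            Capinfo:                        [ ESS PRIV ]
    """

    AP_HEADER = re.compile(r"^\s*ap\[(\d+)\]:\s*$")
    # "Label:   [ value ]" -> label, value (value may be empty for a hidden SSID)
    FIELD = re.compile(r"^\s*(.+?):\s*\[\s*(.*?)\s*\]\s*$")


    @dataclass
    class AccessPoint:
        ssid: str
        bssid: str
        channel: int
        capinfo: tuple
        signal: int

        @property
        def encrypted(self) -> bool:
            # PRIV capability bit set means WEP is in use: the "wep/nowep" column.
            return "PRIV" in self.capinfo


    def _build(fields):
        sig = fields.get("Quality/Signal/Noise [signal]", "0 / 0 / 0").split("/")
        return AccessPoint(
            ssid=fields.get("netname (SSID)", ""),
            bssid=fields.get("BSSID", "").lower(),
            channel=int(fields.get("Channel", "0")),
            capinfo=tuple(fields.get("Capinfo", "").split()),
            signal=int(sig[1]) if len(sig) == 3 else 0,
        )


    def parse_wiconfig_scan(text):
        """Turn one wiconfig -D dump into a list of AccessPoint records."""
        aps, fields = [], None
        for line in text.splitlines():
            if AP_HEADER.match(line):
                if fields:
                    aps.append(_build(fields))
                fields = {}          # start a new ap[N] record
                continue
            m = FIELD.match(line)
            if m and fields is not None:
                fields[m.group(1).strip()] = m.group(2)
        if fields:
            aps.append(_build(fields))
        return aps


    def open_networks(aps):
        """Networks with no PRIV bit: what a wardriver looks for first."""
        return [ap for ap in aps if not ap.encrypted]


    def diff_scans(previous, current):
        """Return (appeared, vanished) BSSID sets between two scans."""
        old = {ap.bssid for ap in previous}
        new = {ap.bssid for ap in current}
        return new - old, old - new


    def run_wiconfig(iface="wi0"):
        """Invoke the real tool (assumed flags: wiconfig -i IFACE -D)."""
        return subprocess.run(["wiconfig", "-i", iface, "-D"],
                              capture_output=True, text=True, check=True).stdout


    def watch(scan_source, interval=1.0, rounds=None):
        """Single-threaded rescan loop: no shared array, no display thread.

        scan_source is a zero-argument callable returning wiconfig text, so
        the loop can be fed canned output offline.  Returns the last scan.
        """
        seen, n = [], 0
        while rounds is None or n < rounds:
            current = parse_wiconfig_scan(scan_source())
            appeared, vanished = diff_scans(seen, current)
            for ap in current:
                if ap.bssid in appeared:
                    flag = "WEP" if ap.encrypted else "OPEN"
                    print(f"+ {ap.bssid} ch{ap.channel:>2} {flag:<4} {ap.ssid!r}")
            for bssid in vanished:
                print(f"- {bssid}")
            seen, n = current, n + 1
            if rounds is None or n < rounds:
                time.sleep(interval)
        return seen


    if __name__ == "__main__":
        # Offline demo on the constructed sample; swap in run_wiconfig for a card.
        watch(lambda: SAMPLE_SCAN, interval=0, rounds=1)
    ```

    Replace the lambda with `run_wiconfig` (or `lambda: run_wiconfig("wi0")`) to poll a real card; because the loop owns the only copy of the scan, there is nothing for a second thread to race on.
    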
  19. Re: Cassiopeia E100 by thegnu · · Score: 0

    You forgot... "c) Take over the world!"

    I would need the E105 for that. 16MB of memory is just not enough in practical application. ;-)

    --
    Please stop stalking me, bro.
  20. was covered already ... in 2003! by Anonymous Coward · · Score: 0

    9 July 2003: this link

    http://mobility.newsforge.com/article.pl?sid=03/07/08/0043259 ... and Slashdot itself covered AirTraf and the commercial instantiation with a hardware appliance, by Elixar, Inc. (now defunct), but AirTraf is still GNU.

    Move along. These are not the droids you seek. They can only remember what they know in the past 6 months. Maybe.

  21. Uhm dude... that's not a sniffer... by B747SP · · Score: 1
    A quick rtfa tells me that this isn't a sniffer at all, it's just a perl script that parses the plain-text output from someone else's sniffer. Sorry, no donut. NEXT!

    What's up with tcpdump and friends, snort, kismet, bsd-airtools and ethereal anyway?

    --
    I find your ideas intriguing and I wish to subscribe to your newsletter.
  22. Hmm 93% the problem. by Anonymous Coward · · Score: 0

    Packet sniffing: linux is not built to do it by default.

    7% loss is normal even for commercial sniffers on high speed cards. Some packets never make it through a network due to outside causes, i.e. interference.

    100% can be achieved but takes a very special setup.

    A system that is good at packet sniffing also has the bad habit of being affected by network traffic that is not going to it.

    I.e. the problem is that network drivers drop a lot; the linux firewall drops more. I.e. invalid/not required data is dropped; 64 and 512 byte packets very rarely contain data, so linux drops them, i.e. 64 is ideal for a DOS attack: small, and you can send lots of them quickly.

    Note that the computer size and type affects the scanning; in most cases an amd64 with a kernel built for amd64 handles network sniffing ok.

  23. Kismet and Wardriving by drewzhrodague · · Score: 1

    Kismet is an excellent wardriving tool for Linux, which will even run on your PDA.

    For those of us interested in maps of what wardrivers have found in your neighborhood, check out WiFiMaps.com.

    --
    Zhrodague.net - I do projects and stuff too.
  24. OpenWRT by Anonymous Coward · · Score: 0

    Or use www.openwrt.org, which is free and much more versatile and powerful.

    1. Re:OpenWRT by Anonymous Coward · · Score: 0

      I looked at OpenWRT and decided I didn't have a week to waste setting it up. I want a full-featured firmware I can flash and configure. I don't want an empty firmware that doesn't even come with ssh functioning.

  25. Egress filtering by teknickle · · Score: 1

    Filtering outbound traffic is called 'egress filtering' (yes, you need to know that so that you know what to google for ;) )

    And yes, it is possible through the iptables stateful firewall (older versions used ipchains).

    If you don't like managing your firewall rules by hand, there are plenty of perl scripts (bash shell scripts can be clunky and slow) to manage this for you.

    This is also one method to add the myriad of anti-peer-to-peer addresses that keep growing day by day.

    I love IPCop, and not just because Phil is a heck-of-a-nice guy. It has great features and the blue interface for wireless is great.

  26. Good luck, you'll need it! by Mr2cents · · Score: 1

    If you come across my access point, I'll give you an IP address (I'm a friendly person), and that's where it will end. The server end is completely firewalled, except for port 1194 running OpenVPN.

    Only if you have a certificate signed by me will you get a tunneled IP address allowing you access to both the internal LAN and the internet (and the server itself).

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  27. IBM by thegnu · · Score: 0

    My brother learned a lot about the development of the Internet at a "Point and Click Linux" seminar. It turns out that IBM has given birth to many huge advances by donating time and material again and again. I don't have the specifics, but the information is out there.

    And now they're releasing 500 patents under open licensing. I love IBM.

    --
    Please stop stalking me, bro.
  28. packet library/RTOS the issue, not closed vs open by SgtChaireBourne · · Score: 1
    The paper the AC pointed to, Improving Passive Packet Capture: Beyond Device Polling, seems to indicate that the problem is with the performance of tools like libpcap at high speeds and/or that a real-time system is needed, not the open vs closed situation that the AC painted in the parent post.

    Yes, a specialized kernel is needed. Yes, some other kernels, maybe QNX, might be better than plain vanilla BSD or Linux kernel. Yes, MS Windows isn't even anywhere remotely close to supporting this kind of technology. But...

    ...as with any other activity, the packet loss will be reduced or go away by tuning your software (in this case the kernel) to the task at hand. That includes choosing libpcap, netfilter, or something else. However, for low and medium speeds BSD/Linux do a good job.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  29. Eeeww! by Anonymous Coward · · Score: 0

    He wants to sniff some open sores.

  30. How about an open source T1 sniffer by KayEyeDoubleDee · · Score: 1

    Anyone know how to go about building one of these?

    Do a google search on 'PRI Tester' and you'll find dozens of hand-held devices that run about $3K. I'd like a laptop with an ISDN PCMCIA card running just a simple stack to sniff what the other end is transmitting.

    Yeah, yeah, yeah, I'll look around on my own.