sniff T1 wan interfaces

Thread: sniff T1 wan interfaces

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    sniff T1 wan interfaces

    I have had the need to sniff a WAN interface that is connected to a T1.

    Is this possible? If so, how?
    The cable is not regular rj45... or I'd just put a hub on there.

    The reason I want to sniff it is because I can't see the traffic going through the router by logging into the router. All I can see is stats.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Easy. You need a sniffer with a wan interface. What is the wan interface? m34, fiber, what?

    On the other hand, is the "wan cable" connected directly to the router?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    You could always look into some sort of vampire for the T1 link (depending on the cable type)...

    There's a fairly well written buyers guide on WAN Analyzers and Probes @ http://www.nwc.com/1119/1119buyers2.html

    If you have some money to throw around, you may want to consider a Fluke Networks Product from their WAN Analysis pages - http://www.flukenetworks.com/us/Solu...g/Overview.htm

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    Is this a point to point T1? Or is it a service T1?
    What kind of WAN interface are you using?
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    You could get a breakout box for the wan interface depending on what it is - it's probably V.35 going over to the telco's NIU. Need more info. Is it a CSU, NIU or combo box? If it's a combo there won't be a V.35 interface. If you want to sniff the T1 wire pair, why? You would need some expensive equipment to break out the time slots and decode the B8ZS or similar protocol then know how it's set up configuration, i.e. Super Frame, Extended Super Frame and where the timing comes from. If you are troubleshooting have the telco company do it, it's a few key clicks for them. If it's for security, it's pointless. The box is just a protocol converter and you may not even own it depending on who maintains it, you or the telco provider.

    Then you would have a learning curve on using a protocol analyser and configuring its interface. Cool stuff, but what is your objective?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
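
The line decoding and time-slot breakout mentioned in the post above, as an added example that is not part of the original thread: a B8ZS encoder/decoder over AMI symbols (+1, 0, -1) and a splitter for one 193-bit frame. The function names, the starting-polarity convention and the sample frame are assumptions constructed for illustration.

```python
FRAME_BITS = 193          # 1 framing bit + 24 timeslots x 8 bits
START_POLARITY = -1       # assumed polarity "before" the first pulse

def b8zs_encode(bits, last=START_POLARITY):
    """Bits -> line symbols (+1, 0, -1): AMI with B8ZS zero substitution."""
    out, i = [], 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            # 000VB0VB: V repeats the last polarity (a deliberate violation)
            out += [0, 0, 0, last, -last, 0, -last, last]
            i += 8
        else:
            if bits[i]:
                last = -last              # AMI: marks alternate polarity
            out.append(last if bits[i] else 0)
            i += 1
    return out

def b8zs_decode(symbols, last=START_POLARITY):
    """Line symbols -> bits; raises on a violation that is not a B8ZS code."""
    bits, i = [], 0
    while i < len(symbols):
        if symbols[i:i + 8] == [0, 0, 0, last, -last, 0, -last, last]:
            bits += [0] * 8               # substitution code -> eight zeros
            i += 8
            continue
        s = symbols[i]
        if s != 0:
            if s == last:
                raise ValueError(f"bipolar violation at symbol {i}")
            last = s
        bits.append(1 if s else 0)
        i += 1
    return bits

def split_frame(frame):
    """One 193-bit frame -> (framing bit, list of 24 timeslot byte values)."""
    if len(frame) != FRAME_BITS:
        raise ValueError("a DS1 frame is 193 bits")
    slots = [int("".join(map(str, frame[1 + 8 * n:9 + 8 * n])), 2) for n in range(24)]
    return frame[0], slots

# Constructed frame: framing bit 1, timeslot 1 = 0x45, timeslots 2-24 idle (0x00).
SAMPLE_FRAME = [1] + [0, 1, 0, 0, 0, 1, 0, 1] + [0] * (8 * 23)

if __name__ == "__main__":
    line = b8zs_encode(SAMPLE_FRAME)
    fbit, slots = split_frame(b8zs_decode(line))
    print(fbit, [hex(s) for s in slots[:3]], "pulses on line:", sum(map(abs, line)))
```

Even with 23 idle timeslots the line still carries pulses, because every run of eight zeros is replaced by a substitution code; a capture taken at this layer has to undo that and find frame alignment before any payload bytes are visible.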

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish:

    I'm with Road here.... The technology outside that router is totally different from the technology we use inside. In order to see what's going on out there you need a Firebird or the newer, (yet suckier IMO), other boxes that I can't remember the name of. Even then all you are going to be able to see is 1's and 0's... there's no packets per se out there on the T1.....

    You won't be able to see what you think you will be able to, it isn't ethernet out there so there are no protocols to be decoded.... It's cute little electrical pulses, or the lack of them, that's moving your data... There's nothing to log.... Ethereal won't "get it"
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    I agree with RoadClosed and Tigershark. Anything after the CSU/DSU hits your router will be data, anything between there and the Telco will be nothing but B8ZS ESF data. Crunched packets of +5/-5 Volt pulses. The tool that the Telco guys use is called a T-Bird. All that it does is loopback tests and framing verification. There is slight programming that can be made on the Telco end from the T-bird on your side, but this is minimal as well. If you want to monitor your traffic, it may be your best bet to get a Cisco Router with a built in CSU and the latest firmware and grab a copy of "Hardening Cisco Routers". Put a DMZ between your Router and your production network and for fun, put a honeypot on the DMZ (Unless you have a server for VPN access or Mail sitting on your DMZ). That is the most logical thing that comes to mind.

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Actually it's a T-bErd.

    They are expensive. You can actually break out the data on the T1 but it would be like looking at machine code versus C++. You can see what it's doing but not how or why or what the data actually is without some serious and tedious work and speculation.

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    That's what I figured. I didn't think that there was going to be a way to sniff the wan interface.

    I have a CSU, but it is built into the router. The cable from the CSU goes out to the smart jack and to the CO. AFAIK.

    The router doesn't have the capability to monitor active traffic like you can do with a Cisco.
    I will be going to Cisco in the near future (within a couple of years) but that doesn't help me now.

    My objective is to view current traffic going through the router.
    I can sniff the LAN port, but that will only give me local traffic. That isn't going to do me any good.
    I'll have to find another way.

    Thanks again.

  10. #10
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Hey Phish,

    In this case whatever is on the LAN port will exist on the T1 wan interface. Anything someone is tossing at you will appear on the LAN port. There is no way anyone would be able to send any kind of attack outside of someone disconnecting you at the DACCS in the switch room at your telco provider or using the control channel in extended superframe to change a setting. They just don't do that and if they did your T1 wouldn't work and several layers of technical support would know. This is level 1 of the OSI model, that is where CSU and DSU operate. Routers operate above that most of the time, even if the CSU is built in, it's separate. There is a CSU and then a Router with an interface between them. What you want to do would be like monitoring the ultra audible (above hearing) modulated frequency wave from a DSL line. Pointless. You care about what is reconstructed on the LAN interface.

    But if you really must.... That router HAS to have some management mechanism. Is there a serial port on it? They have to assign the LAN interface an IP address somehow. Or have you tried telnetting into the LAN port and seeing if there is a way in to set up some kind of traps that can be captured? If not it is all done by ESF.
