Printable View
I have had the need to sniff a WAN interface that is connected to a T1.
Is this possible? If so, how?
The cable is not regular rj45... or I'd just put a hub on there.
The reason I want to sniff it is because I can't see the traffic going through the router by logging into the router. All I can see is stats. :(
easy. You need a sniffer with a wan interface :) . what is the wan interface? m34, fiber, what?
On the other hand, is the "wan cable" connected directly to the router?
Hey Hey,
You could always look into some sort of vampire for the T1 link (depending on the cable type)...
There's a fairly well written buyers guide on WAN Analyzers and Probes @ http://www.nwc.com/1119/1119buyers2.html
If you have some money to through around, you may want to consider a Fluke Networks Product from their WAN Analysis pages - http://www.flukenetworks.com/us/Solu...g/Overview.htm
Peace,
HT
Is this a point to point T1? Or is it a service T1?
What kind of WAN interface are you using?
You could get a breakout box for the wan interface depending on what it is - it's probably V.35 going over to the telco's NIU. Need more info. Is it a CSU, NIU or combo box? If its a combo there won't be an V.35 interface. If you want to sniff the T1 wire pair, why? You would need some expensive equipment to break out the time slots and decode the B8ZS or similar protocol then know how it's set up configuration, ie Super Frame, Extented Super Frame and where the timing comes from. If you are troubleshooting have the telco company do it, it's a few key clicks for them. If its for security, it's pointless. The box is just a protocol converter and you may not even own it depending on who maintains it, you or the telco provider.
Then you would have a leaning curve on using a protocol analyser and configuring it's interface. Cool stuff, but what is your objective? :)
Phish:
I'm with Road here.... The technology outside that router is totally different from the technology we use inside. In order to see what's going on out there you need a Firebird or the newer, (yet suckier IMO), other boxes that I can't remember the name of. Even then all you are going to be able to see is 1's and 0's... there's no packets per se out there on the T1.....
You won't be able to see what you think you will be able to, it isn't ethernet out there so there are no protocols to be decoded.... It's cute little electrical pulses, or the lack of them, that's moving your data... There's nothing to log.... Ethereal won't "get it" ;)
I agree with RoadClosed and Tigershark. Anything after the CSU/DSU hits your router will be data, anything between there and the Telco will be nothing but B8ZS ESF data. Crunched packets of +5/-5 Volt pulses. The tool that the Telco guys use is called a T-Bird. All that it does is loopback tests and framing verification. There is slight programming that can be made on the Telco end from the T-bird on your side, but this is minimal as well. If you want to monitor your traffic, it may be your best bet to get a Cisco Router with a built in CSU and the latest firmware and grab a copy of "Hardening Cisco Routers". Put a DMZ between your Router and your production network and for fun, put a honeypot on the DMZ (Unless you have a server for VPN access or Mail sitting on you DMZ). That is the most logical thing that comes to mind
Actually it's a T-bErd. ;)
They are expensive. You can actually break out the data on the t1 but it would be like looking at machine code versus C++. You can see what it's doing but not how or why or what the data actually is without some serious and tedius work and speculation.
thats what I figured. I didn't think that there was going to be a way to sniff the wan interface.
I have a CSU, but it is built into the router. The cable from the CSU goes out to the smart jack and to the CO. AFAIK.
The router doesn't have the capability to monitor active traffic like you can do with a Cisco.
I will be going to Cisco in the near future (within a couple of years) but that doesn't help me now.
My objective is to view current traffic going through the router.
I can sniff the LAN port, but that will only give me local traffic. That isn't going to do me any good.
I'll have to find another way.
Thanks again.
Hey Phish,
In this case whatever is on the LAN port will exist on the T1 wan interface. Anything someone is tossing at you will apear on the LAN port. There is no way anyone would be able to send any kind of attack outside of someone disconnecting you at the DACCS in the switch room at your telco provider or using the control channel in extended superframe to change a setting. They just don't do that and if they did your T1 wouldn't work and several layers of technical support would know. This is level 1 of the OSI model, that is where CSU and DSU operate. Routers operate above that most of the time, even if the CSU is built in, it's seperate. There is a CSU and then a Router with and interface between them. What you want to do would be like monitoring the ultra audible (above hearing) modulated frequncy wave from a DSL line. Pointless. You care about what is reconstructed on the LAN interface.
But if you really must.... That router HAS to have some management mechanism. Is there a serial port on it? They have to assign the LAN interface an IP address somehow. Or have you tried telneting into the LAN port and seeing if there is a way in to set up some kind of traps that can be captured? If not it is all done by ESF.
Why does traffic from the WAN port HAVE to also show on the LAN port?
Take this scenario, which is a dumbed down version of what I'm looking for.
Main site
Remote site 1
Remote site 2
Remote site 3
If remote site 3 needs to get to main site, and it is not directly connected, then it must route through site 2 or site 1 to get to main site. So, if site 3 is routing through site 2 to get to main site, why would you see traffic on the LAN port of site 2? You'd only see that traffic on site 2's WAN port... correct?
The router does have a management console. There is every freaking option you can think of in there... except to show active connections. This is a motorola vanguard router. There are no books out there on vanguard routers. The manuals SUCK!
I can't wait till I'm working with Ciscos... I hate motorola with a passion.
I understanding what you are saying about listening to traffic on the outside of the CSU.
I kind of figured it'd be pointless... but I wasn't sure.
It doesn't.... If you apply ACL's at the router then traffic coming to the WAN port may be utterly different from the traffic passing over the LAN port..... You would have filtered out any crap that you didn't want to see.... Your problem is that you want to see things that your router may either drop because of ACL's or because it drops through protocol or whatever. Unless you can find a way to syslog, (or whatever), the debug(?) logs of the router then you will never know what is being directed at it..... But then, on the bright side, why would you care? Unless it exploits the router, which is rare and usually only results in a DoS which you should recognize fairly quickly ;), then there isn't that much of a problem. Exploiting the router for reasons other than DoS is extremely difficult and the results are pretty limited historically....Quote:
Why does traffic from the WAN port HAVE to also show on the LAN port?
DUDE! Me too. You have Vanguards? They were very cheap and many people used them when CISCO was high on the hog charging 10 times the ammount. I have 2 still in production. I hate having to do anything with them and good luck working out complicated issues do to lack of documentation. You could make a case that you are a risk from failure and swap them out. I have just been lazy. Although I have a CISCO to replace it I bought on ebay.Quote:
I hate motorola with a passion.
When I said any traffic on the T1 link would be on the LAN port I was thinking in terms that each T1 link had a seperate lan port. They are just a bridge really and anything that would be destined for Layer 2 would appear there on the LAN pport in terms of management. Tiger is correct that an ACL will filter traffic desitined to the LAN port. But you can access that LAN port and see what is on the WAN interface through the lan port... because it's already been converted to a higher level. But you wouldn't be able to sniff the actuall interface, just maybe a few errors or something?