HOWTO: inline ethernet tap

OnesanOnesan Acolyte
edited July 2010 in Tech & Games
This is something i built and wrote a long time ago, for a different community that while parts of it took off, other parts of said community never really seemed to get around to doing much, then i got sucked into irl and we lost touch, i figure wtf a textfile is a textfile, hopefully it did the original community good and hopefully it does good. (also fuck, who punched a hole in the fabric of time and transported me to the mid naughties? major nostalgia)

if you dont like my (admitedly at the time drunk and filled with minor spelling errors) style of writing, tough shit and fuck you <3

** Crappy howto text file for whereever it may end up, written and directed by Onesan **
Layer two bridges, fun for all.

What is a layer two bridge?
According to wikipedos a layer two bridge is

A network bridge that connects multiple network segments at the data link layer (Layer 2) of the OSI model,
and the term Layer 2 switch is very often used interchangeably with bridge.
Bridges are similar to repeaters or network hubs, devices that connect network segments at the physical layer;
however, with bridging, traffic from one network is managed rather than simply rebroadcast to
adjacent network segments.
In Ethernet networks, the term "bridge" formally means a device that
behaves according to the IEEE 802.1D standard?this is most often referred to as a network switch in marketing
literature.[citation needed]

^Gee, thats really informative, yea right, i thought it sucked as well.

Well a layer 2 bridge for our purposes is a pc with two or more ethernet cards and a small to large hard drive, and
at least 256 mb of ram or 512 if you wish to run a graphical user interface like gnome, i suggest using gnome and
having a graphics card myself, tcpdump over ssh just isnt as pretty or intuitive to look at in real time :)

Very basic hardware list.
somewhat modern motherboard (case optional)
256 megs of ram
three network interfaces, two are for the bridge, one to log into remotely.
no keyboard or mouse
headless setup, no screen or even a graphic card if it isnt built in.

Optimal hardware list (like my setup)
Reasonably modern amd xp 1800 based motherboard (anything more powerful is just overkill for our purposes)
512 megs of ram or more, ideally a gig, any more is a waste.
three network interfaces, two for the transparent bridge, the third is for remote administration, updates and whatnot.
at least one monitor, preferably two attached dual head'ed ^_^
A kvm switch so you can switch keyboard and mouse control between your desktop and bridge machine, much nicer than
multiple keyboards on your desk

Optional, a loud stereo and a hour or more of your favorite musics.

Ok so presumably you have all the hardware sitting before you and are wondering,
"sweet i got a text file and a bunch of hardware, what do i do now"

well first before we get to installing any os we check out the network cards your using, ideally you have a
motherboard that has one built in network card, if so this is excellent, this will be your
remote administration, updating and general purpose network card.

Now my advice is to install the os before adding your other two network cards, that way you know eth0
is the built in one, and the two pci network cards are your network tap you stick inbetween two pieces of
network hardware to invisibly spy on what is transpiring there, this is useful to both get
free semi private proxies that come to you rather than you find them, and to spy on any windows machines you
own that you are sure are infected with a bot.

But more on that later, lets get to making your layer two box.

My advice is to use RHEL5 or CentOS5 for your os, you can chose whatever os you want but its what i use and this
file will reflect that, while this should also apply to most nix based oses, location of configuration files and
other subtle nuisances like that will probably differ.

So lets download centos5 for whatever arch your machine is, if your using cheap stuff for something
like this it probably isnt 64 bit but whatever
select a mirror and download, or download the torrent file and torrent it, whatever your in the mood for.

Now im not going to bother to explain how to install rhel/centos, its so piss easy and simple these days that if you
cant do it this text file is well beyond your abilities, the only cautions im offering is if theres anything on the
hard disk you want, back it up cause we are doing a destructive format and giving the whole hdd to centos,
no dual booting, if you can set up a dual boot system,
well you probably wasted your time reading these last three lines :D

When it comes up to selecting partitioning, chose remove all partitions and start fresh

Apart from that, the only remaining caution is about how your network is set up, ideally your network is set up with
static ip addressing. This is not a requirement, ive just never been fond of networks arbitrarily changing machines
ip addresses, on larger networks it makes sense but isnt really required on a small 2 to 20 machine home network imo.

Ok so you have successfully installed rhel or centos and have logged into it as your everyday user, your sitting on
a rather bland bleak blue desktop, what now? well first lets open a terminal, after all theres probably
minor security updates and general improvements since the isos you downloaded were made.
[user@Spaibox ~]$
Now lets power up to the god user
[user@Spaibox ~]$ su -
Password: your very strong root password you set up during install, you wouldnt want someone with a trojan
on your windows gaming box to relay into your internal network and manage to crack this box and have
access to ALL YOUR UNENCRYPTED TRAFFIC, and detailed timing info on your encrypted stuff now would you? XD
[root@Spaibox ~]#
Ok so now your god, lets update everything installed on your box, since its going to be used for traffic monitoring
and interception,

[root@Spaibox ~]# yum update
Loading "installonlyn" plugin
Setting up Update Process
Setting up repositories
extras 100% |=========================| 1.1 kB 00:00
updates 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 288 kB 00:02
################################################## 430/430
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package chkconfig.i386 0: set to be updated
---> Package NetworkManager-gnome.i386 1:0.7.0-4.el5_3 set to be updated
---> Package gnome-screensaver.i386 0:2.16.1-8.el5 set to be updated
--> Running transaction check
--> Processing Dependency: for package: totem
--> Processing Dependency: for package: dhcdbd
--> Processing Dependency: for package: gnome-utils
--> Processing Dependency: redhat-artwork >= 5.0.4-1 for package: gdm
--> Processing Dependency: xulrunner >= for package: firefox
Dependencies Resolved


  • OnesanOnesan Acolyte
    edited July 2010
    Package Arch Version Repository Size
    dhcpv6-client i386 1.0.10-16.el5 base 123 k
    replacing dhcpv6_client.i386 0.10-33.el5

    kernel i686 2.6.18-128.4.1.el5 updates 15 M
    kernel-devel i686 2.6.18-128.4.1.el5 updates 4.9 M
    libhugetlbfs i386 1.3-3.el5 base 35 k
    replacing libhugetlbfs-lib.i386 1.0.1-1.el5

    Deployment_Guide-en-US noarch 5.2-11.el5.centos base 3.5 M
    ImageMagick i386 base 3.3 M
    NetworkManager i386 1:0.7.0-4.el5_3 updates 1.0 M
    NetworkManager-glib i386 1:0.7.0-4.el5_3 updates 80 k
    NetworkManager-gnome i386 1:0.7.0-4.el5_3 updates 340 k
    ORBit2 i386 2.14.3-5.el5 base 252 k
    OpenIPMI i386 2.0.6-11.el5 base 136 k
    tcpdump i386 14:3.9.4-14.el5 base 450 k
    traceroute i386 3:2.0.1-5.el5 base 40 k
    tzdata noarch 2009i-2.el5 updates 783 k
    udev i386 095-14.20.el5_3 updates 2.3 M
    unzip i386 5.52-3.el5 base 156 k
    usermode i386 1.88-3.el5.2 base 155 k
    usermode-gtk i386 1.88-3.el5.2 base 107 k
    util-linux i386 2.13-0.50.el5 base 1.8 M
    vim-common i386 2:7.0.109-4.el5_2.4z base 6.5 M
    vim-enhanced i386 2:7.0.109-4.el5_2.4z base 1.3 M
    vim-minimal i386 2:7.0.109-4.el5_2.4z base 314 k
    yum-updatesd noarch 1:0.9-2.el5 base 22 k
    zip i386 2.31-2.el5 base 127 k
    Installing for dependencies:
    avahi-compat-libdns_sd i386 0.6.16-1.el5_2.1 updates 22 k
    dbus-libs i386 1.1.2-12.el5 base 123 k
    device-mapper-event i386 1.02.28-2.el5 base 19 k
    dnsmasq i386 2.45-1.el5_2.1 base 165 k
    fipscheck i386 1.0.3-1.el5 base 11 k
    libselinux-utils i386 1.33.4-5.1.el5 base 54 k
    nspr-devel i386 4.7.4-1.el5_3.1 updates 112 k
    nss-devel i386 updates 228 k
    python-iniparse noarch 0.2.3-4.el5 base 34 k
    redhat-artwork i386 5.1.0-28.el5.centos base 6.1 M
    setroubleshoot-plugins noarch 2.0.4-2.el5 base 329 k
    setroubleshoot-server noarch 2.0.5-3.el5 base 1.2 M
    tk i386 8.4.13-5.el5_1.1 base 888 k
    xulrunner i386 updates 10 M
    yum-fastestmirror noarch 1.1.16-13.el5.centos base 18 k

    Transaction Summary
    Install 19 Package(s)
    Update 362 Package(s)
    Remove 0 Package(s)

    Total download size: 420 M
    Is this ok [y/N]:Y

    This will update your machine and bring everything current then drop you at your root console, YAY YOU ~_^
    So now your up to date, what else do we need, the first thing we should do is get wireshark, since everything is
    up to date and yum has finished installing everything and exit'ed we should install wireshark if it wasnt
    already installed, we can do this with yum easy.

    [root@Spaibox ~]# yum install wireshark

    this will go and locate wireshark in your online repos and offer to install it for you, dont worry if wiresharks
    already installed on your machine, yum is smart enough to realise if wiresharks already on your machine and your
    asking to install it that you probably only want to update it and offer to update it to the latest version in your
    repos, we probably want wireshark, its much prettier than tcpdump and if you have a screen attached its definatly
    preferable, of course if your using a headless machine, you can always copy tcpdumps network capture files over
    the network to your desktop and open it in wireshark there.

    [root@Spaibox ~]# yum install bridge-utils
    And once again accept the install.

    Now your box is up to date, current and has wireshark and bridge utils on it, excellent, we have just finished
    laying the foundations, now is the time to do the real work.

    First shutdown your machine (top panel, system, shutdown) have a smoke and make a coffee whatever,
    take a small break, if you have done all this work so far without a break, you deserve it ;)

    Ok so now we need to find out the mac addresses of the two network cards, finding out this is easy,
    since you followed my instructions to keep the network cards outside the box we are building, examine the outside
    of the card to see if its got a mac address printed on the card itself, if not check the box they came in,
    it should be in there, if theres no mac address on the cards, and you just grabbed them out of the pile of parts
    like i did thats alright, we can get them later.

    you did record your built in network cards mac address, you did do that didnt you? if not i suggest you do so now.

    [root@Spaibox ~]# ifconfig -a
    write down eth0's HWADDR value, its the mac address.

    Box is powered down, you have finished your smoke and coffee, or at least your coffee, motherboards and coffee dont
    mix, ive learnt this the hard way D:<

    Take your screwdriver and install your network cards i shouldnt need to tell you how to do something as basic as
    installing a network card but now is a good opportunity to clean the filthy cake of dust out of the cpu cooler and
    general dirt removal.

    Once they are installed, power it up, first test is simple, if immediately after powerup theres a cloud of
    blue smoke or arc welding noises being emitted by your almost finished layer two bridge, immediately power it down,
    and return to the start of this text file with new hardware, or become an hero ;_;

    So you passed the first test, theres no fires to fight and its booting up, excellent, one of the reasons i suggested
    centos/rhel is it comes with kudzu.
    Kudzu is a automatic hardware detection and installation program, this means that all hardware that is supported by
    your machine will have its device drivers automatically loaded and configured, including the cards you just
    installed, which is nice >:D

    Now log in, either by ssh if its headless or the desktop, open a terminal if your logging in with the desktop,
    and issue this command.
    [root@Spaibox ~]# ifconfig -a
    the results should look SOMETHING like this

    br0 Link encap:Ethernet HWaddr 00:E0:4C:0A:9F:BA
    inet6 addr: fe80::2e0:4cff:fe0a:9fba/64 Scope:Link
    RX packets:40351224 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2055632543 (1.9 GiB) TX bytes:4336 (4.2 KiB)

    eth0 Link encap:Ethernet HWaddr 00:07:95:D4:9E:1F
    inet addr: Bcast: Mask:
    inet6 addr: fe80::207:95ff:fed4:9e1f/64 Scope:Link
    RX packets:43508376 errors:0 dropped:0 overruns:0 frame:0
    TX packets:50654966 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:3014198518 (2.8 GiB) TX bytes:1557144468 (1.4 GiB)
    Interrupt:5 Base address:0xad00

    eth1 Link encap:Ethernet HWaddr 00:E0:4C:0A:9F:BA
    inet6 addr: fe80::2e0:4cff:fe0a:9fba/64 Scope:Link
    RX packets:474714334 errors:27 dropped:116 overruns:17 frame:0
    TX packets:448980647 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:975061627 (929.8 MiB) TX bytes:3833664357 (3.5 GiB)
    Interrupt:5 Base address:0xf00

    eth2 Link encap:Ethernet HWaddr 00:E0:4C:13:43:A5
    inet6 addr: fe80::2e0:4cff:fe13:43a5/64 Scope:Link
    RX packets:448983057 errors:82 dropped:336 overruns:37 frame:0
    TX packets:474714033 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:3833805641 (3.5 GiB) TX bytes:975019177 (929.8 MiB)
    Interrupt:11 Base address:0x2e00

    lo Link encap:Local Loopback
    inet addr: Mask:
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:3116 errors:0 dropped:0 overruns:0 frame:0
    TX packets:3116 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2957444 (2.8 MiB) TX bytes:2957444 (2.8 MiB)

    sit0 Link encap:IPv6-in-IPv4
    NOARP MTU:1480 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
  • OnesanOnesan Acolyte
    edited July 2010
    Now eth0 is your built in network card from earlier(or a addon), it should have the ip address you assigned it at
    install if your using static addressing, now your eth1 and 2 are the two cards we are making into a bridge,
    ignore br0, thats my bridge and you dont have a bridge set up, yet ^_^

    Obviously the important things to take note of are eth1 and eth2's mac addresses, identified here as HWaddr
    eth1 HWaddr 00:E0:4C:0A:9F:BA
    eth2 HWaddr 00:E0:4C:13:43:A5
    we want to take note of what cards mac address is what, cause thats what we need to use to configure the individual

    So we recorded the stuff we need, lets configure the network scripts so our network cards are configured to run as
    part of a bridge instead of normal network cards, And since we dont want to have to reconfigure every card manually
    every time we boot the machine up, lets set it as the default behaviour.

    [root@Spaibox ~]# cd /etc/sysconfig/network-scripts

    [root@Spaibox network-scripts]# vi ifcfg-eth1
    Ok first a tiny shitty introduction to the text editor vi, if you have ever had the misfortune to use the
    traditional vi text editor you will be pleased to know vi on rhel/centos5 is not actually vi, its vim,
    a considerably more pleasant beast to deal with than that usable but horrible vim.

    Once you open vim on that file you scroll the cursor down to the end of the file, now press "i" on your keyboard,
    the bottom of the terminal you have open will suddenly say "-- INSERT --" this means you now can now insert and
    delete text, press end to go to the end of the file and hold down backspace till you have DELETED EVERYTHING in the
    text file, except maybe the header of the file saying

    # Reallulz spics and jews Co., Ltd. WTC-911/9119C
    or whatever your card manufacturer is and type of card. it shouldnt really be needed but you might as well leave it
    there so you know what card its referring to if you ever use the box for something else and you havnt played with
    the network config for a few months, in multiple network carded boxes it helps a little.

    ok so everythings gone but the header, under that, add the following so the file looks like this
    # Reallulz spics and jews Co., Ltd. WTC-911/9119C
    HWADDR=00:E0:4C:0A:9F:BA Eth1'sMacAddressYouRecordedEarlierGoesthere

    Now your cursor is sitting after ONBOOT=yes, you press escape and the -- INSERT -- will disappear good, review it,
    if everything looks good lets save it press and hold down shift, and press ":", : will appear at the bottom of the
    terminal type "wq" meaning Write then Quit, your file will be saved then it will quit and drop out to the terminal,
    open ifcfg-eth2 in vi like earlier and repeat the above substituting DEVICE and HWADDR for the correct device and
    mac address for eth2.

    Your network cards are now configured for bridging but your system isnt using the new settings yet,
    so either shutdown, or, service network reload to reload your network configs.

    Excellent we are getting very close to the fun stuff, time to make the actual bridge interface.
    [root@Spaibox ~]# brctl addbr br0
    That will make the bridge interface, so lets actually make the bridge useful, lets add the cards to them
    [root@Spaibox ~]# brctl addif br0 eth1
    [root@Spaibox ~]# brctl addif br0 eth2
    so now the cards are in bridging mode, and are actually assigned to the bridge, lets bring up the bridge interface
    [root@Spaibox ~]# ifconfig br0 up
    Fuck yea, the cards are configured and assigned to a bridge, now all packets going into one network card are
    transparently sent out the other card :D
    One caution, if something strange is happenning, and nothing seems to work, MAKE SURE IPTABLES IS TURNED OFF,
    the netfilter/iptables firewall seems to royally fuck up bridges, if you have followed everything correctly and
    everything is set up and running and nothing seems to get thru the bridge thats probably whats gone wrong.

    [root@Spaibox ~]# service iptables stop
    [root@Spaibox ~]# service iptables status
    iptables: Firewall is not running.
    [root@Spaibox ~]#

    Fine so now it works, lets make the bridge permanent and so it comes up every time the box is booted up.
    [root@Spaibox ~]# cd /etc/sysconfig/network-scripts
    [root@Spaibox network-scripts]# vi ifcfg-br0
    DELETE EVERYTHING and fill it with the following details


    Now your network will bring the bridge interface up on boot, which is handy, altho sometimes ive noticed when you
    boot it up, it can be slow to actually bring up the interface, so i usually ssh in or open a terminal and issue the
    command to bring it up manually
    [root@Spaibox ~]# ifconfig br0 up

    Now everything should be working fine, if you want a firewall or filtering functions on your bridge interface,
    may i suggest ebtables.
    Ebtables is specifically designed to work on a bridge, iptables isnt, every time i use iptables i manage to break my
    bridge, and boom goes the internet.
    I cant personally vouch for ebtables cause i dont use any firewall on my bridge, i use it for detection and after
    the fact security, as well as a source of unlimited semi private proxies/potential small scale botnet building tool,
    bandwidth monitoring and real time traffic analysis among other things, but that will be for another text file

    Oh what the hell, fire up wireshark, tell it to sniff the bridge interface in promiscous mode using a capture filter
    like "port 445" without quotes, ms08_067_netapi is your friend, use it.

    Oh and for the love of god, a capture filter and a display filter is not the same thing, make sure its a
    capture filter unless you want your hard drive to be filled up with all your network traffic,
    X11 to become unresponsive and have to find out why the internet died and eventually realise you need to
    hard restart the box because you managed to lock it up or grind it down to such a unresponsive state that it
    takes forever to reboot.

    ^Yes i am speaking from personal experience there ^_^
  • OnesanOnesan Acolyte
    edited July 2010
    Holy fucking combo, 10000chars a post is not enough D:

    EDIT, looking over that, i see a few minor errors "not actually vi, its vim,a considerably more pleasant beast to deal with than that usable but horrible vim"
    a few incorrect assumptions (br0 probably coming up before eth1 and 2 failing, making me have to bring it up manually etc), a slightly incriminating handle
    (not that it could ever be linked back to me conclusively, fuckit byebye handle), and a few other flaws.
    meh fuck rewriting it, oh well it still worked to perform this threads intended function, a howto
  • SpookSpook Regular
    edited July 2010
    Epic win all round.

    You've got a pretty good writing style, this was really easy to follow. Do some more perhaps ?
  • edited July 2010
    Wow, that sure was a lenthy but awesome guide! Well written, thanks.
Sign In or Register to comment.