<div dir="ltr">On Wed, Jan 23, 2013 at 8:08 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi all,<br>
<br>
I appreciate all who've responded to this to shed a little light on it for me. It's very complex, and each answer seems to open up new questions. I guess I'll have to review the OSI model that I learned about years ago and look at some of the low level protocols.<br>
<br>
Tell me if the following are true. Assume I'm at my home network. Even though it's more complex than this, say I had one wifi router with 4 port switch connected to the cable modem. Suppose I wanted to run wireshark to monitor things. All PC's, tablets, dvr's, etc are attached via wifi. The printer is attached to the 4 port switch using a wire.<br>
<br>
* If I attach my laptop to the switch with a wire and run wireshark, I would see only the traffic to / from my pc's ip address and nothing else, except for broadcast traffic like ARP, etc, and then only what the switch is programmed to forward. I would not, for example, see traffic destined for the printer unless I'm sending it.<br>
</blockquote><div><br></div><div style>It's actually all traffic destined to your PC's MAC address and the broadcast MAC (FF:FF:FF:FF:FF:FF). Switches are Layer 2 devices, they don't know about IP. (Yes, some devices are branded as "Layer 3 switches", but it's unlikely that you have one of those in your house.)</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* If my laptop is attached via wifi, then wireshark will see everything ANY PC on the same wifi ssid is sending or receiving, including traffic to / from the printer or to / from the internet.<br></blockquote><div><br></div>
<div style>Yes, but it's not straightforward. With WEP or unecrypted wifi, it's just as easy as running Wireshark -- all packets are visible to all clients. With WPA-PSK, there's a per-client, per-session key, but if you have the PSK, you can derive the client and session keys *IF* you captured the handshake: <a href="http://wiki.wireshark.org/HowToDecrypt802.11">http://wiki.wireshark.org/HowToDecrypt802.11</a> With WPA Enterprise (802.1x) the keys are derived more securely, and you'd need access to the keystore to decrypt other client's packets.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* The only way to monitor everything on the network would be to attach a HUB to the cable modem, attach wireshark to the hub with a wire, then attach the wifi router to another port on the hub. But, no, then I'd only see traffic to / from the internet. Traffic routed solely by the wifi router, between devices, or to the printer, would not be seen. Also, the PC would be directly exposed to the internet and would be in potential danger.<br>
</blockquote><div><br></div><div style>You could also use a PC with 2 NICs in bridging mode, but you still need to be between the two machines whose traffic you want to see. If you have a nice router (or use something like OpenWRT/DD-WRT) you might be able to put one NIC port into "mirror" or "monitor" mode where the switch copies all packets to that port. Something like this works: <a href="http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/">http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/</a> (Actually uses iptables rather than the built-in switch, but the concept is the same.)</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* What I'm getting from the prior discussion about firewalls is that, if any packets come into the NIC, and it triggers an interrupt presumably, then certain parts of the system software, the tcp/ip stack, are triggered to deal with the packet even if it's a low level protocol like ARP. Higher level software in the system, like the firewall, doesn't even see it, and can't filter it. However, vulnerabilities may exist even at that low level that could allow the PC to be compromised.<br>
</blockquote><div><br></div><div style>Yes, every packet not dropped by the NIC will be processed in some fashion, generally by at least the Ethernet/Wifi stack and the firewall code itself.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* Regarding what Windows or Mac does, you COULD disassemble the executables in the networking stack to see what happens, although it would be incredibly tedious and complicated and time consuming to do so.<br>
<br>
By the way, I think it's a stretch to say no Windows PC is safe (enough) on the internet. Even if 1/3 are infected, as stated on the Going Linux podcast, which is truly horrible if true, then the other 2/3 are not infected, which amounts to about 700 million users. And, most of those are probably not even configured properly for maximum safety.<br>
<br>
I do all the following on my PC's, whether Windows or Linux as applicable. I think I'm fairly safe. I'm sure I could always do better. If you think I'm missing something critical, let me know. I will admit that very few users have done all these things, thus, they are more vulnerable.<br>
<br><snip><br>
<br>
Well, that's all I can think of at the moment. Hopefully, that's enough. Did someone say I wasn't paranoid enough.<br>
<br>
I'm more concerned when I'm in a restaurant or something, since I don't have control over their router. I'm sure there is a nat firewall. However, I'm still on the same lan as everyone else on the wifi. The only thing I know to do there, other than what I've already done to the pc, is to crank up hotspot vpn, which I have a subscription to. At the moment, I know how to do that in Windows, but not in Linux.<br>
<br>
It would be interesting to know if the wifi nic responds to any local lan traffic once the vpn is up.<br></blockquote><div><br></div><div style>Sure it will. It will still process packets. After all, it doesn't "know" anything about a VPN.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Sincerely,<br>
<br>
Ron</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>