SEQ with a switch



photon_99
08-28-2002, 07:09 AM
I just thought I'd point out that it is possible to get SEQ working with a switch if you know what you are doing, i.e. using arpspoof (http://www.google.com/search?q=arpspoof) from the dsniff (http://www.google.com/search?q=dsniff) package.

You'll probably want something like this:
#!/bin/sh
# let the kernel forward the intercepted packets on to their real destination
echo 1 > /proc/sys/net/ipv4/ip_forward
# tell the gateway (192.168.0.1) that the EQ PC (192.168.0.10) is at this box's MAC, and vice versa
arpspoof -t 192.168.0.1 192.168.0.10 2>/dev/null &
arpspoof -t 192.168.0.10 192.168.0.1 2>/dev/null &

This is assuming you have a gateway box (doing NAT) [192.168.0.1] and a PC behind the gateway that you play EQ on [192.168.0.10]

When you're done sniffing you'll want to do:
killall arpspoof

If you can't figure out how to do this from what I've just said then forget about it and go buy a hub.

S_B_R
08-28-2002, 09:05 AM
So, in this setup you are running SEQ on your "Gateway" box?

high_jeeves
08-28-2002, 09:12 AM
I was confused here too.. if ShowEQ is your gateway, you don't need to do any of this. If it isn't, then this is a really complex solution to a simple problem..

--Jeeves

Dedpoet
08-28-2002, 09:16 AM
Hmmm, this is from the first google hit from the "arpspoof" search.


What we do is the following: We constantly send the victim computer ARP answers telling him that the MAC address belonging to the IP of the gateway machine (router) is our MAC address. After some time the victim computer will believe us and makes a wrong entry in his ARP cache. Next time the victim wants to send an IP packet to the gateway he sends the ethernet frame to our MAC address so actually we get the IP packet. We do the same thing with the gateway machine just the other way round.

I'm more of a Unix guy than a networking guy, but this doesn't sound all that desirable to me. I'm not doubting that it works, it just doesn't seem like a preferable method. I'd like to hear what some other people think though...this topic interests me.

S_B_R
08-28-2002, 09:42 AM
I'm gonna say there has to be a 3rd machine involved in this, that being the box you run the commands on and run SEQ on.

RavenCT
08-28-2002, 01:32 PM
MY GOD! I have never seen so many different posts about a $10 problem!!!

You know, if those of you out there can't understand that the SIMPLEST solution to this is to go buy a ten dollar hub then I don't know how anyone else here is really going to help.

I mean, how many different ways does it need to be said that SEQ WORKS BEST with a HUB. Yes, there are other ways to make it work. No one is doubting that, but remember people, YOU'RE DEALING WITH PEOPLE WHO CAN'T EVEN UNDERSTAND THE CONCEPT OF USING A HUB AND NOT A SWITCH!

**Sigh**

The easiest answer: Go buy a $10 hub... that's all, go get a cheap hub

a cheap hub, keep repeating it, a cheap hub... hub hub hub hub hub

I know I went a little over the edge here, but come on, go buy a hub. You'll be a lot happier when it works because you bought a cheap hub.

Oh, did I mention that you can buy a cheap hub?

So, to sum up:
Hub = Good
Switch = Complex Configuration (usually bad for SEQ)


(Boy, let the flaming begin! :) ) /rant off

/em mumbles quietly in a corner, hub hub hub hub hub hub hub hub hub hub

high_jeeves
08-28-2002, 01:57 PM
So RavenCT, like one of those linksys hubs? Or perhaps a switching hub...

::snickers to himself::

--Jeeves

Dedpoet
08-28-2002, 02:40 PM
I just had to close the door to my office to finish reading Raven's post. Thanks for the laugh. :p

FYI, my post saying I was interested in that utility was purely intellectual curiosity, not for Seq's sake in any way.

*guards what he would like to think is a decent rep here* Hehe.

RavenCT
08-28-2002, 03:52 PM
/em cackles evilly over a smoldering pile of Linksys "hub/switch/routers" :D

Hell, I just had to do it! Some times we all need to blow off a little steam in good fun! He he he


"they're coming to take me away he he ho ho ha ha, to the happy home, with trees and flowers and chirping birds and basket weavers who sit and smile and twiddle their thumbs and toes and they're coming to take me away ha ha"

szer
08-28-2002, 04:19 PM
There's no such thing as a 10/100 hub, is there? I had to use my ancient hub; I think it runs at 1mb. The new nifty switch doesn't work, I figured that out by myself actually. But other than running seq, netscape and fake instant messenger I know nothing about linux so wasn't going to bother with trying to use the switch. The local computer store and bestbuy don't even carry hubs any longer.

high_jeeves
08-28-2002, 04:41 PM
Bestbuy carries plenty of hubs... my hub is a 10/100 hub, and I bought it at bestbuy.. just make sure it isn't labeled as a "switching hub" or any linksys device (they are switching, even if they don't say so).

--Jeeves

casey
08-28-2002, 04:48 PM
FYI, my post saying I was interested in that utility was purely intellectual curiosity, not for Seq's sake in any way

ARP is used to translate between IP addresses and hardware addresses. Just like IP has no concept of names and needs the DNS system to translate them to IP addresses, ethernet has no concept of IP. To get an IP datagram from host A to host B over ethernet basically means the IP datagram gets stuffed into an ethernet frame, and that frame is sent to another ethernet host. To get to the other ethernet host, it needs a MAC address, and this is where ARP comes in. The originating host broadcasts out onto the ethernet "arp who-has x.x.x.x tell me". If any host on the ethernet thinks he has the IP address x.x.x.x, then he will respond with "arp reply x.x.x.x is-at y:y:y:y:y:y". Now the sending host records this in its ARP cache so it won't need to re-look this up until the cache data expires. The ethernet address from the ARP reply is used as the destination address in the ethernet frame, and the frame is sent off on its way. The receiving host(s) look at this frame as it comes in, and check the destination MAC. If it's their MAC, they strip the ethernet frame off and pass the datagram to the appropriate higher level protocol stack; if it's not their MAC, they silently ignore the packet (except in the case of a promiscuous interface, then all received packets are looked at).

What ARP spoofing or poisoning does is a modified gratuitous ARP. What this is, for example: take an ethernet host 00:11:22:33:44:55 with an IP of 10.0.0.2. When it comes up, it may broadcast "arp who-has 10.0.0.2 tell 10.0.0.2", and then immediately reply with a broadcast of "arp reply 10.0.0.2 is-at 00:11:22:33:44:55". This may look pointless, but now every host that can see ethernet broadcasts has recorded the association of 10.0.0.2 and 00:11:22:33:44:55 into its ARP cache. Some implementations of ARP may not even require a "who-has" being sent to honor a "reply", and in that case, you can just form an ARP reply to your liking and send it.

Now how does this all work in reality? Consider this setup. Host A and B want to talk, and there is host R between them routing between their networks.

Host A says, "ping B". Now host A's name resolution layer asks for a name lookup for B, and retrieves an IP address. It forms an ICMP packet, plugs in the IP address it found, sets itself to be an echo request, etc. Then ping sends its packet down to the kernel. The kernel, through its routing table, knows that B's net is not locally connected but accessed through its next-hop gateway R, so this is who the packet will be sent to. Host A says "arp who-has host R's ip" and host R replies with its MAC. Now host A forms an ethernet frame with host R's MAC as the destination and sends it on the ethernet.

Host R sees this incoming frame, looks at the frame's payload, and notices it's IP, so it looks to the IP destination address. It sees this IP and knows this address is on one of its locally connected interfaces (routing table at work again) and so on that interface it says "arp who-has Host B's ip". Host B replies and a new ethernet frame from host R's MAC to Host B's MAC is formed and sent on the wire. Host R also decrements the IP packet's TTL field; if TTL is 0, host R discards the packet.

Host B sees the frame, notices it's addressed to itself, strips the ethernet frame and sends the IP datagram to the IP layer. The kernel notes it's an ICMP echo request, and forms an ICMP echo reply back to host A and sends it back.

Now assume there is a host C on B's local net, and it wants to hijack traffic. It sends a poisoned ARP packet to host R advertising its IP-to-MAC correlation. Host R records this in its cache; now when the ping packet gets to R, before any ARP is sent, it consults the cache. It gets a cache hit, and the MAC address it thinks belongs to host B is used to send the frame, but really, host C is getting the traffic.

hope that helped satisfy/fuel your curiosity on the subject. :)

Yueh
08-28-2002, 04:55 PM
/gratuitous flame retardant on "I totally agree with the whole simple is better as well" ... But ...

It is an interesting networking tidbit :) . If you, for some reason, don't have the option of using a hub, ARP spoofing would work just dandy. Assuming, of course, your SEQ machine can handle becoming the de facto router for the EQ machine. That shouldn't be much of an issue with a decent SEQ setup in a home environment.

Dedpoet
08-28-2002, 05:20 PM
Thanks for the excellent explanation, casey. I think I had most of it figured out from the other pages I read on the subject, but you filled in the holes. I think the only thing I didn't understand was how the intercepting host knew to forward the packet on. In your example, host B (eq machine) sends its packets to host C (seq machine), thinking it's host R (your router/switch). Host C knows that the packet is destined for R, so it forwards it along...meanwhile you have looked at it. I think I have all of that correct.

I guess the next logical thought would be: would the packet be altered in a way that you could tell that it had been ARP poisoned? I know you can tell that a packet has been NAT'd, at least on the ends of a VPN tunnel (in which I have some experience), so I assume you would be able to detect ARP poisoning. A traceroute would have one more hop than expected as well, wouldn't it?

Edit: I just thought of something else. Wouldn't this be one-way only? How does a returning packet from outside of your network know to go to host C? Would you assume you have poisoned host R to also think host B was host C? I would suppose you would have to do that as well.

Yeah, that's why there are two commands.../bonk



arpspoof -t 192.168.0.1 192.168.0.10 2>/dev/null &
arpspoof -t 192.168.0.10 192.168.0.1 2>/dev/null &


Nothing to see here folks, just a curious geek trying to learn something...

photon_99
08-28-2002, 06:06 PM
lol Well I'm glad folks had fun figuring this out.

Yes SEQ is running on a Linux box that is NOT the gateway. It's just another box in the internal (NATed) network. In my case [192.168.0.20]

I have to love all the folks that said just go buy a hub after I specifically put "If you can't figure out how to do this from what I've just said then forget about it and go buy a hub."

Talk about redundant posters.

As for can you tell if someone is ARP poisoning: Hell yes! There are articles out there on this, along with detecting a NIC in promiscuous mode. Though I'm not sure about the latter in a switched network, but for them to be doing something nasty they'd have to be ARP spoofing anyway.

NOTE: The ARP poisoning is continuous. You're not running the command once and walking away. That's what the "&" is for in the script given.
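As an added illustration (not code from this thread or from dsniff), the detection photon_99 mentions and the who-has/is-at mechanics casey described, in Python: a passive monitor that parses ARP replies and flags an IP whose claimed MAC changes. The frames, MAC addresses and the 192.168.0.20 sniffer address are constructed for the example.

```python
"""Passive ARP monitor: flag an IP address whose advertised MAC changes.

Frames below are constructed test data (hypothetical MACs), not captures.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"

# Hypothetical addresses for the thread's 192.168.0.x example network.
GATEWAY_MAC = "00:11:22:33:44:55"
EQ_MAC = "00:aa:bb:cc:dd:10"
SNIFFER_MAC = "de:ad:be:ef:00:20"   # the box at 192.168.0.20 in the thread


def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, sender_mac) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None   # only Ethernet/IPv4 ARP is handled
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return op, ip, mac


def make_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a 42-byte Ethernet/ARP frame (test fixture for the monitor)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + ETHERTYPE_ARP
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip


def watch(frames):
    """Track 'is-at' claims; return (ip, first_mac, new_mac) for every conflict."""
    cache, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue   # requests carry no claim worth remembering
        _, ip, mac = parsed
        if cache.setdefault(ip, mac) != mac:
            alerts.append((ip, cache[ip], mac))
    return alerts


def sample_frames():
    """Constructed traffic: honest replies, a request, then a conflicting claim."""
    return [
        make_arp(ARP_REPLY, GATEWAY_MAC, "192.168.0.1", EQ_MAC, "192.168.0.10"),
        make_arp(ARP_REPLY, EQ_MAC, "192.168.0.10", GATEWAY_MAC, "192.168.0.1"),
        make_arp(ARP_REQUEST, EQ_MAC, "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
        make_arp(ARP_REPLY, GATEWAY_MAC, "192.168.0.1", EQ_MAC, "192.168.0.10"),
        make_arp(ARP_REPLY, SNIFFER_MAC, "192.168.0.1", EQ_MAC, "192.168.0.10"),
    ]
```

Only the last frame, a second MAC claiming the gateway's IP, produces an alert; the repeated honest reply does not.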

Cryonic
08-28-2002, 07:36 PM
The single & just forces the process into the background. It doesn't in and of itself make the program continue running. Other than that it is an interesting solution that while more complicated does work. This would have worked at my last job where I wasn't allowed to add any network equipment to the network, but could have poisoned the ARP table of the switch in the cube that all the machines were hooked to (I had both a Win2k and Linux boxen running for my job).

photon_99
08-28-2002, 11:02 PM
Yeah sorry didn't mean to imply that. arpspoof runs continuously though as it needs to.

If you were doing this on a work network the Net Admin MIGHT get a bit upset over it if she/he noticed. It will increase network traffic and the lights for the affected ports on the switch would be flashing pretty constantly. :)

It's somewhat complicated but saves me replacing my 100MB switch with a cheap hub just for when I'm playing EQ and want SEQ running.

Cryonic
08-28-2002, 11:24 PM
My network setup when using SEQ:

DSL ------> Hub --------> Switch ---------> Computers
             |
           SEQ Box

Didn't have to get rid of anything for all my machines and since the best speed I can get off DSL is only 7Mbit down/1MBit up (I can't afford this speed, but it is the Max that can be gotten for DSL), latency from going to the hub isn't a real issue and all my other systems can continue to enjoy full 100Mb full duplex Switched environment (which is good since several of my systems stream videos throughout the house [2.5 - 8Mb/s per system receiving the stream])

photon_99
08-29-2002, 12:03 AM
Whilst I said replacing I meant in the context of where it sits in the network.

A hub really wouldn't be a big deal, but my thought was why bother when I don't need it. Well actually it was more I couldn't be bothered going to the shop to buy one and already knew about arpspoofing so just set things up that way.

It's nice to still have a 100MB full duplex switch between my Linux box and the other PCs in my network as is, and it's used for more than just SEQ. Though nothing it couldn't do just as easily (though perhaps a little more slowly) with a 10MB hub.

Pigeon
08-29-2002, 03:27 AM
Woo woo, thanks. ;)

Been hoping for a way to do something like this for about a year now heh. I have been using a crap 10mbit for a while now, but since I use my SEQ box as a general fileserver for everyone in my house it needs more than 10mbit, so I went out and bought a new 100mbit hub, being extra careful to make sure it wasn't a linksys and didn't have "switch" written ANYWHERE on the packaging.

It was, of course, a switch.

Because of the crappy return policy, I couldn't return it (I argued with the guy behind the counter, and eventually the manager/owner. Eventually, after 30 minutes and had pretty much given up hope, I threatened to sue him for false advertising because his "hub" was really a switch. He told me to "get the **** out of my store and don't ever come back." I left, never went back, and never bothered to file such a stupid lawsuit heh) and didn't have the money nor desire to spend $30-$40 on another switch. I have 4 in my house at this point- the router, my 10mbit hub, my 100mbit "hub", and my roommate's switch. Enough is enough. I can't afford to blow money away on something that's not guaranteed to work.

And I don't know where this $10 hub thing came from. I don't work for any hub manufacturers; the cheapest price I can get at the local stores is $35 before tax, I don't trust ebayers and they're at least $25 anyway. (well, $15 + $10 S&H :p)

RavenCT
08-29-2002, 04:38 AM
Just for ha ha's, here's a 100 mbit "hub" on ebay (there are a bunch, I just focused on 3com)... Granted there are 2 days left to the auction, but the price at the moment for this one is $1.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2049647289

It's a 3COM Super Stack II Hub 100 TX 3C250C -TX12 which should be easy enough to verify on 3com's web site...
hub hub hub hub hub hubabbubabubb

joshua
08-29-2002, 06:50 PM
I use a Cisco 2924 switch, and the solution is quite simple. Cisco switches come with the built in ability to "SPAN" ports, meaning you can sniff traffic to and from port A & B from port C.

If anybody is interested in learning how to do it, this link has a great explanation for each series of switch:

http://www.cisco.com/warp/public/473/41.html

I enjoy the benefits of having a fully switched network - buying a HUB was not an option for me. I assume it's not an option to a lot of others for that very same reason.

--joshua

RavenCT
08-29-2002, 07:28 PM
But again, remember that the people who are having a hard time understanding the concept of a switch are going to have an even harder time with the concept of setting a switching device to broadcast packets on alternate ports... Not that it's a bad idea, but I'd venture that Cisco switches are significantly more expensive than most people want to spend their money on...

Ah well :)

photon_99
08-30-2002, 03:53 AM
Yes the more expensive switches (read managed) generally have an option for an administrative port that gets all the data broadcast to it for just these sorts of things. We use a HUB attached to just such a port at work to monitor traffic for billing and intrusion detection purposes.