See also BuildingABridgePC.

I built a PC that can be used as a transparent bridge. It runs FreeBSD. The password may be found in the password box.

Theory of operation

It has three network interfaces, each labelled on the back of the case. The machine can be brought up in one of two modes: bridged or not bridged.

When the machine is not bridged, it brings up em0 with an address, as lusankya.cscf, and does not configure em1 at all. Use this mode for things like OS updates, when the box itself needs to reach the network.

When the machine is bridged, it brings up the em devices without IP addresses and bridges traffic transparently between them. No firewall rules are applied, although ipfw or pf could be used to add some. I'm not sure if it's possible for the device being monitored to tell that this is happening, but it would at least be non-trivial, and malware authors are unlikely to go to that extent.

In either mode, the third interface, fxp0, is brought up with a private IP (192.168.15.1) as a management interface, and a DHCP server runs on it. Connect a laptop or other networked device to this interface with a crossover cable; it gets an address from DHCP, and the admin can then ssh in and run processes.

It is recommended that network traces and similar data be stored in /nsm (for network security monitoring).

Usage

Usage is pretty simple; the machine doesn't do much. You'll need a crossover ethernet cable, a straight-through ethernet cable, a power cable, and a laptop.

Plug the laptop into the management interface and check that it gets an IP address and that you can ssh in. Ensure that /etc/rc.conf is set up to bridge the two em interfaces together; you may need to make changes and restart networking (or just reboot).

Start tcpdump on the bridge interface before the monitored host is connected, so nothing is missed (hint: tcpdump -i bridge0 -s 0 -w /nsm/hostname_date is a good place to start; adding -n stops tcpdump from attempting name lookups, which cannot succeed from bridge members that have no address of their own).

Unplug the PC you are investigating from its network drop and plug that cable into one of the two bridged interfaces (I usually choose em0). Plug the other bridged interface into the wall drop with the straight-through cable. tcpdump should then start grabbing packets.

Once you're done, stop tcpdump; you can then copy the trace file off to your laptop for further analysis. Wireshark (formerly Ethereal) reads pcap files, as do many other network and forensics utilities.
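The following script is an added example, not code from the original page or from the bridge PC itself. It puts the two modes from the theory of operation and the capture step from the usage section into one place for a FreeBSD box using if_bridge(4): the ifconfig commands for switching into and out of bridge mode, the /etc/rc.conf fragment for each mode, a check that bridge0 has two members and that neither member carries an IPv4 address, and the tcpdump invocation with the /nsm/hostname_date naming. The interface names em0, em1 and fxp0, the address 192.168.15.1, the hostname lusankya.cscf and the /nsm directory are from the page; the /24 netmask, DHCP for em0 in unbridged mode (the page does not give its address), isc-dhcpd from ports as the DHCP server, the -n flag for tcpdump, the sample ifconfig output, and every function and variable name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page. Scripts the bridged and
# unbridged modes of a FreeBSD if_bridge(4) tap. Netmask, DHCP on em0,
# isc-dhcpd, tcpdump -n and all names below are assumptions, not the page's.

# Privileged commands go through run() so the sequence can be reviewed with
# DRY_RUN=1 before it is executed on the box.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge mode: bridge0 forwards between em0 and em1, which carry no address.
# Nothing here loads ipfw or pf rules, so all traffic passes unfiltered.
bridge_up() {
    run ifconfig bridge0 create
    run ifconfig bridge0 addm em0 addm em1 up
    run ifconfig em0 up
    run ifconfig em1 up
}

# Unbridged mode (OS updates): drop the bridge; em0 is then configured from
# rc.conf by a networking restart or a reboot.
bridge_down() {
    run ifconfig bridge0 destroy
}

# /etc/rc.conf fragment for a mode; the management interface part is common.
rcconf() {
    case "$1" in
    bridged)
        printf '%s\n' 'cloned_interfaces="bridge0"' \
                      'ifconfig_bridge0="addm em0 addm em1 up"' \
                      'ifconfig_em0="up"' \
                      'ifconfig_em1="up"'
        ;;
    unbridged)
        printf '%s\n' 'hostname="lusankya.cscf"' \
                      'ifconfig_em0="DHCP"'
        ;;
    esac
    printf '%s\n' 'ifconfig_fxp0="inet 192.168.15.1 netmask 255.255.255.0"' \
                  'dhcpd_enable="YES"' \
                  'dhcpd_ifaces="fxp0"'
}

# Checks take ifconfig output as text, so they work on the constructed
# samples below as well as on the live box. A working tap has two members.
bridge_member_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*member:'
}

# A bridge member with an IPv4 address is reachable from the monitored
# segment, and the tap is no longer transparent.
has_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Capture file in the page's /nsm/hostname_date convention, plus .pcap.
capture_path() {
    printf '/nsm/%s_%s.pcap' "$1" "$2"
}

# -n: no name lookups; they cannot succeed from members with no address.
start_capture() {
    run tcpdump -n -i bridge0 -s 0 -w "$(capture_path "$1" "$(date +%Y%m%d-%H%M)")"
}

# Constructed sample ifconfig output, not captured from the real box.
SAMPLE_BRIDGE0='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:3c:9a:7e:11:00
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'
SAMPLE_EM0_BRIDGED='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active'
SAMPLE_EM0_ADDRESSED="$SAMPLE_EM0_BRIDGED
        inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255"

case "${1:-}" in
up)      bridge_up ;;
down)    bridge_down ;;
rcconf)  rcconf "$2" ;;
capture) start_capture "$2" ;;
check)   [ "$(bridge_member_count "$(ifconfig bridge0)")" -eq 2 ] ||
             { echo "bridge0 does not have two members" >&2; exit 1; }
         for i in em0 em1; do
             if has_inet "$(ifconfig "$i")"; then
                 echo "$i carries an IPv4 address" >&2; exit 1
             fi
         done
         echo "bridge0 ok" ;;
esac
```

Saved as, say, bridge.sh (a hypothetical name), `sh bridge.sh rcconf bridged` prints the lines to put in /etc/rc.conf for bridge mode, `DRY_RUN=1 sh bridge.sh up` shows the ifconfig commands without running them, `sh bridge.sh check` is the test to run over ssh from the laptop before plugging in the monitored host, and `sh bridge.sh capture lusankya` starts the capture into /nsm. The check matters because a member interface that picked up an address (for example from a leftover rc.conf line) makes the box reachable from the segment it is supposed to be watching silently.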

-- MikePatterson - 11 May 2006, 27 November 2006

Topic revision: r3 - 2007-06-12 - MikePatterson