BuildingABridgePC
>
UsingTheBridgePC
(2007-06-12,
MikePatterson
)
See also BuildingABridgePC. I built a PC that can be used as a transparent bridge. It runs FreeBSD. The password may be found in the password box.

---+++ Theory of operation

It has three network interfaces, each labelled on the back of the case. The machine can be brought up in one of two modes: bridged or not bridged.

When the machine is not bridged, it brings up =em0= as _lusankya.cscf_ and does not configure =em1= at all. Use this mode for things like OS updates.

When the machine is bridged, it brings up the em devices without IP addresses and bridges traffic transparently between them. No firewall rules are applied, although =ipfw= or =pf= could be used to add some. I'm not sure whether the device being monitored can tell that this is happening, but detecting it would at least be non-trivial and malware authors are unlikely to go to that extent.

In either mode, the third interface =fxp0= is brought up with a private IP (192.168.15.1) as a management interface, and a DHCP server is run on it. Connect a laptop or other networked device to this interface with a crossover cable; the admin can then ssh in and run processes. It is recommended that network traces and similar data be stored in =/nsm= (for network security monitoring).

---+++ Usage

Usage is pretty simple; the machine doesn't do much. You'll need a crossover ethernet cable, a straight-through ethernet cable, a power cable, and a laptop.

   1 Plug the laptop into the management interface, and ensure that it gets an IP and that you can ssh in.
   1 Ensure that =/etc/rc.conf= is set up to bridge the two interfaces together; you may need to make changes and restart networking (or just reboot).
   1 Start running tcpdump on the bridge interface (hint: =tcpdump -i bridge0 -s 0 -w /nsm/hostname_date= is a good place to start).
   1 Unplug the PC you are investigating from its network drop, and plug that cable into one of the two bridged interfaces (I usually choose =em0=).
   1 Plug the other bridged interface into the wall drop.

tcpdump should then start grabbing packets. Once you're done, stop tcpdump; you can then copy the trace file to your laptop for further analysis. wireshark/ethereal will read pcap files, as will many other network and forensics utilities.

-- Main.MikePatterson - 11 May 2006, 27 November 2006
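The two modes in "Theory of operation" and the "ensure =/etc/rc.conf= is set up to bridge" step in "Usage" are made concrete below. This is an added example written for this page, not a script from the bridge PC itself. It assumes FreeBSD's if_bridge(4) =rc.conf= syntax (the page does not say which bridging mechanism the box uses), takes the names =bridge0=, =em0=, =em1=, =fxp0= and the address 192.168.15.1 from the page, and uses a constructed placeholder (192.0.2.10) for the address of _lusankya.cscf_. The =ifconfig= output it checks is constructed sample text in the shape FreeBSD prints; on the box you would feed it the live output instead. The check catches the one mistake that silently breaks transparency: a bridged interface that still carries an IP address.

```shell
#!/bin/sh
# Added example for this wiki page (not the bridge PC's own scripts).
# 1. rc_conf_for MODE prints the /etc/rc.conf lines for "bridged" or
#    "standalone" mode, using if_bridge(4) syntax (assumption: the page
#    does not name the bridging mechanism).
# 2. bridge_ready checks that the bridge is really transparent before a
#    capture: em0 and em1 are members of bridge0 and carry no IPv4 address.
# Names bridge0/em0/em1/fxp0 and 192.168.15.1 are from the page;
# 192.0.2.10 is a constructed placeholder for lusankya.cscf's address.

rc_conf_for() {
    case "$1" in
    bridged)
        cat <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_fxp0="inet 192.168.15.1 netmask 255.255.255.0"
EOF
        ;;
    standalone)
        # em0 gets the host's own address; em1 is left unconfigured.
        cat <<'EOF'
ifconfig_em0="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_fxp0="inet 192.168.15.1 netmask 255.255.255.0"
EOF
        ;;
    *)
        echo "usage: rc_conf_for bridged|standalone" >&2
        return 1
        ;;
    esac
}

# has_member BRIDGE_OUTPUT IFACE: succeed if IFACE is a "member:" of the bridge.
has_member() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*member: $2 "
}

# has_no_inet IFACE_OUTPUT: succeed if no IPv4 "inet " line is present
# (the trailing space keeps inet6 link-local lines from matching).
has_no_inet() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# bridge_ready BRIDGE_OUTPUT EM0_OUTPUT EM1_OUTPUT: all checks must pass.
bridge_ready() {
    has_member "$1" em0 && has_member "$1" em1 &&
        has_no_inet "$2" && has_no_inet "$3"
}

# Constructed sample output of `ifconfig bridge0` on a correctly bridged box.
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed `ifconfig em0` / `ifconfig em1` with no IP: transparent.
SAMPLE_EM0_OK='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'
SAMPLE_EM1_OK='em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:66
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'

# Constructed `ifconfig em0` where the standalone address was left in place.
SAMPLE_EM0_BAD='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'

# On the box itself, gate the capture on the live state:
#   bridge_ready "$(ifconfig bridge0)" "$(ifconfig em0)" "$(ifconfig em1)" \
#       && tcpdump -i bridge0 -s 0 -w /nsm/hostname_date
```

After writing the bridged lines to =/etc/rc.conf= and restarting networking, run the gate above from the management ssh session; if it fails, one of the em interfaces still has an address from standalone mode and the box is answering on the monitored segment rather than passing traffic silently.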