View Full Version : Log all communication on router


ripcurlksm
12-09-2009, 11:13 PM
I have a Linksys WRT54G Router and I would like to capture all email or messages that are sent through it. I have the incoming and outgoing logs turned on and I can monitor IP address and port access, but is it possible to capture all communication to a log?

Cokebottle
12-09-2009, 11:43 PM
Definitely not with that level of router, and I'm not even sure it's possible to do that with a gateway server unless you are using a local Outlook client with the server acting as an MS Exchange server... but that would only store email, calendar, contacts, etc... basically a mirror of the Outlook database.

Anything other than that would have no way to differentiate an email from a web request.... in or out. It would be a combination of a keystroke logger with a storage buffer for all inbound data.... totally unmanageable.

Turo
12-09-2009, 11:46 PM
Not really able to do it with just a router. If you had a gateway setup, you can see the web pages requested, but other than that it's not really feasible.

I've got a gateway setup in my house with roommates and we can see websites and most traffic that goes through, but email is a different animal. Plus, some people use websites for email rather than a local client, so you would have to be able to differentiate.

ripcurlksm
12-09-2009, 11:48 PM
ok thanks

JDay
12-10-2009, 12:14 AM
I have a Linksys WRT54G Router and I would like to capture all email or messages that are sent through it. I have the incoming and outgoing logs turned on and I can monitor IP address and port access, but is it possible to capture all communication to a log?

If you put a 3rd party firmware on it you can set up an iptables policy that will log specified packets. You will need to log to an SMB share though because the router does not have enough storage for log files really.

JDay
12-10-2009, 12:16 AM
Not really able to do it with just a router. If you had a gateway setup, you can see the web pages requested, but other than that it's not really feasible.

I've got a gateway setup in my house with roommates and we can see websites and most traffic that goes through, but email is a different animal. Plus, some people use websites for email rather than a local client, so you would have to be able to differentiate.

You could log all traffic on urls that have mail in them, the problem though is that most providers use SSL for webmail.

NSR500
12-10-2009, 12:48 AM
Maybe you can do that with a ClarkConnect server/firewall/gateway. The WRT54G will just be run as a WAP off of the CC machine.

goldleviathan
12-10-2009, 1:30 AM
This was kind of a creepy question to begin with.

Turo
12-10-2009, 2:46 AM
This was kind of a creepy question to begin with.

Not really, if the OP wanted to monitor their kids' actions online, it would be a very valid question.

goldleviathan
12-10-2009, 2:59 AM
Not really, if the OP wanted to monitor their kids' actions online, it would be a very valid question.

Yeah, I'm sure that's what he wanted to do.

Cokebottle
12-10-2009, 7:58 AM
Yeah, I'm sure that's what he wanted to do.
What else then?

Maybe he runs a small business. Email and web activity through business systems has no expectation of privacy.

It's his router (obviously has access to configure logs, and you have to be hardwired to do that to the WRT54G), it's not a matter of stalking or bugging a neighbor.

ripcurlksm
12-10-2009, 8:15 AM
My purpose is not malicious. Thanks for your time.

nick
12-10-2009, 8:45 AM
You could log all traffic on urls that have mail in them, the problem though is that most providers use SSL for webmail.

Many use HTTPS/SSL for authentication, but then drop to HTTP when one actually checks mail.

Depending on the setup (which I don't know), real requirements, and how important the project is (i.e. how much money you're willing to drop on it) the OP can:

1. Install third-party firmware on the WRT (dd-wrt, tomato, or sveasoft are the ones that come to mind, I'm sure there're more packages out there), and either configure it to offload syslog to some host on his network, or, like JDay said, to offload all the traffic (might be too taxing on the WRT, they're not exactly powerful).

2. Get a switch that supports SPAN/smart/monitoring/whatever else the manufacturers call them ports (the ports to which the router can copy all the traffic passing through the monitored switch port). For that matter, I wouldn't be surprised if some third-party WRT firmware supported this.

On the host connected to the SPAN port, either configure a packet sniffer (wireshark is free and pretty good), or install some specialized traffic monitoring software. Cyber Predator (http://www.ingenuity.co.uk/cp/cp.asp?internet monitor, web filtering, site blocking, email monitoring) is pretty good and fairly cheap.

3. Consider logging on the internal hosts. There're hundreds of software packages for that.
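JDay's iptables suggestion and nick's point 1 (offloading syslog from a third-party WRT firmware) amount to flow logging, not content capture. The following added example (not from any poster) shows the two halves: the iptables LOG rules one would add for mail ports, and a parser that turns the resulting kernel log lines, as received by a syslog host, into per-client connection counts. The "MAIL:" prefix, the interface names and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Mail-related TCP ports and the log prefix the rules below tag them with
# (the prefix "MAIL:" is an assumed label, not anything from the thread).
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap", 465: "smtps",
              587: "submission", 993: "imaps", 995: "pop3s"}
LOG_PREFIX = "MAIL:"

def iptables_rules(prefix=LOG_PREFIX, chain="FORWARD"):
    """Return the iptables commands that produce the lines parsed below:
    one LOG rule per mail port, matching only new (SYN) TCP connections
    so each session is logged once rather than per packet."""
    return [f"iptables -I {chain} -p tcp --dport {port} --syn "
            f"-j LOG --log-prefix '{prefix} ' --log-level info"
            for port in sorted(MAIL_PORTS)]

# Constructed sample of what the kernel writes for LOG rule hits, as it
# would arrive at a syslog host. The DROP line belongs to another rule
# and the UDP line shows a record the summary must ignore.
SAMPLE_LOG = """\
Dec 10 08:15:01 wrt54g kernel: MAIL: IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=49152 DPT=993 SYN
Dec 10 08:15:03 wrt54g kernel: MAIL: IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=49153 DPT=993 SYN
Dec 10 08:16:10 wrt54g kernel: MAIL: IN=br0 OUT=vlan1 SRC=192.168.1.31 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Dec 10 08:16:12 wrt54g kernel: DROP: IN=vlan1 OUT= SRC=198.51.100.77 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=4444 DPT=23 SYN
Dec 10 08:17:00 wrt54g kernel: MAIL: IN=br0 OUT=vlan1 SRC=192.168.1.31 DST=198.51.100.9 LEN=40 PROTO=UDP SPT=51001 DPT=25
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; "OUT=" gives ""

def parse_log_line(line, prefix=LOG_PREFIX):
    """Parse one syslog line from an iptables LOG rule into a dict with
    src, dst, proto and dport; return None if the line lacks our prefix
    or is truncated/malformed (syslog over UDP can lose bytes)."""
    marker = f"kernel: {prefix}"
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(marker):]))
    try:
        return {"src": fields["SRC"], "dst": fields["DST"],
                "proto": fields["PROTO"], "dport": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None

def summarize(log_text, prefix=LOG_PREFIX):
    """Count new TCP connections per (client, service, server) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line, prefix)
        if rec is None or rec["proto"] != "TCP":
            continue
        service = MAIL_PORTS.get(rec["dport"], f"tcp/{rec['dport']}")
        counts[(rec["src"], service, rec["dst"])] += 1
    return counts
```

Running `summarize(SAMPLE_LOG)` yields two IMAPS connections from 192.168.1.20 and one SMTP connection from 192.168.1.31; the headers say who talked to which mail server and when, which is exactly the flow-level view ocabj describes, and nothing about message contents.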

skip
12-10-2009, 8:51 AM
Not for the router, but you can use a keystroke logger like this:

http://www.sci-stor.com/store/catalog/Keyboard-KeyStroke-Logger-p-1-c-453.html

ocabj
12-10-2009, 9:17 AM
If you want to "log all communication", are you saying you want to see every single packet and then analyze the content of every packet? Even if you had the capability to mirror ports on a consumer/home router, you'd still need to set up a computer and facility to manage that analysis.

We have hosts monitoring all the links at our borders for campus, and even then we're only logging flow data, not packet contents.

If you want to just monitor web traffic, you can set up squid (http://www.squid-cache.org/) and force all your computers to use the local squid proxy.

JDay
12-10-2009, 3:44 PM
Not for the router, but you can use a keystroke logger like this:

http://www.sci-stor.com/store/catalog/Keyboard-KeyStroke-Logger-p-1-c-453.html

You run into legal problems when you start capturing logins for personal accounts with that.

JDay
12-10-2009, 3:46 PM
If you want to just monitor web traffic, you can set up squid (http://www.squid-cache.org/) and force all your computers to use the local squid proxy.

Squid is nice, caches sites that are accessed often so you cut down on bandwidth use and you can block access to sites with it as well (although using OpenDNS allows you to block site access too).

G17GUY
12-10-2009, 10:26 PM
http://www.spectorsoft.com/

high_revs
12-10-2009, 10:42 PM
The best thing I did for my WRT54G is reflash it with DD-WRT. I just checked its GUI and there's no logging capability like you're looking for, only for router behavior and performance. But... my router has been so much more stable than the crappy OEM firmware. I might have been able to save the old router (WRT also) if I had just reflashed it first before throwing it away!

Cokebottle
12-10-2009, 11:26 PM
The best thing I did for my WRT54G is reflash it with DD-WRT. I just checked its GUI and there's no logging capability like you're looking for, only for router behavior and performance. But... my router has been so much more stable than the crappy OEM firmware. I might have been able to save the old router (WRT also) if I had just reflashed it first before throwing it away!
Mine still seems to function fine as a router, but the wireless hasn't connected for a year or two.
Starts to connect, and the client just says something about "waiting for network to get ready" or something like that.

But now that you mention it, I have been getting some odd "hanging" in the browser every now and then. It seems more like it's local, but now I'm wondering if it's related to the router. I really don't need wireless since I'm only running one machine and have a spare cable tucked behind the desk for the laptop and I'm hardwired to the BD player, I really only need a router.
What kind of problems did you have when it started failing?

high_revs
12-11-2009, 9:22 AM
Cokebottle, what failed first was the wifi piece for me. Actually, the last one I flashed was actually my 3rd WRT54 router too (I think). I had to connect hardwired in the end. But you don't need to reflash if you don't need the wifi piece.

Cokebottle
12-11-2009, 12:01 PM
Cokebottle, what failed first was the wifi piece for me. Actually, the last one I flashed was actually my 3rd WRT54 router too (I think). I had to connect hardwired in the end. But you don't need to reflash if you don't need the wifi piece.
I was curious about the firmware. I've got the WRT54GS v.2 and it's running 3.37.6. I downloaded the latest Cisco firmware which is 4.71.4 from 2008, but was wondering what the difference was.
I keep seeing references to the DD-WRT turning it from a $60 router into a $600 router and was curious what that was all about as well.

For the time being, I've just completely disabled the wireless functionality to keep a neighbor from brute-forcing the system.

JDay
12-11-2009, 6:41 PM
The best thing I did for my WRT54G is reflash it with DD-WRT. I just checked its GUI and there's no logging capability like you're looking for, only for router behavior and performance. But... my router has been so much more stable than the crappy OEM firmware. I might have been able to save the old router (WRT also) if I had just reflashed it first before throwing it away!

SSH into the router and you get much more control.

JDay
12-11-2009, 6:46 PM
I was curious about the firmware. I've got the WRT54GS v.2 and it's running 3.37.6. I downloaded the latest Cisco firmware which is 4.71.4 from 2008, but was wondering what the difference was.
I keep seeing references to the DD-WRT turning it from a $60 router into a $600 router and was curious what that was all about as well.

Check it out.

http://www.dd-wrt.com/demo/

http://www.dd-wrt.com

For the time being, I've just completely disabled the wireless functionality to keep a neighbor from brute-forcing the system.

If you use WPA2 encryption with a strong password this won't happen. It's not like WEP where you just need to capture some packets to crack the key.