5

I am aware of the various techniques that there are to sniff around a network that has Hubs or Switches (port mirroring, hubbing out, use of taps), but I am not sure which method would be more efficient in a home network that has the following architecture.

  • My goal is to monitor the whole network to create a baseline of a normal behaviour.
  • Currently I am doing the monitoring using a laptop connected on the same wireless network, using Wireshark.

Is this sufficient?

Network Topology

Irene Ant
  • 659
  • 7
  • 19
  • Does your router support sending netflows? – Tensibai Sep 27 '17 at 12:00
  • @Tensibai, no I don't think so. So you suggest that the best way would be to monitor the traffic from the router? I'd probably need one with a custom firmware. – Irene Ant Sep 27 '17 at 12:03
  • That's the central point of communication, so it makes sense to mirror the traffic to a port or to export netflows from it, as it will see any traffic. Side note: your colors for the different media are too close and I'm unsure of what's what on your schema; try to think of color blind people when doing a schema, as that eases the reading for everyone :) – Tensibai Sep 27 '17 at 12:06
  • @Tensibai, okay I will think about it. Yes sorry, all of it is wireless apart from the communication between the Hive and Sensors. – Irene Ant Sep 27 '17 at 12:07
  • As long as everything is wireless I assume a promiscuous capture on the laptop would do, as long as your laptop interface handles the Zigbee protocol to really capture it, but I can't swear on this part (there's also a chance to miss frames from distant systems). – Tensibai Sep 27 '17 at 12:09

1 Answer

3

First case: Your Sky router has a mirroring port / You can dedicate a port to mirroring.

Should be very simple to tap the traffic, check your router specs/doc.

Second case: you want to do it by implementing new hardware in your topology.

With the following:

  • You want to tap Outbound and Inbound traffic.
  • This sky Router is not your WAN Gateway.
  • You don't want to tap local traffic (for instance: MacBook -> SkyRouter -> IPCamera).

Here is how I would do it:

+--------------+  +--------------+  +-------------------+  +-----------+  +------------+
| The Internet +--+ ISP's router +--+ Transparent proxy +--+ SkyRouter +--+ Endpoints | 
+--------------+  +--------------+  +-------------------+  +-----------+  +------------+

In the scheme above, the transparent proxy is the sniffer.

If both cases don't suit you for some reason, there is a dirty way of doing it. You can set your MacBook Wi-Fi NIC into promiscuous mode and tap traffic.

Keep in mind that this method's results won't be accurate. You will tap traffic that has nothing to do with your network and might miss some traffic of yours.

I don't recommend it.

Baptiste
  • 1,643
  • 10
  • 20
  • Yeah, at the moment I am using my MBP's NIC in promiscuous mode and listening to the traffic, but I don't think that gives me accurate results. I might try the first solution. – Irene Ant Sep 29 '17 at 01:11
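Added example (not part of the question or of Baptiste's answer) covering two points raised above: the question's goal of turning a capture into a baseline of normal behaviour, and the answer's warning that a promiscuous Wi-Fi capture also picks up frames that have nothing to do with your network. The script parses a classic pcap with only the standard library, counts per-host flows, sets aside anything where neither end is in your LAN, and then reports flows in a later capture that never appeared in the baseline. The home subnet (192.168.0.0/24), the device addresses and the frames are constructed assumptions; no real traffic is embedded. One practical caveat: Wireshark saves pcapng by default, so export as classic pcap (or capture with tcpdump -w) before feeding a file to this parser.

```python
"""Per-host traffic baseline from a pcap, ignoring frames foreign to the home LAN."""
import ipaddress
import struct
from collections import defaultdict

# Assumption: the Sky router hands out addresses in this range.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def iter_frames(pcap_bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file held in memory."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    offset = 24  # the global header is 24 bytes
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    dport = None
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:  # TCP or UDP: read the destination port
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
    return src, dst, proto, dport


def build_baseline(pcap_bytes, home_net=HOME_NET):
    """Count (src, dst, proto, dport) flows that involve the home network.

    Frames where neither end is in home_net are counted as 'foreign' and kept out
    of the baseline: in a promiscuous Wi-Fi capture those are other people's frames.
    """
    flows = defaultdict(int)
    foreign = 0
    for frame in iter_frames(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if src not in home_net and dst not in home_net:
            foreign += 1
            continue
        flows[(str(src), str(dst), proto, dport)] += 1
    return dict(flows), foreign


def find_new_flows(baseline, pcap_bytes, home_net=HOME_NET):
    """Flows present in a later capture that never appeared in the baseline."""
    current, _ = build_baseline(pcap_bytes, home_net)
    return sorted(key for key in current if key not in baseline)


# --- Constructed sample captures; addresses and frames are made up for this example ---
def make_frame(src, dst, proto, sport, dport):
    """Ethernet + IPv4 + minimal TCP/UDP header; MACs and checksums are zero placeholders."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    l4 = struct.pack("!HH", sport, dport) + bytes(4)
    return eth + ip + l4


def make_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with Ethernet link type."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1506000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


LAPTOP, CAMERA, DNS, UNKNOWN = "192.168.0.10", "192.168.0.20", "8.8.8.8", "203.0.113.7"
BASELINE_FRAMES = [
    make_frame(LAPTOP, DNS, 17, 51000, 53),
    make_frame(LAPTOP, DNS, 17, 51001, 53),
    make_frame(LAPTOP, DNS, 17, 51002, 53),
    make_frame(LAPTOP, CAMERA, 6, 52000, 554),           # laptop viewing the camera's RTSP stream
    make_frame("10.0.0.5", "10.0.0.6", 17, 5353, 5353),  # a neighbour's frame, seen in promiscuous mode
]
BASELINE_PCAP = make_pcap(BASELINE_FRAMES)
# Later capture: same traffic plus the camera talking to a host never seen before.
LATER_PCAP = make_pcap(BASELINE_FRAMES + [make_frame(CAMERA, UNKNOWN, 6, 40000, 443)])

if __name__ == "__main__":
    baseline, foreign = build_baseline(BASELINE_PCAP)
    print("baseline flows:", baseline)
    print("foreign frames ignored:", foreign)
    print("new flows in later capture:", find_new_flows(baseline, LATER_PCAP))
```

Run it on a real file by replacing the constructed bytes with `open("capture.pcap", "rb").read()` and setting HOME_NET to your LAN. The flow key deliberately drops the source port so that repeated connections to the same service collapse into one baseline entry; what you want to stand out is a device contacting a host or port it never used before, as the camera does in the later capture.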