
I have access to a Linux server that is acting as the gateway to an internal network.

There is a MagicJack Plus device plugged into this network via CAT5.

The MagicJack gets its IP via DHCP from the Linux server, and I've determined which IP address it was issued.

I've nmapped that IP, but I couldn't discover any open ports on the MagicJack Plus device.

I'm curious about how it communicates, especially which ports it actually uses. I'd like to monitor which ports it uses during a 24-hour period. I'd be very interested in seeing if it tries to communicate with any other computers that it doesn't need to (on the local network).

Ultimately, I want to lock that device down, so that it only has access to what it needs and nothing more.

The Linux server only has a web app GUI and command line. How can I monitor and log the network activity of the "IP of this device" to discover what ports it actually uses, what it tries to access, and how much bandwidth it uses?

LonnieBest

1 Answer


To get all the traffic your device generates, do the following:

  1. Plug the device directly into your host's port (i.e. into a dedicated Ethernet adapter)
  2. Given eth1 is the name of your host's network adapter you dedicated for testing (see above), use this command to write a packet log to a file:

    $ sudo tcpdump -s 65535 -i eth1 -w ~/device.pcap
    
  3. Leave that command running for some period of time (like 24 hours).
  4. Use the device like you usually do to make it (probably) generate some traffic.
  5. Interrupt the tcpdump with Ctrl-C.
  6. Examine the traffic dump file ~/device.pcap with any tool you like, e.g. Wireshark.

EDIT:

If your device refuses to work without an IP address, you might want to set up a DHCP server for it. I suggest using dnsmasq for these purposes, like this (run on your testing host):

    # ifconfig eth1 192.168.100.1/24 up
    # dnsmasq --bind-interfaces --conf-file= --interface eth1 --listen-address 192.168.100.1 --dhcp-range 192.168.100.2,192.168.100.254
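
For step 6 of the answer above, an added example (not part of the original answer): a small Python parser for a classic libpcap file such as the one `tcpdump -w` writes, totalling the bytes the device sent per protocol, destination IP and destination port. The function names, the device address 192.168.100.50, the ports and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def summarize(pcap: bytes, device_ip: str) -> dict:
    """Bytes sent by device_ip, keyed by (protocol, destination IP, destination port)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24        # records start after the 24-byte file header
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # skip ARP, IPv6, VLAN-tagged and short frames
        ip = frame[14:]
        if ".".join(map(str, ip[12:16])) != device_ip:
            continue                   # keep only packets the device sent
        dst = ".".join(map(str, ip[16:20]))
        ihl = (ip[0] & 0x0F) * 4       # IPv4 header length in bytes
        frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        port = None                    # stays None for ICMP etc. and later fragments
        if ip[9] in (6, 17) and frag_offset == 0 and len(ip) >= ihl + 4:
            port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(ip[9], str(ip[9]))
        totals[(proto, dst, port)] += orig   # orig = length on the wire
    return dict(totals)

def _frame(src, dst, proto, dport, payload_len):
    """Constructed Ethernet/IPv4 frame: zeroed MACs and checksums, ports only."""
    l4 = struct.pack("!HH", 40000, dport) + bytes(payload_len)
    addr = lambda s: bytes(map(int, s.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     addr(src), addr(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_pcap() -> bytes:
    """Constructed capture standing in for ~/device.pcap."""
    dev = "192.168.100.50"             # assumed lease from the dnsmasq range
    frames = [_frame(dev, "203.0.113.10", 17, 5000, 100),
              _frame(dev, "203.0.113.10", 17, 5000, 100),
              _frame(dev, "192.168.100.7", 6, 80, 16),
              _frame("203.0.113.10", dev, 17, 40000, 50)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the bytes of `~/device.pcap` and the device's leased address to `summarize`. Entries whose destination lies inside the local subnet are the ones to review before writing firewall rules for the device.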