Since you apparently have physical access to the network connection, then insertion of an Ethernet hub is probably the simplest solution. Instead of inserting computer B between A and R, install the hub and also connect B to the hub. Run Wireshark on B to capture the network traffic.
If you do not already have an Ethernet hub, then you will have to be aware of the pitfalls of trying to acquire one. You cannot use a switch for this task, and some "hubs" are actually switches! Useful information on Ethernet hubs is here.
The computer B should be able to log everything that is passing through it.
Wireshark will certainly be able to capture/log all network packets transmitted by computer A and router R. Wireshark will set up the specified port in promiscuous mode so that the hardware will not filter out any received Ethernet frames.
Computer A and Router R shouldn't be aware of what's happening (they should both think they are directly connected).
The only clue that there is a hub rather than a switch in the network is that the links are forced to operate at half duplex rather than full duplex. The net effect is that latency might be a little higher and throughput will be reduced. But these same conditions could also be caused by increased network traffic (or your proposed scheme of inserting Computer B), so a user would have to be astute to detect the presence of the hub (assuming it's not visible).
Any idea on the network configuration I should use?
My preference when using Wireshark is to use a secondary Ethernet port of the computer, either a second NIC or a USB-to-Ethernet adapter. This scheme allows the configuration of the "sniffing port" to be customized without disrupting the configuration of the (other) port for "normal" network activity (e.g. IP address assignment by DHCP & Internet access). Of course this "sniffing port" should be assigned a (unique) static IP address in the same subnet as computer A.
This sniffing PC would optimally be running a Linux OS. Windows machines tend to ignore non-Windows machines on the network. Linux also has the ethtool command to disable transmission for the "pause parameter" and "checksumming", but I've never used these options, and don't know if they would help make this PC less detectable.
If you do use a Windows OS on the sniffer computer, then be sure to uninstall all protocols (e.g. Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Link-Layer Topology Discovery ...) except Internet Protocol Version 4 under Local Area Connection Properties for the sniffer's Ethernet device.
Could you please explain in more detail on which computer / network interface you want to do the analysis? – laika – 2012-10-23T15:24:27.820
Edited my question, hope it's more clear now – IggY – 2012-10-23T15:30:03.117
Cool, interesting question. Trying to figure out now your situation. You'll need to do some port mirroring which is transparent to both sites. – laika – 2012-10-23T15:44:50.117
Taking back, I've forgotten you don't want ARP poisoning. My bad. – laika – 2012-10-23T15:51:47.520
I also think it's an interesting question ;) If I manage to have a good starting point here I'll open a GitHub project – IggY – 2012-10-23T16:05:31.493
Another approach that comes to my mind is kind of non-transparent proxy essentially starting on layer 2, which makes it in turn again a port mirrorer with added ability to modify the flow. – laika – 2012-10-23T17:37:25.457
Thinking of, that may be useful if e.g. in future A will be switched by C; C <---> R; (A) <---> B <---> R; where (A) is now a fake A, (software programmed), telling outside the R that "I exist" on queries by ISP. – laika – 2012-10-23T17:44:20.847
If you can get an Ethernet hub, not a switch, then this is trivial to setup. Instead of inserting computer B between "A" and "R", install the hub and also connect "B" to the hub. Run Wireshark on "B" to capture the network traffic. – sawdust – 2012-10-23T19:09:16.763
@sawdust I think in this particular setup your solution is suitable, if IggY can plug the hub there. BTW IggY are there any reasons discarding use of ARP poisoning or it's a preliminary requirement for problem solution? – laika – 2012-10-23T19:25:38.143
@sawdust Great idea! I will do it like this! Actually ARP spoofing could be possible for this project but I wanted (just for the fun) to work on something "impossible" to detect. I think the hub in addition with some network configuration on the sniffer-computer could bring this 100% impossible to detect (but by following the cable ^^). Any idea on the network configuration I should use? – IggY – 2012-10-24T08:35:34.527
Eh, I would not be so sure that the sniffing machine is 100% non-detectable. At first make sure the sniffer is not in promiscuous mode - not necessary with a hub setup. At last (which covers all configuration) the sniffer should not respond to ANY incoming traffic. – laika – 2012-10-24T20:10:29.133
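An added check for the hub setup described in the answer and in the last comment (example code written for this page, not code from the original answer or from any commenter): it reads a capture taken on the sniffing port (classic libpcap file, Ethernet link type, as Wireshark or tcpdump can save it) and reports every frame whose Ethernet source address, or ARP sender hardware address, belongs to the sniffer's own NIC. If computer B is really silent on that port, the list is empty. The MAC and IP addresses, and the sample frames, are constructed for the demonstration; the "leaky" capture contains an ARP reply and an IPv6 multicast frame from the sniffer, which is what a port with a configured address would typically emit.

```python
import struct

# Constructed MAC addresses for the topology in the thread (hypothetical values):
# A (the monitored host), R (the router) and the sniffing NIC on computer B.
A_MAC = "00:11:22:33:44:0a"
R_MAC = "00:11:22:33:44:01"
SNIFFER_MAC = "02:00:00:00:00:0b"

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
LINKTYPE_ETHERNET = 1


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Yield (timestamp, frame) for every record of a classic libpcap file."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(e + "I", data[20:24])[0]
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {link_type}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def audit(data, sniffer_mac):
    """Return every frame that reveals the sniffer: anything it transmitted.

    Two checks: the Ethernet source address, and for ARP the sender hardware
    address in the payload (a reply or gratuitous ARP sent by the sniffer).
    Each leak is (timestamp, src_mac, dst_mac, ethertype).
    """
    target = mac_bytes(sniffer_mac.lower())
    leaks = []
    for ts, frame in parse_pcap(data):
        if len(frame) < 14:
            continue
        dst, src = frame[:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        sent_by_sniffer = src == target
        # ARP: 14-byte Ethernet header + 8 bytes of fixed fields, then sender MAC.
        if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
            sent_by_sniffer = sent_by_sniffer or frame[22:28] == target
        if sent_by_sniffer:
            leaks.append((ts, mac_str(src), mac_str(dst), ethertype))
    return leaks


def ethernet(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2)
            + mac_bytes(sender_mac) + bytes(sender_ip)
            + mac_bytes(target_mac) + bytes(target_ip))


def build_pcap(frames, endian="<"):
    """Wrap raw Ethernet frames in a classic pcap container (constructed sample data)."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack(endian + "IIII", 1350979200 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


# Constructed sample capture: ordinary A <-> R traffic as seen through the hub ...
A_TO_R = ethernet(R_MAC, A_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39)
R_TO_A = ethernet(A_MAC, R_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39)
# ... plus two frames a sniffer with a configured address would emit: an ARP
# reply for its static IP, and an IPv6 multicast frame to the all-routers group.
B_ARP_REPLY = ethernet(A_MAC, SNIFFER_MAC, ETHERTYPE_ARP,
                       arp_reply(SNIFFER_MAC, (192, 168, 1, 250), A_MAC, (192, 168, 1, 10)))
B_IPV6 = ethernet("33:33:00:00:00:02", SNIFFER_MAC, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39)

CLEAN_CAPTURE = build_pcap([A_TO_R, R_TO_A])
LEAKY_CAPTURE = build_pcap([A_TO_R, B_ARP_REPLY, R_TO_A, B_IPV6])

if __name__ == "__main__":
    for name, cap in (("clean", CLEAN_CAPTURE), ("leaky", LEAKY_CAPTURE)):
        leaks = audit(cap, SNIFFER_MAC)
        print(f"{name}: {len(leaks)} frame(s) sent by the sniffer")
        for ts, src, dst, et in leaks:
            print(f"  t={ts:.0f} {src} -> {dst} ethertype=0x{et:04x}")
```

To run it against a real capture, call `audit(open("capture.pcap", "rb").read(), "<MAC of the sniffing NIC>")`; the file must be saved in classic pcap format rather than pcapng, since the parser above only handles the classic header. Any non-empty result is a frame that a host on the segment could use to notice B.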