
Detecting traffic on network.

  • 14-04-2008 5:34pm
    #1
    Moderators, Recreation & Hobbies Moderators Posts: 10,912 Mod ✭✭✭✭


    How can I tell if someone is using my open wifi network with p2p software?

    The network is open for several reasons but recently I've noticed extra traffic on it and my log files look something like this :


    UDP 192.168.1.145 28379 c83-252-25-224.bredband.comhem.se (83.252.25.224) 25241 Unclassified
    TCP 192.168.1.145 50790 77.247.176.151 (77.247.176.151) 80 Unclassified
    TCP 192.168.1.145 50728 82-171-13-230.ip.telfort.nl (82.171.13.230) 6688 Unclassified
    TCP 192.168.1.145 50764 dsl-tkubrasgw1-fed6de00-162.dhcp.inet.fi (80.222.214.162) 49044 Unclassified
    TCP 192.168.1.145 50775 c83-248-209-80.bredband.comhem.se (83.248.209.80) 15850 Unclassified
    UDP 192.168.1.145 28379 85.103.118.217 (85.103.118.217) 58446 Unclassified
    TCP 192.168.1.145 50791 ANantes-257-1-149-248.w90-32.abo.wanadoo.fr (90.32.60.248) 3001 Unclassified
    TCP 192.168.1.145 50280 ip70-162-236-168.ph.ph.cox.net (70.162.236.168) 56522 Unclassified
    TCP 192.168.1.145 50738 dsl88.230-16848.ttnet.net.tr (88.230.65.208) 23672 Unclassified
    TCP 192.168.1.145 50759 adsl-71-131-206-136.dsl.sntc01.pacbell.net (71.131.206.136) 58907 Unclassified
    TCP 192.168.1.145 50781 77.247.176.134 (77.247.176.134) 80 Unclassified
    TCP 192.168.1.145 50795 c83-254-151-200.bredband.comhem.se (83.254.151.200) 27125 Unclassified
    TCP 192.168.1.145 50798 84-104-72-246.cable.quicknet.nl (84.104.72.246) 12500 Unclassified
    TCP 192.168.1.145 50456 92.80.30.228 (92.80.30.228) 54304 Unclassified
    TCP 192.168.1.145 50802 ip68-107-154-37.hr.hr.cox.net (68.107.154.37) 41620 Unclassified
    TCP 192.168.1.145 50707 ip-83-134-151-81.dsl.scarlet.be (83.134.151.81) 45682 Unclassified


    And so many connections open at once to so many different locations and ports seems like p2p doesn't it?

    I have a WRT54GL router and tomato firmware (which allows me to access logs). I can close ports and such no problem but would like to know what the traffic is first.

    Any help?


Comments

  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    It looks like p2p traffic alright. What device is the IP 192.168.1.145 associated with? If you know what hardware you have get the IP addresses of each piece of hardware and if none of your hardware has the .145 address then you know someone is taking advantage of your connection.

    Turn on encryption on your router; why on earth would someone operate an open AP anyway?


  • Moderators, Recreation & Hobbies Moderators Posts: 10,912 Mod ✭✭✭✭Ponster


    It's an open AP and needs to stay that way.

    192.168.1.145 I'm guessing is the IP associated with the new laptop that the upstairs lady bought for her granddaughter's birthday. It's only appeared since last week and is the only address out of 5 or 6 that's producing this type of log.

    Thx for your answer.


  • Registered Users, Registered Users 2 Posts: 1,175 ✭✭✭srdb20


    Surely you can block all ports and merely have the ones you require open,

    80, 443, etc.......???

    Just a thought!!!


  • Moderators, Recreation & Hobbies Moderators Posts: 10,912 Mod ✭✭✭✭Ponster


    Yes, I guess I could but I will also get calls from the neighbours every time someone installs a game or piece of software that is blocked by the firewall/router and the idea is to make things as simple for me to manage as possible.

    It could be worth doing and sorting out what needs to be opened on a day-by-day basis.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    If someone was to share 300 songs on their machine, you'll be the first port of call, as it's from your router that the 300 songs are being shared from.

    From your posts on this thread, it would seem that the neighbours are allowed to use your broadband, but have you considered looking into throttling the "official" ports that are used by p2p software?


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    Couple of options.

    1. I did this as I'm a Nazi and no one listened to me when I did 2

    Block all ports except TCP: 80,443,110,553,995,465,25,23,53
    Block all UDP traffic except: 53

    Only open services up as requested!


    2. Complain

    3. Watch the logs and use a sniffer like Wireshark to compile a list of trackers and block them. (Let one tracker in and it's all over.)

    4. An OpenDNS account will let you block bandwidth-hogging sites using their interface. Make sure you block DNS requests not handled by the router. Can be quite effective with minimal effort.

    5. Threaten action. Block MAC addresses of anyone you see hitting a tracker for a day. (Requires effort.)


    The answer to your actual question is Wireshark with ettercap under Linux on the wired interface (using ARP poisoning)


  • Moderators, Recreation & Hobbies Moderators Posts: 10,912 Mod ✭✭✭✭Ponster


    Cheers all !

    For info it's a community DSL service which is in my name today but is being transferred to a 'community' account (which was supposed to be done weeks ago). Once it's not in my name I couldn't care less who downloads what but until the paperwork is done I either cut everyone (always an option as it is still my Inet connection) or filter the traffic (as unobtrusively as possible).

    If I knew that the papers get signed this week then I wouldn't be bothered my arse but this being France it'll probably take a while longer.

    the_syco, I've looked at the logs and it seems that it's only one person and they don't seem to be using the same port each time. I'll just allow them a max of 5kb/sec and they'll soon give up.

    JimmyCrackCorn!, I thought that Wireshark would only sniff the traffic on my PC's wireless connection as opposed to the traffic between the router and the other clients on the LAN? Either way, thanks for the help !


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    Ponster wrote: »
    JimmyCrackCorn!, I thought that Wireshark would only sniff the traffic on my PC's wireless connection as opposed to the traffic between the router and the other clients on the LAN? Either way, thanks for the help !

    That's where ettercap comes in as it redirects traffic. Under Windows you can forget sniffing wireless as it either costs money for hardware or plain doesn't work. The wireless card probably won't work under Linux. What I suggested will work 99.9pc of the time.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Thought of traffic-shaping/QoS? A guide for Tomato is here


  • Registered Users, Registered Users 2 Posts: 1,175 ✭✭✭srdb20


    Ponster wrote: »
    Cheers all !
    the_syco, I've looked at the logs and it seems that it's only one person and they don't seem to be using the same port each time. I'll just allow them a max of 5kb/sec and they'll soon give up.

    Just because it is not using the same port each time does not mean that it is not P2P.

    Any P2P program has the option for you to statically assign the port you wish to use or choose a random port every time it starts up.

    The above is just a caveat, as if the router was in my name and I had even a hint of P2P sharing on it I would definitely block it; you have no idea what they could be sharing, etc...!!!!!


  • Moderators, Recreation & Hobbies Moderators Posts: 10,912 Mod ✭✭✭✭Ponster


    Though if you look at the trace that I posted in my OP the source port and destination port on each line is different. If it was P2P (which I think it is) wouldn't the port on the destination side be the same at least until the program is started again?


  • Registered Users, Registered Users 2 Posts: 1,175 ✭✭✭srdb20


    It would be the same if it was a direct connection to one machine, but with P2P you would most likely be pulling bits from several sources with different ports open!!!
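
An added example, not part of any post in the thread: a Python sketch that applies the fan-out reasoning discussed above (one LAN host, many distinct peers, mostly high destination ports) to a router connection log in the column layout of the one posted. The sample log, the thresholds and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log layout: proto, LAN IP, LAN port,
# remote name (remote IP), remote port, class. Remote IPs are documentation ranges.
SAMPLE_LOG = """\
UDP 192.168.1.145 28379 peer1.example (203.0.113.10) 25241 Unclassified
TCP 192.168.1.145 50728 peer2.example (203.0.113.22) 6688 Unclassified
TCP 192.168.1.145 50764 peer3.example (198.51.100.7) 49044 Unclassified
UDP 192.168.1.145 28379 198.51.100.99 (198.51.100.99) 58446 Unclassified
TCP 192.168.1.145 50790 203.0.113.80 (203.0.113.80) 80 Unclassified
TCP 192.168.1.145 50791 peer4.example (198.51.100.41) 3001 Unclassified
TCP 192.168.1.20 41200 www.example (192.0.2.5) 443 Unclassified
TCP 192.168.1.20 41201 www.example (192.0.2.5) 443 Unclassified
TCP 192.168.1.20 41202 mail.example (192.0.2.9) 995 Unclassified
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+)\s+(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+(\d+)\s+\S+$"
)

def summarize(log_text):
    """Per LAN host: distinct peers, flows to ports >= 1024, total flows, UDP port fan-out."""
    stats = defaultdict(lambda: {"peers": set(), "high": 0, "flows": 0,
                                 "udp": defaultdict(set)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate headers, blanks and truncated lines
        proto, src, sport, dst, dport = m.groups()
        s = stats[src]
        s["flows"] += 1
        s["peers"].add(dst)
        s["high"] += int(dport) >= 1024
        if proto == "UDP":
            s["udp"][int(sport)].add(dst)  # one local UDP port talking to many peers
    return stats

def p2p_like_hosts(log_text, min_peers=5, min_high_ratio=0.6):
    """Heuristic with assumed thresholds: many distinct peers, mostly on high ports."""
    flagged = {}
    for src, s in summarize(log_text).items():
        ratio = s["high"] / s["flows"]
        if len(s["peers"]) >= min_peers and ratio >= min_high_ratio:
            shared = sorted(p for p, d in s["udp"].items() if len(d) > 1)
            flagged[src] = {"peers": len(s["peers"]), "high_ratio": round(ratio, 2),
                            "shared_udp_ports": shared}
    return flagged
```

A flagged host is a candidate for a closer look or for rate limiting, not proof of P2P; the thresholds need tuning against the normal traffic on the network.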

