computers / comp.os.linux.misc / Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

Re: Ethernet switching

<sa59vt$7og$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5263&group=comp.os.linux.misc#5263
From: dan1es...@gmail.com (Dan Espen)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sun, 13 Jun 2021 11:58:53 -0400
Organization: A noiseless patient Spider
Lines: 58
Message-ID: <sa59vt$7og$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
 by: Dan Espen - Sun, 13 Jun 2021 15:58 UTC

Stéphane CARPENTIER <sc@fiat-linux.fr> writes:

> On 13-06-2021, Dan Espen <dan1espen@gmail.com> wrote:
>> Marc Haber <mh+usenetspam1118@zugschl.us> writes:
>>
>>> Dan Espen <dan1espen@gmail.com> wrote:
>>>>That's a lot of output.
>>>>I wondered if there was some easier way to look at what is going on.
>>>>Which led me to install wireshark.
>>>>Looks like it is simpler to use tcpdump.
>>>
>>> It is not. Just way more confusing for the beginner.
>>>
>>> I recommend filtering away the "noise" (using "not foo and not bar"
>>> expressions) instead of just selecting what you want to see.
>>
>> I start up wireshark, it shows me 5 interfaces, none of which make sense
>> to me. I leave them enabled, type something in the filter box.
>>
>> At this point I have no idea what to do next to see anything.
>>
>> It sure is confusing for this beginner.
>
>
> If you have systemd on your computer with the default, you should have
> an interface beginning with wlp (for wifi) or enp (for Ethernet). You
> choose the one you are using. To help you, there is the traffic seen on the
> interfaces on the right of the names. You can choose any if you want to
> see all the traffic, it will be just more noisy.
>
> If you know an http (not https) website you can do something like (I
> don't know the exact English terms in the menu) :
> Analyse -> Follow -> http stream
>
> It's very interesting to begin with.
>
> Maybe you don't encrypt your connection when you read/write the
> newsgroups and you can follow the TCP stream.

I have:

Cisco Remote Capture
Displayport AUX
systemd journal
ssh remote
UDP listener

They all seem to be selected.

I type my host name into the filter box

Select Analyse->Filter

All choices are greyed out.

--
Dan Espen

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<slrnsccb56.5vb.jj@iridium.wf32df>

https://www.novabbs.com/computers/article-flat.php?id=5264&group=comp.os.linux.misc#5264
From: jj...@franjam.org.uk (Jim Jackson)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sun, 13 Jun 2021 16:04:54 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <slrnsccb56.5vb.jj@iridium.wf32df>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa25s9$224$1@dont-email.me>
Injection-Date: Sun, 13 Jun 2021 16:04:54 -0000 (UTC)
User-Agent: slrn/1.0.3 (Linux)
 by: Jim Jackson - Sun, 13 Jun 2021 16:04 UTC

>>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>> being 192.168.0.1, and they all can "see" each other. There was no need
>>> for any "port mirroring" or other configurations after I received it.
>>
>> Usually, on a properly functioning switch, Client B cannot "see" the
>> traffic that occurs between Clients A and C despite being able to both
>> communicate with A and C.
>
> WiFi is a different beast: It is more like the original
> yellow coax cable Ethernet, where everybody heard everything
> going on the network.
>

But if you use WiFi encryption then you at least have to manage to
decrypt first - yes not impossible, but with some encryption schemes not
trivial.

Re: Ethernet switching

<slrnsccdp3.3s7.sc@scarpet42p.localdomain>

https://www.novabbs.com/computers/article-flat.php?id=5265&group=comp.os.linux.misc#5265
Newsgroups: comp.os.linux.misc
From: sc...@fiat-linux.fr (Stéphane CARPENTIER)
Subject: Re: Ethernet switching
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain> <sa59vt$7og$1@dont-email.me>
Organization: Mulots' Killer
User-Agent: slrn/1.0.3 (Linux)
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <slrnsccdp3.3s7.sc@scarpet42p.localdomain>
Date: 13 Jun 2021 16:49:39 GMT
Lines: 36
NNTP-Posting-Date: 13 Jun 2021 18:49:39 CEST
 by: Stéphane CARPENTIER - Sun, 13 Jun 2021 16:49 UTC

On 13-06-2021, Dan Espen <dan1espen@gmail.com> wrote:
> Stéphane CARPENTIER <sc@fiat-linux.fr> writes:
>
>>
>> If you have systemd on your computer with the default, you should have
>> an interface beginning with wlp (for wifi) or enp (for Ethernet). You
>> choose the one you are using. To help you, there is the traffic seen on the
>> interfaces on the right of the names. You can choose any if you want to
>> see all the traffic, it will be just more noisy.
>>
>
> I have:
>
> Cisco Remote Capture
> Displayport AUX
> systemd journal
> ssh remote
> UDP listener
>
> They all seem to be selected.

The one I have described should be above the one you have listed.

> I type my host name into the filter box
>
> Select Analyse->Filter
>
> All choices are greyed out.

Once you have selected your interface, you have to start the capture,
then you select a packet related to the flux and then you can follow the
stream.

--
If you have time to waste:
https://scarpet42.gitlab.io

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<878s3d3ddx.fsf@usenet.ankman.de>

https://www.novabbs.com/computers/article-flat.php?id=5266&group=comp.os.linux.misc#5266
From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sun, 13 Jun 2021 13:03:54 -0400
Organization: https://news-commentaries.blogspot.com/
Lines: 19
Message-ID: <878s3d3ddx.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa25s9$224$1@dont-email.me>
<sa2c4r$c2p$2@dont-email.me> <877diz3xt4.fsf@usenet.ankman.de>
<sa2k5n$ujr$4@dont-email.me> <87sg1n2byc.fsf@usenet.ankman.de>
<sa4gbi$g52$1@dont-email.me> <87mtrt3mi8.fsf@usenet.ankman.de>
<slrnscc94u.3s7.sc@scarpet42p.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
 by: Andreas Kohlbach - Sun, 13 Jun 2021 17:03 UTC

On 13 Jun 2021 15:30:38 GMT, Stéphane CARPENTIER wrote:

[...]

> The WPA is only taking care of what's going on between your laptop and
> your box. So everything you send from your laptop is encrypted between
> your laptop and your box by the WPA.
>
> After the packets left your box, it depends. If you put a VPN,
> everything will be encrypted between your computer and the end of your
> VPN. If you have nothing special, the ping won't be encrypted any longer
> except on some parts of the way which can be encrypted. The https will
> be encrypted from beginning to end whatever the rest.

That's about what I wanted to say.
--
Andreas

PGP fingerprint 952B0A9F12C2FD6C9F7E68DAA9C2EA89D1A370E0

Re: Ethernet switching

<sa5ehf$9i4$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5267&group=comp.os.linux.misc#5267
From: dan1es...@gmail.com (Dan Espen)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sun, 13 Jun 2021 13:16:31 -0400
Organization: A noiseless patient Spider
Lines: 41
Message-ID: <sa5ehf$9i4$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain>
<sa59vt$7og$1@dont-email.me>
<slrnsccdp3.3s7.sc@scarpet42p.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
 by: Dan Espen - Sun, 13 Jun 2021 17:16 UTC

Stéphane CARPENTIER <sc@fiat-linux.fr> writes:

> On 13-06-2021, Dan Espen <dan1espen@gmail.com> wrote:
>> Stéphane CARPENTIER <sc@fiat-linux.fr> writes:
>>
>>>
>>> If you have systemd on your computer with the default, you should have
>>> an interface beginning with wlp (for wifi) or enp (for Ethernet). You
>>> choose the one you are using. To help you, there is the traffic seen on the
>>> interfaces on the right of the names. You can choose any if you want to
>>> see all the traffic, it will be just more noisy.
>>>
>>
>> I have:
>>
>> Cisco Remote Capture
>> Displayport AUX
>> systemd journal
>> ssh remote
>> UDP listener
>>
>> They all seem to be selected.
>
> The one I have described should be above the one you have listed.
>
>> I type my host name into the filter box
>>
>> Select Analyse->Filter
>>
>> All choices are greyed out.
>
> Once you have selected your interface, you have to start the capture,
> then you select a packet related to the flux and then you can follow the
> stream.

Wireshark seems to be more aware when started as root.
Still haven't displayed anything interesting with it,
I think I need to explore it more.

--
Dan Espen

Re: Ethernet switching

<sa5h3i$1km$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5268&group=comp.os.linux.misc#5268
From: tauno.vo...@notused.fi.invalid (Tauno Voipio)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sun, 13 Jun 2021 21:00:15 +0300
Organization: A noiseless patient Spider
Lines: 70
Message-ID: <sa5h3i$1km$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain> <sa59vt$7og$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 13 Jun 2021 18:00:18 -0000 (UTC)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <sa59vt$7og$1@dont-email.me>
Content-Language: en-GB
 by: Tauno Voipio - Sun, 13 Jun 2021 18:00 UTC

On 13.6.21 18.58, Dan Espen wrote:
> Stéphane CARPENTIER <sc@fiat-linux.fr> writes:
>
>> On 13-06-2021, Dan Espen <dan1espen@gmail.com> wrote:
>>> Marc Haber <mh+usenetspam1118@zugschl.us> writes:
>>>
>>>> Dan Espen <dan1espen@gmail.com> wrote:
>>>>> That's a lot of output.
>>>>> I wondered if there was some easier way to look at what is going on.
>>>>> Which led me to install wireshark.
>>>>> Looks like it is simpler to use tcpdump.
>>>>
>>>> It is not. Just way more confusing for the beginner.
>>>>
>>>> I recommend filtering away the "noise" (using "not foo and not bar"
>>>> expressions) instead of just selecting what you want to see.
>>>
>>> I start up wireshark, it shows me 5 interfaces, none of which make sense
>>> to me. I leave them enabled, type something in the filter box.
>>>
>>> At this point I have no idea what to do next to see anything.
>>>
>>> It sure is confusing for this beginner.
>>
>>
>> If you have systemd on your computer with the default, you should have
>> an interface beginning with wlp (for wifi) or enp (for Ethernet). You
>> choose the one you are using. To help you, there is the traffic seen on the
>> interfaces on the right of the names. You can choose any if you want to
>> see all the traffic, it will be just more noisy.
>>
>> If you know an http (not https) website you can do something like (I
>> don't know the exact English terms in the menu) :
>> Analyse -> Follow -> http stream
>>
>> It's very interesting to begin with.
>>
>> Maybe you don't encrypt your connection when you read/write the
>> newsgroups and you can follow the TCP stream.
>
> I have:
>
> Cisco Remote Capture
> Displayport AUX
> systemd journal
> ssh remote
> UDP listener
>
> They all seem to be selected.
>
> I type my host name into the filter box
>
> Select Analyse->Filter
>
> All choices are greyed out.

It seems that you do not have the rights to capture
from a real interface. The listed things are all
remote capture helpers.

Please read the Wireshark instructions at:
<https://wiki.wireshark.org/CaptureSetup/CapturePrivileges>

You do need root privileges to set up the capture rights.

--

-TV

Re: Ethernet switching

<slrnsccit5.3s7.sc@scarpet42p.localdomain>

https://www.novabbs.com/computers/article-flat.php?id=5269&group=comp.os.linux.misc#5269
Newsgroups: comp.os.linux.misc
From: sc...@fiat-linux.fr (Stéphane CARPENTIER)
Subject: Re: Ethernet switching
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain> <sa59vt$7og$1@dont-email.me>
<slrnsccdp3.3s7.sc@scarpet42p.localdomain> <sa5ehf$9i4$1@dont-email.me>
Organization: Mulots' Killer
User-Agent: slrn/1.0.3 (Linux)
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <slrnsccit5.3s7.sc@scarpet42p.localdomain>
Date: 13 Jun 2021 18:17:09 GMT
Lines: 17
NNTP-Posting-Date: 13 Jun 2021 20:17:09 CEST
 by: Stéphane CARPENTIER - Sun, 13 Jun 2021 18:17 UTC

On 13-06-2021, Dan Espen <dan1espen@gmail.com> wrote:
>
> Wireshark seems to be more aware when started as root.

Sorry, I forgot. There are two reasons to use wireshark. Either to look
at what has been captured by someone else. In this case there is no need
to have root privileges.

The other way is to capture network traffic. And for that, you need root
privileges but it's a bad idea to launch it as root (it should tell you
so). Because if there is a bug, it's a real security breach. So, the
better way is to add your user to the group wireshark instead of
launching it as root.

--
If you have time to waste:
https://scarpet42.gitlab.io

Re: Ethernet switching

<op.04xu00gna3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/computers/article-flat.php?id=5270&group=comp.os.linux.misc#5270
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sun, 13 Jun 2021 14:30:26 -0400
Organization: A noiseless patient Spider
Lines: 20
Message-ID: <op.04xu00gna3w0dxdave@hodgins.homeip.net>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain> <sa59vt$7og$1@dont-email.me>
<sa5h3i$1km$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8bit
User-Agent: Opera Mail/12.16 (Linux)
 by: David W. Hodgins - Sun, 13 Jun 2021 18:30 UTC

On Sun, 13 Jun 2021 14:00:15 -0400, Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
> It seems that you do not have the rights to capture
> from a real interface. The listed things are all
> remote capture helpers.
>
> Please read the Wireshark instructions at:
> <https://wiki.wireshark.org/CaptureSetup/CapturePrivileges>
>
> You do need root privileges to set up the capture rights.

Note that wireshark can capture traffic if the user running it is in the right
group (usually also called wireshark).

And don't forget to logout/in for any changes to group membership to take effect.

Regards, Dave Hodgins

--
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.
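The advice in the last few posts (give the account the capture group instead of running Wireshark as root, and log out and in again before the new group shows up in a session) as an added shell check; it is not part of the thread. It assumes the Debian-style setup in which dumpcap carries cap_net_raw/cap_net_admin file capabilities and the capture group is named wireshark; the path /usr/bin/dumpcap is an assumption as well.

```shell
#!/bin/sh
# Added example, not from the thread: explain why a non-root user cannot
# capture in Wireshark. Assumed layout (Debian-style wireshark-common):
# dumpcap has file capabilities and is only executable by group "wireshark".

DUMPCAP=/usr/bin/dumpcap   # assumed location of the capture helper
CAPGROUP=wireshark         # assumed name of the capture group

# has_word WORD "LIST": succeed when WORD appears in the space-separated LIST.
has_word() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# capture_state "SESSION_GROUPS" "DATABASE_GROUPS" "DUMPCAP_CAPS"
#   SESSION_GROUPS:  groups of the running session         (id -nG)
#   DATABASE_GROUPS: groups recorded for the account now   (id -nG "$USER")
#   DUMPCAP_CAPS:    getcap output for dumpcap, "" when it has no capabilities
# Prints exactly one of: ok, relogin, not-in-group, no-caps
capture_state() {
    session=$1
    database=$2
    caps=$3
    # Without cap_net_raw dumpcap cannot open a raw socket, group or not
    # (setups that make dumpcap setuid root instead are not handled here).
    case $caps in
        *cap_net_raw*) ;;
        *) echo no-caps; return 0 ;;
    esac
    if has_word "$CAPGROUP" "$session"; then
        echo ok
    elif has_word "$CAPGROUP" "$database"; then
        # The group was added to the account after this session started:
        # supplementary groups are fixed at login, so log out and in again.
        echo relogin
    else
        echo not-in-group
    fi
}

# Live check on this host. getcap comes from the libcap tools; when it is
# missing or dumpcap has no capabilities the third argument is empty.
check_this_host() {
    caps=$(getcap "$DUMPCAP" 2>/dev/null || true)
    capture_state "$(id -nG)" "$(id -nG "$(id -un)")" "$caps"
}

# Only probe the real system when asked to, so the functions above can be
# sourced or tested with constructed inputs.
if [ "${1-}" = "--run" ]; then
    check_this_host
fi
```

Run it as `sh capture_check.sh --run`; the states map to the fixes in the thread: `not-in-group` needs root once (`usermod -aG wireshark user`), `relogin` needs a fresh login, `no-caps` means the capabilities were never set on dumpcap.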

Re: Ethernet switching

<sa5nkn$5bk$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=5271&group=comp.os.linux.misc#5271
From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sun, 13 Jun 2021 21:51:51 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <sa5nkn$5bk$1@news1.tnib.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de> <sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me> <60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me> <sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me> <sa4oh8$9el$1@news1.tnib.de> <60c60edf$0$3725$426a74cc@news.free.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 13 Jun 2021 19:51:51 -0000 (UTC)
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Sun, 13 Jun 2021 19:51 UTC

Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>I am not going to explain networking from scratch, but I will try to
>elaborate a bit on my initial answer.

You did that well. I would not have been able to find this degree of
terseness while still staying on this side of invalid simplification.
Kudos.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Ethernet switching

<sa7k9j$4n9$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5272&group=comp.os.linux.misc#5272
From: tauno.vo...@notused.fi.invalid (Tauno Voipio)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Mon, 14 Jun 2021 16:06:57 +0300
Organization: A noiseless patient Spider
Lines: 29
Message-ID: <sa7k9j$4n9$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa2mmg$ju7$2@dont-email.me> <sa2rmr$lv7$1@dont-email.me>
<sa4ojm$9fa$1@news1.tnib.de> <sa50fr$ako$1@dont-email.me>
<slrnscc9us.3s7.sc@scarpet42p.localdomain> <sa59vt$7og$1@dont-email.me>
<sa5h3i$1km$1@dont-email.me> <op.04xu00gna3w0dxdave@hodgins.homeip.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 14 Jun 2021 13:06:59 -0000 (UTC)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <op.04xu00gna3w0dxdave@hodgins.homeip.net>
Content-Language: en-GB
 by: Tauno Voipio - Mon, 14 Jun 2021 13:06 UTC

On 13.6.21 21.30, David W. Hodgins wrote:
> On Sun, 13 Jun 2021 14:00:15 -0400, Tauno Voipio
> <tauno.voipio@notused.fi.invalid> wrote:
>> It seems that you do not have the rights to capture
>> from a real interface. The listed things are all
>> remote capture helpers.
>>
>> Please read the Wireshark instructions at:
>> <https://wiki.wireshark.org/CaptureSetup/CapturePrivileges>
>>
>> You do need root privileges to set up the capture rights.
>
> Note that wireshark can capture traffic if the user running it is in the
> right
> group (usually also called wireshark).
>
> And don't forget to logout/in for any changes to group membership to
> take effect.
>
> Regards, Dave Hodgins
>

Root privileges are needed here, too: adding a group
to a user needs root privileges.

--

-TV

Re: Ethernet switching

<sa7vvi$18a$4@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5273&group=comp.os.linux.misc#5273
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Mon, 14 Jun 2021 17:26:26 +0100
Organization: A little, after lunch
Lines: 34
Message-ID: <sa7vvi$18a$4@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de> <sa2mdl$hfp$1@dont-email.me>
<sa4oh8$9el$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 14 Jun 2021 16:26:26 -0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:M7cTKhH4AWtpqG7NfRJLW9W9WAU=
In-Reply-To: <sa4oh8$9el$1@news1.tnib.de>
Content-Language: en-GB
 by: The Natural Philosop - Mon, 14 Jun 2021 16:26 UTC

On 13/06/2021 12:00, Marc Haber wrote:
> Dan Espen <dan1espen@gmail.com> wrote:
>> Marc Haber <mh+usenetspam1118@zugschl.us> writes:
>>
>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>> I see you don't understand basic networking
>>>>
>>>> When you do, please respond intelligently
>>>
>>> Pascal is right, and my upbringing forbids me to say what I think
>>> about you.
>>
>> He may be right, but it would be nice if he gave some hints so some of us
>> could learn something.
>
> The problem is that TNP's musings are so absurd that it would need to
> write a textbook way beyond any tl;dr to properly explain that. TNP
> has got all those pesky little network layers mixed up that one would
> need to start from Adam and Eve to properly explain that.
>
Nice ad hominem and get-out clause.
But no alternative explanation given.

> Greetings
> Marc
>

--
"If you don't read the newspaper, you are un-informed. If you read the
newspaper, you are mis-informed."

Mark Twain

Re: Ethernet switching

<sa8044$18a$5@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5274&group=comp.os.linux.misc#5274

Newsgroups: comp.os.linux.misc
From: tnp...@invalid.invalid (The Natural Philosopher)
Subject: Re: Ethernet switching
Date: Mon, 14 Jun 2021 17:28:52 +0100
Organization: A little, after lunch
Message-ID: <sa8044$18a$5@dont-email.me>
In-Reply-To: <60c60edf$0$3725$426a74cc@news.free.fr>
 by: The Natural Philosop - Mon, 14 Jun 2021 16:28 UTC

On 13/06/2021 14:57, Pascal Hambourg wrote:
> On 13/06/2021 at 13:00, Marc Haber wrote:
>> Dan Espen <dan1espen@gmail.com> wrote:
>>>
>>> He may be right, but it would be nice if he gave some hints so some
>>> of us could learn something.
>
> Of course. My apologies for the laconic answer. I had no time for a more
> complete answer and just wanted to prevent anyone from learning
> something wrong, hoping that someone else may add clarifications.
>
>> The problem is that TNP's musings are so absurd that it would need to
>> write a textbook way beyond any tl;dr to properly explain that. TNP
>> has got all those pesky little network layers mixed up that one would
>> nee to start from Adam and Eve to properly explain that.
>
> I am not going to explain networking from scratch, but I will try to
> elaborate a bit on my initial answer.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well, you have been completely unsuccessful so far.

--
"If you don't read the newspaper, you are un-informed. If you read the
newspaper, you are mis-informed."

Mark Twain

Re: Ethernet switching

<60c79679$0$32507$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5275&group=comp.os.linux.misc#5275

Newsgroups: comp.os.linux.misc
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Subject: Re: Ethernet switching
Date: Mon, 14 Jun 2021 19:48:41 +0200
Organization: Guest of ProXad - France
Message-ID: <60c79679$0$32507$426a74cc@news.free.fr>
In-Reply-To: <sa8044$18a$5@dont-email.me>
 by: Pascal Hambourg - Mon, 14 Jun 2021 17:48 UTC

On 14/06/2021 at 18:28, The Natural Philosopher wrote:
> On 13/06/2021 14:57, Pascal Hambourg wrote:
>>
>> I am not going to explain networking from scratch, but I will try to
>> elaborate a bit on my initial answer.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Well, you have been completely unsuccessful so far.

Feel free to ask for any missing clarifications.

Re: Ethernet switching

<op.04zq3gkva3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/computers/article-flat.php?id=5276&group=comp.os.linux.misc#5276

Newsgroups: comp.os.linux.misc
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Subject: Re: Ethernet switching
Date: Mon, 14 Jun 2021 15:00:42 -0400
Organization: A noiseless patient Spider
Message-ID: <op.04zq3gkva3w0dxdave@hodgins.homeip.net>
 by: David W. Hodgins - Mon, 14 Jun 2021 19:00 UTC

On Mon, 14 Jun 2021 09:06:57 -0400, Tauno Voipio <tauno.voipio@notused.fi.invalid> wrote:
> Root privileges are needed here, too: adding a group
> for a user needs root privileges.

That user doesn't need to have the root privilege. They just have to convince
whoever does to make the change for them.

Regards, Dave Hodgins

--
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<fkagcg9gt6jpt88mt3ouun7bkrfhd1edrt@4ax.com>

https://www.novabbs.com/computers/article-flat.php?id=5284&group=comp.os.linux.misc#5284

Newsgroups: comp.os.linux.misc
From: M287v1.c...@nowhere (Margin)
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Tue, 15 Jun 2021 00:36:21 -0400
Message-ID: <fkagcg9gt6jpt88mt3ouun7bkrfhd1edrt@4ax.com>
 by: Margin - Tue, 15 Jun 2021 04:36 UTC

On Sun, 13 Jun 2021 09:46:42 +0100, The Natural Philosopher
<tnp@invalid.invalid> wrote:

> On 13/06/2021 05:51, Margin wrote:
>> On Sat, 12 Jun 2021 13:26:08 +0100, The Natural Philosopher
>> <tnp@invalid.invalid> wrote:
>>
>>> On 12/06/2021 12:03, Marc Haber wrote:
>>>>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>>>> being 192.168.0.1, and they all can "see" each other. There was no need
>>>>> for any "port mirroring" or other configurations after I received it.
>>>> Usually, on a properly functioning switch, Client B cannot "see" the
>>>> traffic that occurs between Clients A and C despite being able to both
>>>> communicate with A and C.
>>>
>>> It all depends what you mean by 'see'...
>>>
>>> Switches will only relay packets to MAC addresses known to be on a given
>>> segment.
>>
>> Well, this is part of the problem ... "optimization" has
>> become a vulnerability. No one PC sees ALL the traffic
>> on the intranet.
>>
> I think that it has reduced vulnerabilities immensely as well as
> improving speeds dramatically
>
> It just makes your situation very hard to tackle.
>
>
>> Try Wireshark or equivalent - YOUR box will NOT see
>> everything going on.
>>
>> So, since I can't buy a gigabit+ HUB that ALL the traffic
>> passes through, the only solution seems to be to MAKE
>> one from scratch - and monitor from that. The hardware
>> requirements are not too high, one notch above a rPi4,
>> but the software might be a bit of a trick. SuperMicro
>> sells a dynamite "micro-server" board (does all KINDS
>> of stuff) that'd be perfect - you can even get it pre-boxed.
>>
>> Basically, you need one "hub" that EVERYTHING has to
>> pass through for every LAN segment. If it's a small office
>> there will probably be only one segment ... 192.168.0.0/24
>> or whatever.
>>
> Thus crippling performance.

But not NEARLY as "crippling" as a ransomware attack.

In short - CHOOSE !

I have researched my problem and it IS "switches". They
hide a lot of network traffic. "Performance" is better, but
resistance to an outright deliberate attack is reduced.

You know, with gigabit-n-better ethernet, I can AFFORD a
small performance hit.

What's required is a MANAGED switch right in front of every
NAS box. You turn OFF MAC-learning basically turning the
thing into a conventional old-time "hub". Then all ports see
ALL the traffic. Plug a monitor into said hubs and record the
SMB/CIFS traffic. A Pi can do it.

>> So, what am I looking at .... CableModem -> firewall/router ->
>> "Hub" -> various switches ? The "central" distribution device
>> has to be the faux Hub - ALL traffic has to pass through it
>> with minimal slowdown.
>>
> buy a managed hub that *will* allow port mirroring and traffic
> monitoring. I am sure such exist.

I already ordered some. I see the problem and AM going
to fix it. You should too.

The performance hit can be greatly reduced by WHERE you
place the neo-"hubs". Ransomware will aim at public shares,
where your users store most of their files (easy to back up).
If it's a mapped drive or a faux-"drive" in Windows, that's the
path ransomware will take to do the most damage most
quickly.

So, put your "hub" as the last thing before your NAS boxes.
Record SMB traffic coming to THOSE boxes. By profiling it
the attacking box WILL be obvious and it can be thoroughly
purified - oxyacetylene might be appropriate ....

Oh, and NO software that "pushes" updates (and ransomware)
to all boxes at once. Convenience KILLS these days. New world.
Assume the worst. Adapt or die.
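Margin's plan of recording the SMB traffic that reaches the NAS and profiling it per client can be turned into a simple detector; this is an added Python example, not code from the thread, and it assumes a simplified record format (timestamp, client IP, SMB operation, path, optional new path) rather than any real capture tool's output.

```python
"""Per-client profile of SMB write/rename activity seen by a tap in front of
a NAS, to single out the host acting like an encryptor. Added example, not
from the thread; (ts, client_ip, op, path[, new_path]) is an assumed format."""
from collections import defaultdict
from dataclasses import dataclass
import os

@dataclass
class ClientProfile:
    writes: int = 0
    renames: int = 0
    ext_changes: int = 0    # renames that change the file extension
    first: float = -1.0     # timestamp of first op (-1 = none yet)
    last: float = 0.0       # timestamp of last op
    def ops_per_minute(self):
        span = max(self.last - self.first, 1.0)   # floor at one second
        return (self.writes + self.renames) * 60.0 / span

def profile(records):
    profiles = defaultdict(ClientProfile)   # one profile per client IP
    for rec in records:
        ts, client, op, path = rec[:4]
        p = profiles[client]
        p.first = ts if p.first < 0 else p.first
        p.last = ts
        if op == "WRITE":
            p.writes += 1
        elif op == "RENAME":
            p.renames += 1
            if os.path.splitext(path)[1] != os.path.splitext(rec[4])[1]:
                p.ext_changes += 1
    return profiles

def suspects(profiles, min_ops_per_min=60.0, min_ext_changes=5):
    """Clients over both thresholds (assumed values; tune against a quiet-day baseline)."""
    return sorted(c for c, p in profiles.items()
                  if p.ops_per_minute() >= min_ops_per_min
                  and p.ext_changes >= min_ext_changes)

def sample_records():
    """Constructed traffic: an ordinary user, plus one host that renames
    every file it touches to a new extension within seconds."""
    recs = [(0.0, "192.168.0.105", "WRITE", "/share/a.docx"),
            (30.0, "192.168.0.105", "RENAME", "/share/a.docx", "/share/a2.docx"),
            (45.0, "192.168.0.105", "WRITE", "/share/b.xlsx")]
    for i in range(20):
        t, f = 100.0 + i * 0.5, f"/share/doc{i}.docx"
        recs.append((t, "192.168.0.107", "WRITE", f))
        recs.append((t + 0.1, "192.168.0.107", "RENAME", f, f + ".locked"))
    return recs
```

`suspects(profile(sample_records()))` returns `['192.168.0.107']`: the ordinary user's three operations in 45 seconds never approach the thresholds, while the host rewriting twenty files to `.locked` in under ten seconds does.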
