1. Home
  2. pfSense® Software
  3. Wireless
  4. How do you capture Subnetwork packets in Pfsense ?

How do you capture Subnetwork packets in Pfsense ?

  • U

    Hello ,

    I have a pfSense installed as a Router in my local network  & am able to trace all the ip passing through LAN or wlan in my local network. but how can i trace the traffic of subnets under my local network. ?

    Architecture :- Let me explain my architecture to you, I have a local network of 192.168.1.0/24 and I can monitor all the LAN/WLAN traffic of this network. Now Let us suppose if a user with ip 192.168.1.10 makes a hotspot/wifi using his system and creates a subnetwork of 10.10.2.0/24 range. So,will I be able to detect the traffic/Packets of this subnetwork which is created by making hotspots. ?

    Thanks in Advance

    0
  • C

    @user5901:

    Now Let us suppose if a user with ip 192.168.1.10 makes a hotspot/wifi using his system and creates a subnetwork of 10.10.2.0/24 range. So,will I be able to detect the traffic/Packets of this subnetwork which is created by making hotspots. ?

    In that circumstance the 10.10.2 won't be visible beyond that client itself, as it'll NAT everything to 192.168.1.10. On your network, it looks like a single device.

    0
  • johnpoz
    LAYER 8 Global Moderator

    Are you asking how to detect downstream NATs that are using multiple clients?  Normally this is done by looking at the TTL of the traffic coming from the hosts..  Since any nat routers, even pfsense normally removes 1 from the TTL value.

    So windows for example normally sends packets with TTL of 128, if your seeing packets at pfsense with TTL of 127, then that packet went through a router(hop) that did or did not do nat..  You could do this automatically with switch before pfsense sending sflow to some sort of analyzer that was looking for this and logging/alerting on it.

    You could also use some form of OS fingerprinting on the traffic and looking at other details in the traffic look for something that points to different OSes being used from the same IP at the same time.  Since it is possible to configure your router not to decrement the TTL if your trying to hide your NAT…  Have done this back in the day when some ISPs where saying you could only have 1 device connected, etc..

    Do a simple google for nat discovery/detection

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy