How to get a list of IP addresses connected to a WISP homebroadband router?

Discussion in 'Wireless Internet' started by Clément Durand, Aug 9, 2014.

  1. How do I find what machines are connected & their traffic?

    I can log into my ubiquiti Rocket M2 radio from Linux using:
    $ ssh -l ubnt <IP ADDRESS>

    Once in the "ash" shell, I see this:
    BusyBox v1.11.2 (2013-05-28 17:52:06 EEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    XM.v5.5.6#

    Typing "help", I get these commands only:
    Built-in commands:
    -------------------
    . : [ [[ alias bg break cd chdir command continue echo eval exec
    exit export false fg getopts hash help jobs kill let local printf
    pwd read readonly return set shift source test times trap true
    type ulimit umask unalias unset wait

    I know the IP address of the home broadband router (192.168.1.100) which
    is connected to the radio, but my first question is how I would find that
    router IP address if I didn't already know it?

    "route -n" doesn't seem to report the router (which is 192.168.1.100):
    XM.v5.5.6# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    10.50.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ath0
    0.0.0.0 10.50.0.1 0.0.0.0 UG 0 0 0 ath0

    My next question is the more important one.

    How do I find the IP addresses of the machines that are connected *to*
    that router? And how do I find their traffic?

    I tried "netstat -n", "ifconfig", etc., but none tell me the IP addresses
    connected to the home broadband router, nor their traffic IP addresses.

    Any ideas how to get a list of the IP addresses connected to the home
    broadband router?
     
    Clément Durand, Aug 9, 2014
    #1

  2. Hopefully you can add more commands than those it says you have. I use
    curl for this:

    $ curl -s icanhazip.com

    Something would need to be monitoring such a thing so you could recall
    that logged data.

    I use nmap for this. And I am assuming you would just scan whatever the
    particular network happens to be. My internal network is 192.168.1.0/24
    for example. So I'd see what is on it with nmap:

    # nmap -sn 192.168.1.0/24

    You can download a fun little script I put together with the help of a
    few friends on the Ubuntu group. It shows various info about your
    machine using common commands.

    You can download it here: https://app.box.com/s/0f9w4j1f3xr4nawe99yb

    and the code is posted below in case you want to skim it.

    #!/bin/bash
    #############################################
    #
    # Name : linfo
    # Version : 1.7
    # About : Simple System Information
    # Updated : 2014-AUG-02
    #
    # Written by : Marek Novotny
    # Contributors : Chris Davies
    # Contributors : Jonathan N. Little
    # Contributors : Bit Twister
    #
    #############################################

    # version info
    Ver='1.7'
    VDate='2014-AUG-02'

    # user info
    HostName=$(hostname --short)
    UserName=$(id -un)
    UserID=$(id -u)
    # anchor on the login field so "bob" does not also match "bobby"; keep only
    # the name part of the GECOS field
    FullName=$(grep "^${UserName}:" /etc/passwd | cut -d':' -f5 | cut -d',' -f1)

    GetGroups()
    {
    # get group name and GIDs
    # match the user's own group line or a membership entry, not any substring
    IFS=$'\r\n'; Groups=($(grep -E "^${UserName}:|[:,]${UserName}(,|$)" /etc/group \
    | sort | cut -d':' -f1,3))
    for i in ${Groups[@]}; do
    printf "%s\n" "Group Membership: $i"
    done
    }

    # Environment Variables
    EnvTerm=$(echo $TERM)
    if [[ $EnvTerm == "" ]]; then
    EnvTerm="Not Set"
    fi
    EnvCol=$(tput cols)
    EnvLines=$(tput lines)
    EnvShell=$(echo $SHELL)
    EnvEditor=$(echo $EDITOR)
    if [[ $EnvEditor == "" ]]; then
    EnvEditor="Not Set"
    fi
    EnvLang=$(echo $LANG)
    if [[ $EnvLang == "" ]]; then
    EnvLang="Not Set"
    fi
    EnvNNTP=$(echo $NNTPSERVER)
    if [[ $EnvNNTP == "" ]]; then
    EnvNNTP="Not Set"
    fi

    # machine info
    KernelRelease=$(uname -r)
    TaintStatus=$(cat /proc/sys/kernel/tainted)
    if [ "$TaintStatus" != 0 ] ; then
    TaintResults="Tainted ($TaintStatus)"
    else
    TaintResults="Not Tainted ($TaintStatus)"
    fi
    Mem=$(grep MemTotal /proc/meminfo | awk '{print $2}')
    CPU=$(grep -m 1 "model name" /proc/cpuinfo | cut -f2 | cut -c 3-)
    Cores=$(grep -m 1 "cpu cores" /proc/cpuinfo | cut -f2 | cut -c 3-)
    Siblings=$(grep -m 1 "siblings" /proc/cpuinfo | cut -f2 | cut -c 3-)
    # the division below needs both values; skip it if either is missing
    if [[ -z $Cores || -z $Siblings ]]; then
    Cores="Not Detected"
    Siblings="Not Detected"
    HyperValue=0
    else
    HyperValue=$(($Siblings/$Cores))
    fi
    if [[ $HyperValue == 2 ]];then
    HyperThreading="True"
    else
    HyperThreading="False"
    fi
    UpTime=$(uptime | cut -d',' -f1 | cut -c 2-)
    LoadAverage=$(uptime | cut -d',' -f3,4,5 | cut -d':' -f2,3,4 | cut -c 2-)
    VGA=$(lspci | grep VGA | cut -d':' -f3 | cut -c 2-)
    if [ -f /proc/asound/modules ]; then
    SoundMod=$(grep -m 1 . /proc/asound/modules | cut -d' ' -f3)
    else
    SoundMod="Not Detected"
    fi
    if [[ $SoundMod == "" ]]; then
    SoundMod="Not Detected"
    fi
    if [ -f /proc/asound/version ]; then
    SoundDrv=$(cat /proc/asound/version)
    else
    SoundDrv="Not Detected"
    fi
    if [[ $SoundDrv == "" ]]; then
    SoundDrv="Not Detected"
    fi

    # Determine the Distro type and store results as Distro
    if [ -f /etc/release ]; then
    Distro=$(cat /etc/release)
    # mageia
    elif [ -f /etc/system-release ]; then
    Distro=$(cat /etc/system-release)
    # rhel
    elif [ -f /etc/slackware-version ]; then
    Distro=$(cat /etc/slackware-version)
    # slackware
    elif [ -f /etc/issue ]; then
    Distro=$(cat /etc/issue | cut -d' ' -f1,2,3)
    # debian / ubuntu
    fi

    # Check if the Nouveau Kernel driver is in use
    TestForNouveau=$(lspci -k | grep "Kernel driver in use: nouveau" \
    | awk '{print $5}')
    if [[ $TestForNouveau == "nouveau" ]]; then
    NouveauResults="Enabled"
    else
    NouveauResults="Blacklisted"
    fi

    TaintDescription()
    {
    # Describe Kernel Taint Status if Kernel is tainted
    TaintArray=(
    " 1 - A module with a non-GPL license has been loaded,
    this includes modules with no license.
    Set by modutils >= 2.4.9 and module-init-tools."
    " 2 - A module was force loaded by insmod -f.
    Set by modutils >= 2.4.9 and module-init-tools."
    " 4 - Unsafe SMP processors: SMP with CPUs not designed for SMP."
    " 8 - A module was forcibly unloaded from the system by rmmod -f."
    " 16 - A hardware machine check error occurred on the system."
    " 32 - A bad page was discovered on the system."
    " 64 - The user has asked that the system be marked tainted.
    This could be because they are running software that
    directly modifies the hardware, or for other reasons."
    " 128 - The system has died."
    " 256 - The ACPI DSDT has been overridden with one supplied by the
    user instead of using the one provided by the hardware."
    " 512 - A kernel warning has occurred."
    "1024 - A module from drivers/staging was loaded."
    "2048 - The system is working around a severe firmware bug."
    "4096 - An out-of-tree module has been loaded."
    )

    printf "%s\n" "Linux Kernel Taint Status Description"
    FWLine
    ix=0
    for Mask in 1 2 4 8 16 32 64 128 256 512 1024 2048 4096 ; do
    (($TaintStatus & $Mask)) && printf "%s\n\n" "${TaintArray[$ix]}"
    ((ix++))
    done
    }

    # Network info
    FQDN=$(hostname -f)
    DomainName=$(dnsdomainname)
    # first answer line that starts with a digit (an A record, not a CNAME)
    DomainIP=$(dig +short $DomainName | grep -m 1 '^[0-9]')
    AssignedIP=$(ip route get 8.8.8.8 | awk 'NR==1 {print $7}')
    Gateway=$(ip route | grep default | cut -d' ' -f3)
    ExternalIP=$(curl -s icanhazip.com)
    ReverseLookup=$(dig +short -x $ExternalIP)
    # lowest-preference MX host, and the first NS record
    MailExchange=$(dig +short $DomainName MX | sort -n | head -n 1 \
    | awk '{print $2}')
    NameServer=$(dig +short $DomainName NS | head -n 1)
    DigForDNS=$(dig redhat.com | grep SERVER | cut -d'#' -f1 | cut -d' ' -f3)
    ISP=$(curl -s ipinfo.io/$ExternalIP/org)
    GeoCountry=$(curl -s ipinfo.io/$ExternalIP/country)
    GeoRegion=$(curl -s ipinfo.io/$ExternalIP/region)
    GeoCity=$(curl -s ipinfo.io/$ExternalIP/city)

    FWLine()
    {
    # draw line across screen
    printf "%*s\n" "${COLUMNS:-$(tput cols)}" '' | tr ' ' =
    }

    # print output
    printf "%*s\n" "${COLUMNS:-$(tput cols)}" "$(date)"
    printf "%*s\n" "${COLUMNS:-$(tput cols)}" "Version $Ver, released: $VDate"
    printf "%s\n" "User Info"
    FWLine
    printf "%s\n" " Hostname: $HostName"
    printf "%s\n" " Full Name: $FullName"
    printf "%s\n" " User Name: $UserName"
    printf "%s\n" " UserID: $UserID"
    GetGroups
    printf "%s\n\n" " Home Dir: $HOME"
    printf "%s\n" "Environment Variables"
    FWLine
    printf "%s\n" " Term: $EnvTerm"
    printf "%s\n" " Term Size: $EnvCol x $EnvLines"
    printf "%s\n" " Shell: $EnvShell"
    printf "%s\n" " Language: $EnvLang"
    printf "%s\n" " News Server: $EnvNNTP"
    printf "%s\n\n" " Editor: $EnvEditor"
    printf "%s\n" "Machine Info"
    FWLine
    printf "%s\n" " Total Memory: $Mem"
    printf "%s\n" " Processor: $CPU"
    printf "%s\n" " CPU Cores: $Cores"
    printf "%s\n" " Siblings: $Siblings"
    printf "%s\n" " HyperThreading: $HyperThreading"
    printf "%s\n" " Distribution: $Distro"
    printf "%s\n" " Kernel Release: $KernelRelease"
    printf "%s\n" " Taint Status: $TaintResults"
    printf "%s\n" " Uptime: $UpTime"
    printf "%s\n" " Load Average: $LoadAverage"
    printf "%s\n" " VGA Adapter: $VGA"
    printf "%s\n" " Nouveau: $NouveauResults"
    printf "%s\n" " Sound Module: $SoundMod"
    printf "%s\n\n" " Sound Driver: $SoundDrv"

    # Kernel Taint Status Description
    if [ "$TaintStatus" != 0 ]; then
    TaintDescription
    fi

    printf "%s\n" "Network Info"
    FWLine
    printf "%s\n" " FQDN: $FQDN"
    printf "%s\n" " IP Address: $AssignedIP"
    printf "%s\n" " Gateway: $Gateway"
    printf "%s\n" " External IP: $ExternalIP"
    printf "%s\n" " Reverse Lookup: $ReverseLookup"
    printf "%s\n\n" " DNS: $DigForDNS"
    printf "%s\n" "Domain Info"
    FWLine
    printf "%s\n" " Domain Name: $DomainName"
    printf "%s\n" " Mail Exchange: $MailExchange"
    printf "%s\n\n" " NameServer: $NameServer"
    printf "%s\n" "Internet Service Provider"
    FWLine
    printf "%s\n" " Provider: $ISP"
    printf "%s\n" " Country: $GeoCountry"
    printf "%s\n" " Region: $GeoRegion"
    printf "%s\n\n" " City: $GeoCity"
    printf "%s\n" "Volume Info"
    FWLine
    df -hTP
    echo ""
     
    Marek Novotny, Aug 9, 2014
    #2

  3. Marek Novotny wrote, on Sat, 09 Aug 2014 17:11:02 -0500:
    Curl is not on the "busybox" Linux of the Ubiquiti Rocket M2 radio:
    XM.v5.5.6# curl
    -sh: curl: not found

    But, it's an interesting command for Linux, which seems to report your own
    IP address (as if you had gone to http://whatismyipaddress.com), which is
    nice to be able to get YOUR OWN ip address from the command line.
    I'll log into the Rocket M2 radio web interface and see if I can turn on
    all the logs that it can turn on.
    Unfortunately nmap isn't found either:
    XM.v5.5.6# nmap
    -sh: nmap: not found

    But, again, that's a nice Linux command!
    $ nmap -sn 192.168.1.0/24

    Starting Nmap 6.40 ( http://nmap.org ) at 2014-08-09 15:42 PDT
    Nmap scan report for 192.168.1.1
    Host is up (0.0051s latency).
    Nmap scan report for 192.168.1.2
    Host is up (0.029s latency).
    Nmap scan report for 192.168.1.4
    Host is up (0.000082s latency).
    Nmap scan report for 192.168.1.5
    Host is up (0.087s latency).
    Nmap scan report for 192.168.1.6
    Host is up (0.27s latency).
    Nmap scan report for 192.168.1.7
    Host is up (0.0052s latency).
    Nmap scan report for 192.168.1.20
    Host is up (0.013s latency).
    Nmap done: 256 IP addresses (7 hosts up) scanned in 10.26 seconds

    The linfo also was a good command, but it didn't seem to tell me the IP
    addresses connected to the router as the nmap command did.
     
    Clément Durand, Aug 10, 2014
    #3
  4. I'm reluctant to add anything that requires root to the script. I like
    it to be something anyone can use to gain some basic insights into the
    machine they are sitting on regardless of their permissions level.
     
    Marek Novotny, Aug 10, 2014
    #4
  5. Clément Durand wrote, on Sat, 09 Aug 2014 21:05:32 +0000:
    I'm surprised Jeff Liebermann hasn't responded, since he knows
    everything about setting up WiFi security, but, luckily, I *think*
    I have figured out one potential way to tell what the home broadband
    router IP address might be from the Ubiquiti AirOS command line.

    Assuming the rooftop antenna Rocket M2 is at IP 192.168.1.20 and the
    home broadband router connected to it by wire is at 192.168.1.1 ...

    $ ssh -l ubnt 192.168.1.20
    XM.v5.5.8#

    At that prompt, cat this file:
    XM.v5.5.8# cat /tmp/dhcpd.leases

    More often than not, that file seems to contain the IP address of the
    home broadband router which is connected to the rooftop transceiver.

    If you know of a *better* way to find the IP address of the router which
    is connected to your Ubiquiti AirOS device, please let me know.

    The router IP address will also be in the radio /proc/net/nf_conntrack
    file, so, I think we can grep for it using a syntax sort of like the following:

    XM.v5.5.8# grep 192.168.1. /proc/net/nf_conntrack
     
    Clément Durand, Aug 11, 2014
    #5
  6. Clément Durand wrote, on Sat, 09 Aug 2014 21:05:32 +0000:
    I wish Jeff Liebermann would weigh in, because I'm way out of my league
    here, but, the /proc/net/nf_conntrack (and /proc/net/ip_conntrack) file
    on the rooftop Ubiquiti Rocket M2 radio seems to be logging some sort of
    IP connections.

    Let's say a home has two PCs attached wirelessly to one home broadband
    router (192.168.1.1) which itself is attached by cat5 cable to the rooftop
    Ubiquiti Rocket M2 radio (192.168.1.20) which I can ssh into.

    Logging into port 22 (ssh) as user "ubnt" of that radio is as simple as:
    $ ssh -l ubnt -p 22 192.168.1.20

    Then, I'm at the "XM.v5.5.8#" prompt.

    From there, I *think* I can get the IP address of the home broadband router
    (if I didn't know it) by running "cat /tmp/dhcpd.leases".

    But, more importantly, I *think* I can get all the IP addresses that the
    two PCs are connecting to by running either of these two commands:

    # cat /proc/net/nf_conntrack (for ipv6)
    # cat /proc/net/ip_conntrack (for ipv4)

    Is that the easiest way to figure out what IP addresses are being connected
    to at any one time, while logged into the rooftop transceiver (i.e., modem)?
     
    Clément Durand, Aug 11, 2014
    #6
  7. I don't do security. I hate security. I'm also busy, lazy, bored,
    and playing with a few new toys and software. However, I don't have a
    Ubiquiti M2 handy to test my guesswork.

    Try:
    arp -a
    and see what it produces. You might get lucky.

    Also, play with iwlist and iwconfig to see if they show connected
    wireless devices (by MAC address).

    Otherwise, try a bash script that pings everything in your IP block.
    Something like this (untested):

    #!/bin/bash
    test_with_ping()
    {
        # one echo request, one second reply timeout, output discarded;
        # test ping's own exit status directly rather than a stale $?
        if ping -c 1 -W 1 "$1" > /dev/null 2>&1; then
            echo "$1,UP"
        else
            echo "$1,dn"
        fi
    }

    for IP in 192.168.1.{1..254}
    do
        test_with_ping "$IP" & disown # run in background
    done

    Use "nohup" if your bash doesn't do "disown". To run 254 IPs, at
    about 1 second per IP, will take about 5 minutes. There's also no
    guarantee that the connected machine will respond to an ICMP ping
    request.

    Are you perhaps trying to build a network map from scratch? If so,
    there are network mapping tools that will do the heavy lifting for
    you.

    "Russia Bans Anonymous Access To Wi-Fi"
    <http://cellular-news.com/story/Regulatory/66778.php>
     
    Jeff Liebermann, Aug 11, 2014
    #7
  8. Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:
    Hi Jeff,
    I had tried that. While "route" exists, "arp" is not installed on
    the default Ubiquiti Rocket M2 2.4GHz WiFi radio:

    $ ssh -l ubnt -p 22 192.168.1.20
    BusyBox v1.11.2 (2014-02-05 18:21:05 EET) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    XM.v5.5.8# arp
    -sh: arp: not found

    Both iwlist & iwconfig exist, so I will try to learn their syntax.

    I'm mainly trying to understand what's going on, by looking at
    whatever information is available to me as I log into the rooftop
    radio.

    Some of the key stuff I'm trying to figure out remotely is what
    IP addresses are connected to the home broadband router, and, what
    destination IP addresses those clients are attempting to visit.

    I think I have made headway on finding the home broadband router
    IP address by looking at the /etc/dnsmasq.conf file.

    I think there's a ton of information about the destination IP
    addresses in the /proc/net/nf_conntrack file.

    Since there is so much IP information in the conntrack file, I'm
    now looking for a command-line method of querying the destination
    IP addresses found (some of which are suspiciously from China and
    Russia) in the conntrack file, to find out who they belong to.

    The one problem with the huge amount of IP data found in the
    conntrack file is that I can't tell which client device initiated
    the connection to those IP addresses.

    So, I have a long way to go ... but every bit of advice helps,
    and, I, for my part, will echo back what I've learned to the
    group by way of payback.
     
    Clément Durand, Aug 11, 2014
    #8
  9. Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:
    I think I can figure out the IP addresses connected to the home broadband
    router by looking for src=192.168.1.XXX addresses in the previously
    mentioned /proc/net/nf_conntrack file.

    I did try the script on the Ubiquiti Rocket M2 2.5GHz radio, but, bash
    wasn't found (so I changed the shell to "ash") and neither "disown" nor
    "nohup" were found.

    The script did run, but it didn't output anything (so I need to debug it
    further).

    But, I think the main issue now is to glean all the information I need
    out of the /proc/net/nf_conntrack file because it *seems* to contain
    every IP address that goes in and out of the rooftop radio.

    While this is WISP, for people with DSL or cable, logging into that
    rooftop transceiver would be equivalent to logging into their modem.
     
    Clément Durand, Aug 11, 2014
    #9
  10. Clément Durand wrote, on Mon, 11 Aug 2014 19:46:01 +0000:
    Running iwconfig first, it tells me "ath0" is the NIC of interest:

    $ ssh 192.168.1.20 -l ubnt

    XM.v5.5.8# iwconfig
    lo no wireless extensions.
    eth0 no wireless extensions.
    eth1 no wireless extensions.
    wifi0 no wireless extensions.
    br0 no wireless extensions.
    ath0
    IEEE 802.11ng ESSID:"ROCKET_M2" Nickname:"Rocket_WiFi"
    Mode:Managed Frequency:2.417 GHz Access Point: 00:AF:00:BF:DA:48
    Bit Rate:104 Mb/s Tx-Power=26 dBm Sensitivity:0/0
    Retry:off RTS thr:off Fragment thr:off
    Encryption key:0922-02A0-4792-CBFA-A89F-1CDC
    Security mode:restricted
    Power Management:off
    Link Quality=40/94 Signal level=-56 dBm Noise level=-88 dBm
    Rx invalid nwid:7 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0

    Then, running "iwlist ath0", I find out some information.

    This looks like it gives me the local access points nearby:

    XM.v5.5.8# iwlist ath0 ap
    ath0 Peers/Access-Points in range:
    DA:8F:DC:14:E2:BC Quality=46/94 Signal level=-50 dBm Noise level=-96 dBm
    10:57:22:9F:AC:5E Quality=41/94 Signal level=-55 dBm Noise level=-88 dBm
    10:90:48:69:92:33 Quality=22/94 Signal level=-74 dBm Noise level=-88 dBm
    CC:C8:55:8C:6F:41 Quality=18/94 Signal level=-78 dBm Noise level=-88 dBm
    CA:8F:15:27:97:68 Quality=18/94 Signal level=-78 dBm Noise level=-96 dBm
    61:3A:4C:E5:B9:D1 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
    91:72:4F:1F:91:1C Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
    15:80:4E:69:92:34 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
    10:15:8D:AC:03:88 Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
    F1:D1:F9:12:9D:1E Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
    21:C9:80:F3:98:7C Quality=10/94 Signal level=-86 dBm Noise level=-88 dBm
    1B:12:C6:22:24:9F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
    10:1C:63:2B:4F:47 Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
    F1:13:4E:10:35:4F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
    18:0F:C3:F3:D0:66 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm
    1A:23:87:1C:F7:17 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm

    This seems to list the rooftop radio transmit power:
    XM.v5.5.8# iwlist ath0 txpower
    ath0 8 available transmit-powers :
    10 dBm (10 mW)
    16 dBm (39 mW)
    18 dBm (63 mW)
    20 dBm (100 mW)
    22 dBm (158 mW)
    24 dBm (251 mW)
    26 dBm (398 mW)
    28 dBm (630 mW)
    Current Tx-Power=24 dBm (251 mW)

    This seems to scan for all the WiFi routers in the vicinity of the rooftop
    radio:
    XM.v5.5.8# iwlist ath0 scanning
    It lists dozens of "cells", here's just one example:
    Cell 02 - Address: 00:A0:55:AC:83:2A
    ESSID:"Netgear"
    Mode:Master
    Frequency:2.417 GHz (Channel 2)
    Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
    Encryption key:on
    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
    9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
    48 Mb/s; 54 Mb/s
    Extra:bcn_int=100
    IE: IEEE 802.11i/WPA2 Version 1
    Group Cipher : TKIP
    Pairwise Ciphers (2) : CCMP TKIP
    Authentication Suites (1) : PSK
    Extra:mtik_ie=really long number

    In summary, these two commands (iwconfig & iwlist) are interesting,
    as they provide information about signal strengths of nearby
    access points, but neither seems to tell me which PCs are attached to
    the home broadband router, nor what destination IP addresses those
    devices are going to.

    Nice commands otherwise!
     
    Clément Durand, Aug 11, 2014
    #10
  11. Try:
    cat /proc/net/arp
    or:
    ip neigh show dev br0
    br0 might be eth0 or something else if your M2 is setup as a router.

    One must suffer before enlightenment.

    I usually use SNMP in the router in order to get that info.

    If (and only if) your Ubiquiti is setup as a bridge, you can sniff the
    traffic between the wireless bridge and the router (on the router WAN
    port), and get the same information. Insert a HUB (not a SWITCH)
    between the Ubiquiti M2 and your unspecified router. Add a PC running
    WireShark or your favorite sniffer software, and you should get
    something usable.

    You can also sniff just the HTTP traffic with:
    <http://www.nirsoft.net/utils/http_network_sniffer.html>
    Take a good look at Nir Sofer's tools. They're quite useful.

    Go thee unto Google at:
    https://www.google.com
    Inscribe into the designated search box the words of empowerment:
    "what is my IP"
    Through the magic of Google, your WAN IP address will be displayed.

    Dunno. I don't have any Ubiquiti hardware handy to test it.

    Learn by destroying, which means that if you haven't broken something,
    you don't really understand how it works.

    <http://www.darkreading.com/applicat...k-discovery-and-mapping-tools/d/d-id/1141182>

    Now, go away so I can get some paying work done.
     
    Jeff Liebermann, Aug 12, 2014
    #11
  12. Clément Durand wrote:

    On my desktop, I run zenmap, which is a gui version of nmap. Familiarize
    yourself with zenmap on your lan. Once you know how it works, you can just
    copy the nmap commands that it issues. They are displayed by the program.
     
    miso, Aug 12, 2014
    #12
  13. Jeff Liebermann wrote, on Mon, 11 Aug 2014 16:19:40 -0700:
    Thanks for your help. I do appreciate it.
    Since the documentation on interpreting the nf_conntrack file
    was so dismal, I wrote my own documentation, from many sources.

    Here is it, as payback, for all the help from others.

    Here's my first attempt at an interpretation of a sample line from my nf_conntrack file:

    ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2
    My interpretation:
    An ESTABLISHED TCP connection from source host 72.167.183.54, port 80
    To destination host 69.63.240.15, port 49437
    From which responses are sent to host 72.167.183.54, port 49437
    Timing out in 56808 seconds (i.e., more than 15 hours)
    UNREPLIED means traffic hasn't been seen in the response direction yet
    In addition, the:
    Network layer protocol name is ipv4
    Network layer protocol number is 2
    Transmission layer protocol name is tcp
    Transmission layer protocol number is 6
    Seconds until the entry is invalidated is 56808 (i.e., more than 15 hours)


    Here is another attempt at interpreting an example from my nf_conntrack log file:

    ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2
    My interpretation:
    An ICMP echo request packet from source host 142.28.53.15
    To destination host 10.50.0.241
    With an expected echo reply packet from source hosts 10.50.0.241
    To destination host 142.28.53.15
    Timing out in 16 seconds
    In addition, the:
    Network layer protocol name is ipv4
    Network layer protocol number is 2
    Transmission layer protocol name is icmp
    Transmission layer protocol number is 1
    Seconds until the entry is invalidated is 16 seconds


    It seems both ip_conntrack & nf_conntrack are similar in format, where nf_conntrack simply has two extra columns at the beginning of each line, so this list below attempts to describe the first six nf_conntrack columns, as I understand them:

    1. Network layer protocol name (e.g., ipv4)
    2. Network layer protocol number (e.g., 2)
    3. Transmission layer protocol name (e.g., tcp)
    4. Transmission layer protocol number (e.g., 6)
    5. Seconds until the entry is invalidated (e.g., 75114)
    6. The connection state (e.g., ESTABLISHED, but this is not always there for all protocols)

    It seems that the #6 connection state can be any of the following:

    DCCP

    CLOSEREQ
    CLOSING
    IGNORE
    INVALID
    NONE
    OPEN
    PARTOPEN
    REQUEST
    RESPOND
    TIME_WAIT

    SCTP

    CLOSED
    COOKIE_ECHOED
    COOKIE_WAIT
    ESTABLISHED <== many of mine were this
    NONE
    SHUTDOWN_ACK_SENT
    SHUTDOWN_RECD
    SHUTDOWN_SENT

    TCP

    CLOSE
    CLOSE_WAIT
    ESTABLISHED
    FIN_WAIT
    LAST_ACK
    NONE
    SYN_RECV
    SYN_SENT
    SYN_SENT2
    TIME_WAIT <== many of mine were this

    The rest of the columns are apparently either of the format KEY=VALUE or they represent FLAGs.

    KEY=VALUE examples:

    src=123.456.789.001
    dst=123.456.789.002
    sport=80 (tcp & udp only)
    dport=54259 (tcp & udp only)
    mark=0 (if CONFIG_NF_CONNTRACK_MARK is enabled)
    use=2
    type=0 (for icmp only)
    code=0 (for icmp only)
    id=39196 (for icmp only)
    bytes (if accounting is enabled)
    delta-time (if CONFIG_NF_CONNTRACK_TIMESTAMP is enabled)
    packets (if accounting is enabled, request and response)
    secctx (if CONFIG_NF_CONNTRACK_SECMARK is enabled)
    zone (if CONFIG_NF_CONNTRACK_ZONES is enabled)

    Note that the response destination host can differ from the request source host when the request source address has been masqueraded by the response destination host.

    FLAG examples:

    [ASSURED]: Traffic has been seen in both directions (request & response)
    [UNREPLIED]: Traffic has not been seen in the response direction yet
     
    Clément Durand, Aug 12, 2014
    #13
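    The line format described in this post, as an added example that is not part of the original thread (Python, which the radio itself lacks, so this runs on the desktop over a copied dump): a parser for nf_conntrack lines, run over the two lines quoted above plus two constructed lines for 192.168.1.x clients. It groups flows by the LAN client that initiated them, which is readable from the first tuple on each line, and lists inbound flows that never got a reply. The LAN prefix 192.168.1.0/24 and the masqueraded address 10.50.0.241 in the constructed lines are assumptions taken from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two lines quoted in the post, plus two constructed
# lines for LAN clients (192.168.1.x) whose replies come back to the radio's
# masqueraded address 10.50.0.241 (an assumption based on the route -n output).
SAMPLE = """\
ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2
ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.7 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.50.0.241 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4 2 udp 17 29 src=192.168.1.5 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=10.50.0.241 sport=53 dport=40001 mark=0 use=2
"""

# Keys of a direction tuple: each appears once for the original direction and
# once for the reply (per-direction accounting counters included).
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id",
              "packets", "bytes"}


def parse_conntrack_line(line):
    """Parse one nf_conntrack line: fixed columns (L3 name, L3 number, L4 name,
    L4 number, timeout seconds, optional state word for tcp/sctp/dccp), then
    key=value pairs (original tuple first, then reply) and [FLAG] tokens."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("not a conntrack line: %r" % line)
    entry = {"l3": fields[0], "l3num": int(fields[1]),
             "l4": fields[2], "l4num": int(fields[3]), "timeout": int(fields[4]),
             "state": None, "original": {}, "reply": {}, "flags": [], "meta": {}}
    rest = fields[5:]
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = "original"
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            if key == "src" and "src" in entry["original"]:
                side = "reply"  # second src= on the line opens the reply tuple
            entry[side][key] = value
        else:
            entry["meta"][key] = value  # mark=, use=, zone=, ...
    return entry


def parse_table(lines):
    """Parse every non-blank line of a conntrack dump."""
    return [parse_conntrack_line(l) for l in lines if l.strip()]


def client_connections(lines, lan_net="192.168.1.0/24"):
    """Map each LAN client to the (dst, proto, dport) flows it initiated.

    The first tuple on a line is the original direction, so its src= is the
    initiator even when the reply tuple only shows the masqueraded address."""
    lan = ipaddress.ip_network(lan_net)
    out = defaultdict(set)
    for e in parse_table(lines):
        o = e["original"]
        if ipaddress.ip_address(o["src"]) in lan:
            out[o["src"]].add((o["dst"], e["l4"], o.get("dport")))
    return dict(out)


def unreplied_inbound(lines, lan_net="192.168.1.0/24"):
    """Flows opened from outside the LAN that never saw a reply; a burst of
    these toward one port is what a scan looks like in the conntrack table."""
    lan = ipaddress.ip_network(lan_net)
    return [(e["original"]["src"], e["original"]["dst"], e["l4"])
            for e in parse_table(lines)
            if "UNREPLIED" in e["flags"]
            and ipaddress.ip_address(e["original"]["src"]) not in lan]
```

    To use it on a real dump, copy /proc/net/nf_conntrack off the radio (for example with scp) and pass its lines to client_connections().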