OpenWrt Forum Archive

Topic: Wireless Macaddress Forwarding

The content of this topic has been archived on 6 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm trying to set up an experimental wireless IDS system. The problem I'm having is that I must be able to follow wireless clients via their MAC address. Currently I only see the MAC addresses of eth0 and wlan0.

I've the following working on openwrt latest trunk

network    (gateway to network)
                      ^
                      |
openwrt  [ (wlan0) <- + -> (eth0) - - -> (eth1) ]
                                         |
                                         |
network monitor                          \-> (ids) (192.168.5.5)

The IDS box is fed forwarded traffic via iptables:

iptables -A PREROUTING -t mangle -j TEE --gw 192.168.5.5

Traffic is being monitored on the ids via wireshark.


Any suggestions on how to keep the wireless mac address intact all the way to the IDS?  (ebtables?)

Thanks

(Last edited by smalltime on 14 Sep 2010, 03:45)

Thanks for the link; it describes the problem I'm trying to solve. I'm looking into ARP-NAT as an alternative. (The hardware I'm using is running on Atheros 71xxx.)

I'm hoping that I'm not trying to do the impossible as all on one piece of hardware running OpenWRT. The AP is running on openwrt, so I should have access to the client mac addresses from both directions:


Packet from client to external network

[ wireless client  ]                          [   client packet]  
[ packet from addr ] ---  >   openwrt  -- >   [    w/ addr     ]  ->to-> Internet
[ 00:11:22:33:44.. ]             |            [ ...dont care.. ]
                                 |
                                 \/
                                Tap  
                        [   client packet  ] 
                        [    w/ addr       ] 
                        [ 00:11:22:33:44.. ]

Packet to client from external Internet:

[  wireless client   ]                       [  client packet ]  
[   packet for addr  ] <---    openwrt  <--  [  for addr      ]  <- from Internet
[ 00:11:22:33:44..   ]           |           [ ...dont care.. ]
                                 |
                                 \/
                                Tap  
                        [   client packet   ] 
                        [    to client addr ] 
                        [ 00:11:22:33:44..  ]

I have the above working well, except the mac addresses are from the mac address of the wireless card on openwrt.

I've made some progress in the network monitoring: tcpdump now sees HALF of the required network traffic.

The setup consists of the following:

Hardware:
     rb433 (uses IP175C switch chip)

Network Configuration

     openwrt eth0 = 10.0.0.100 ( from isp side, via dhcp )
     openwrt br-lan = 192.168.1.1 (internal side)

     network monitor = 192.168.1.5 (machine with tcpdump on eth1)
     wireless client = 192.168.1.100 (machine to watch)

     br-lan has wlan0 and eth1


I found out that shortly after I enter the following command I start seeing the response to any commands from the wireless client.

# brctl setageing br-lan 0

I'm not sure why I'm only seeing half the traffic.  Any ideas how to see Packet from client to external network??

thanks

small

Run "opkg install snmpd"

Append to /etc/config/snmpd:

config exec
    option execname    assoclist
    option prog    '/usr/sbin/wlanconfig'
    option args    'ath0 list sta'
#    option miboid    '.1.3.6.1.4.1.2021.8.1'    #found under .iso.org.dod.internet.private.enterprises

Insert to /etc/init.d/snmpd:

snmpd_exec_add() {
    local cfg="$1"

    config_get execname "$cfg" execname
    [ -n "$execname" ] || return 0
    config_get prog "$cfg" prog
    [ -n "$prog" ] || return 0
    config_get args "$cfg" args
    config_get miboid "$cfg" miboid
    echo "exec $miboid $execname $prog $args" >> $RUN_C
}

and

    config_foreach snmpd_exec_add exec

Run "/etc/init.d/snmpd start"

Run "snmpwalk -c public -v 1 192.168.1.1 .1.3.6.1.4.1.2021.8.1" at the network monitor.

You probably want to replace "/usr/sbin/wlanconfig" with a script under /etc/snmp to form a pure STA list.

OpenWrt / openwrt without UCI
/packages/libs/net-snmp/files/snmpd.init – OpenWrt (old)
/packages/net/net-snmp/files/snmpd.init – OpenWrt (new)
/packages/net/net-snmp/files/snmpd.conf – OpenWrt (example)
Le blog du petit geek malin ;-) SNMP OIDs for OpenWrt

/etc/config/snmpd

config exec
    option execname    wlassoclist
    option prog    /etc/snmp/wlassoclist
    option args    ""
#    option miboid    '.1.3.6.1.4.1.2021.8.1.101.1'    #UCD-SNMP-MIB::extOutput.1

/etc/snmp/wlassoclist

#!/bin/sh
/usr/sbin/wlanconfig ath0 list sta | awk '{ print $1 }'

Run "chmod +x /etc/snmp/wlassoclist"

Run "snmpwalk -c public -v 1 192.168.1.1 extOutput.1" at the network monitor.

The output should look like:

UCD-SNMP-MIB::extOutput.1 = STRING: ADDR
00:11:22:33:44:55
00:11:22:33:44:66
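
Added example, not part of the original thread or of OpenWrt: one way the network monitor could consume the extOutput.1 listing above, extracting the associated station MACs and printing any that are missing from a list of expected clients. The function names and the known-clients file are assumptions made for illustration; the sample input is constructed from the output format quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): run on the network monitor.

# Constructed sample: the snmpwalk output format quoted in the thread.
sample_walk() {
    cat <<'EOF'
UCD-SNMP-MIB::extOutput.1 = STRING: ADDR
00:11:22:33:44:55
00:11:22:33:44:66
EOF
}

# Read snmpwalk text on stdin and print each associated station MAC once,
# lowercased. The "= STRING: ADDR" header and any token that is not exactly
# six colon-separated hex octets are dropped.
extract_macs() {
    tr -d '\r"' | tr 'A-F' 'a-f' | awk '
        BEGIN { h = "[0-9a-f][0-9a-f]"
                re = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
        { for (i = 1; i <= NF; i++) if ($i ~ re) print $i }
    ' | sort -u
}

# usage: snmpwalk ... | unknown_stations KNOWN_FILE
# KNOWN_FILE (hypothetical) lists one expected client MAC per line; text
# after "#" is a comment. Prints associated MACs that are not listed.
unknown_stations() {
    known=$(sed 's/#.*//' "$1" | extract_macs)
    extract_macs | while read -r mac; do
        printf '%s\n' "$known" | grep -qxF "$mac" || printf '%s\n' "$mac"
    done
}

# Demo on the constructed sample: only the first station is expected.
demo() {
    list=$(mktemp)
    printf '%s\n' '00:11:22:33:44:55  # known laptop' > "$list"
    sample_walk | unknown_stations "$list"
    rm -f "$list"
}
demo
```

On the monitor the input would come from the snmpwalk command quoted above, piped into unknown_stations. SNMP v1 sends the community string and the station list in cleartext, so the poll belongs on the wired management segment.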
