Monitor All Traffic?

iphonogasm

OK, hi. I'm using Microsoft Network Monitor to monitor packets, active connections, etc., but I've got a feeling it's missing a lot of traffic. I need it to monitor all incoming and outgoing traffic through the router.

Below is an image of my current setup.

View attachment 169

Say a connection to 192.168.0.15 on the red line came in, the server would not monitor the traffic to it.

So I was thinking, maybe I need to intercept the traffic altogether, as there is not an option in Microsoft Network Monitor to listen on a specific host (192.168.0.1).

So something like this...

View attachment 170

Please give some comments on this

Thanks!!
 
Because you have a SWITCH, you cannot monitor all the traffic.

There are 2 solutions:

1) What you have said: put your server as a "bridge" with two NICs and monitor ALL THE TRAFFIC WHICH IS GOING TO THE ROUTER, NOT to all other devices. So, if PC 1 communicates with PC 2, you cannot see anything.

2) Check if your switch supports PORT MIRRORING. If yes, enable it on a port of the switch, then plug in a cable from that port to your server and now you can really monitor ALL the traffic which is travelling on your network.
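Added example, not part of the original posts: a check that tells the three capture positions discussed here apart (plain switch port, inline bridge at the router, mirror port) from the flows a capture actually contains. The addresses 192.168.0.0/24, .1 and .2 come from the thread; the function names, the external hosts and the sample flows are constructed for illustration.

```python
import ipaddress

# Addresses from the thread; the external hosts below are constructed samples.
LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER = ipaddress.ip_address("192.168.0.1")
SENSOR = ipaddress.ip_address("192.168.0.2")  # the monitoring server

def classify(src, dst):
    """Label one captured flow by what it proves about the capture point."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d.is_multicast or d in (LAN.broadcast_address,
                               ipaddress.ip_address("255.255.255.255")):
        return "flooded"        # reaches every switch port, proves nothing
    if SENSOR in (s, d):
        return "own"            # the sensor's own conversations
    if ROUTER in (s, d) or s not in LAN or d not in LAN:
        return "via-router"     # crosses the router link (a bridge sees this)
    return "host-to-host"       # LAN peer to LAN peer, only a mirror port sees it

def visibility(flows):
    """Return 'full', 'router-link-only' or 'self-only' for a capture."""
    seen = {classify(src, dst) for src, dst in flows}
    if "host-to-host" in seen:
        return "full"
    if "via-router" in seen:
        return "router-link-only"
    return "self-only"

# Constructed (src, dst) pairs standing in for an exported capture.
PLAIN_SWITCH_PORT = [("192.168.0.2", "203.0.113.10"),
                     ("192.168.0.15", "192.168.0.255")]
INLINE_BRIDGE = PLAIN_SWITCH_PORT + [("192.168.0.15", "203.0.113.10"),
                                     ("192.168.0.20", "192.168.0.1")]
MIRROR_PORT = INLINE_BRIDGE + [("192.168.0.15", "192.168.0.20")]

if __name__ == "__main__":
    for name, flows in [("plain switch port", PLAIN_SWITCH_PORT),
                        ("inline bridge", INLINE_BRIDGE),
                        ("mirror port", MIRROR_PORT)]:
        print(f"{name}: {visibility(flows)}")
```

A switch floods frames for MAC addresses it has not learned yet, so an occasional host-to-host frame can show up even on a plain port; judge the result on sustained two-way conversations rather than a single packet.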
 
Again, there are two ways:

If you have Windows installed, you can simply add the router role and assign one NIC to internal and the other to external.

If you want a transparent bridge, well, you must switch to a Linux distro (there are many).
 
So if I make the one NIC internal and the other NIC external, it would be

NIC 1 (Current) 192.168.0.2 gateway 192.168.0.1
NIC 2 (outgoing traffic) 192.168.0.3 gateway 192.168.0.1 and set it to external

??

Thanks
 
When you add the router role, Windows Server should set up parameters for you...

Anyway, you can also create a transparent bridge. Select the two interfaces, right click and then select BRIDGE. Now your server will automatically move connections from NIC 1 to 2 and vice versa. From there, you can "spy" with Wireshark. I think this is the best setup :)
 
OK, so this has been unsuccessful.

I just installed a second NIC, and now I have a second problem. The NIC has DISAPPEARED altogether. I have searched and searched for a solution to this issue and found absolutely nothing. The NIC has just disappeared altogether from Device Manager and all.

Just after I installed the second NIC, it worked fine. I connected the router to the new NIC, and the onboard NIC to the switch, then in Network Connections selected both network connections and right clicked, "Bridge Connections". And with both NICs set up with static details, I could not ping either connection after the bridge was set up.

Then the new NIC just disappeared,

so my issues now are:

1. The new NIC has just disappeared completely, not in Device Manager or anywhere,
2. The bridge didn't work?

I had the new NIC "Network Connection 2 IN" connected to the router
IP: 192.168.0.3
Mask: 255.255.255.0
Gateway: 192.168.0.1

and the onboard "Local Connection 1 OUT" connected to the switch, which is the internet connection outgoing from the server
IP: 192.168.0.2
Mask: 255.255.255.0
Gateway: 192.168.0.1


Thanks for the help!
 
Once you have bridged the connection, you must right click on your bridge and assign an IP.

The bridge hides all the NICs involved in this process.
 
Haha, yes, I figured this out. I've never done a bridge before so I got that one, haha. EASY!

One problem has come up: my VPNs have stopped working now. It appears I can connect fine from my phone but my LAPTOP is bringing up error 800 "Attempted VPN tunnels failed".

Even if I have a static range set in the RRAS properties for dial-in clients, it won't accept connections??

Also, in the picture below I see heaps of leases for RRAS. What are they for??

View attachment 172

I'm trying to add exclusions to my scope as I have lots of static stuff configured as well, and if I'm correct I'm pretty sure DHCP is dumb and will issue an IP address even if it is already statically assigned? Am I correct?

Therefore, I am trying to add exclusions. My DHCP scope is 192.168.0.11 >> 192.168.0.200 and I'm trying to add exclusions for 192.168.0.1 >> 192.168.0.10 and 192.168.0.201 >> 192.168.0.254, but when attempting to add them it says "The IP address range is not a subnet of the overall range".

Any ideas?

Thanks for answering my questions
 
I think you cannot establish a VPN connection via a bridged network... I mean, I know you can create two VPN connections and THEN bridge, but from 2 bridged interfaces I think you can't VPN.

I have to think a bit about this, but I'm pretty sure I'm right.
 
OK, what about all those DHCP leases? And is there a way to view what has been set up statically? Also, I can't add exclusions.

Thanks
 
The point is that RAS assigns an IP number before the connection is initiated. That means you should add exclusions in your DHCP server or, better, assign a range.

Now, when you set up the DHCP server, it used an interface that is no longer there. You could try to remove the role and re-add it with the new interface... maybe this could help.
 
Haha, I just realised the damn exclusion range is not even in the DHCP address pool. Therefore I'm guessing there's no need to add the exclusions for those ranges as they're not even in the scope. IDIOT!!! HAHA

A quick question: can I have multiple logins on one account on a VPN, and from the same destination address?

I.e., can I log on as Administrator and from 122.61.356.213 from two computers??

I'm guessing not, just to clarify.

Thanks
 
No you can't.

It's like (more or less) RDP: when you log in with one user, you cannot log in with the same user at the same time from another location.
 