Re: How to get a list of IP addresses connected to a WISP home broadband router?

I wish Jeff Liebermann would weigh in, because I'm way out of my league here, but, the /proc/net/nf_conntrack (and /proc/net/ip_conntrack) file on the rooftop Ubiquiti Rocket M2 radio seems to be logging some sort of IP connections.

Let's say a home has two PCs attached wirelessly to one home broadband router (192.168.1.1) which itself is attached by cat5 cable to the rooftop Ubiquiti Rocket M2 radio (192.168.1.20) which I can ssh into.

Logging into port 22 (ssh) as user "ubnt" of that radio is as simple as: $ ssh -l ubnt -p 22 192.168.1.20

Then, I'm at the "XM.v5.5.8#" prompt.

From there, I *think* I can get the IP address of the home broadband router (if I didn't know it) by running "cat /tmp/dhcpd.leases".

But, more importantly, I *think* I can get all the IP addresses that the two PCs are connecting to by running either of these two commands:

# cat /proc/net/nf_conntrack (for ipv6) # cat /proc/net/ip_conntrack (for ipv4))

Is that the easiest way to figure out what IP addresses are being connected to at any one time, while logged into the rooftop transceiver (i.e., modem)?

I don't do security. I hate security. I'm also busy, lazy, bored, and playing with a few new toys and software. However, I don't have a Ubiquiti M2 handy to test my guesswork.

Try: arp -a and see what it produces. You might get lucky.

Also, play with iwlist and iwconfig to see if they show connected wireless devices (by MAC address).

Otherwise, try a bash script that pings everything in your IP block. Something like this (untested):

#!/bin/bash test_with_ping() { ping -c 1 $1 > /dev/null [ $? -eq 0 ] && echo $IP,UP [ $? -eq 1 ] && echo $IP,dn }

for IP in 192.168.1.{1..254} do test_with_ping $IP & disown # run in background done

Use "nohup" if your bash doesn't do "disown". To run 254 IP's, at about 1 second per IP, will take about 5 minutes. There's also no guarantee that the connected machine will respond to an ICMP ping request.

Are you perhaps trying to build a network map from scratch? If so, there are network mapping tools that will do the heavy lifting for you.

"Russia Bans Anonymous Access To Wi-Fi"

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558

Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:

Hi Jeff, I had tried that. While "route" exists, "arp" is not installed on the default Ubiquiti Rocket M2 2.4GHz WiFi radio: $ ssh -l ubnt -p 22 192.168.1.20 BusyBox v1.11.2 (2014-02-05 18:21:05 EET) built-in shell (ash) Enter 'help' for a list of built-in commands. XM.v5.5.8# arp

-sh: arp: not found

Both iwlist & iwconfig exist, so I will try to learn their syntax.

I'm mainly trying to understand what's going on, by looking at whatever information is available to me as I log into the rooftop radio.

Some of the key stuff I'm trying to figure out remotely is what IP addresses are connected to the home broadband router, and, what destination IP addresses those clients are attempting to visit.

I think I have made headway on finding the home broadband router IP address by lookint at the /etc/dnsmasq.conf file.

I think there's a ton of information about the destination IP addresses in the /proc/net/nf_conntrack file.

Since there is so much IP information in the conntrack file, I'm now looking for a command-line method of querying the destination IP addresses found (some of which are suspiciously from China and Russia) in the conntrack file, to find out who they belong to.

The one problem with the huge amount of IP data found in the conntrack file is that I can't tell which client device initiated the connection to those IP addresses.

So, I have a long way to go ... but every bit of advice helps, and, I, for my part, will echo back what I've learned to the group by way of payback.

Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:

I think I can figure out the IP addresses connected to the home broadband router by looking for src=192.168.1.XXX addresses in the previously mentioned /proc/net/nf_conntrack file.

I did try the script on the Ubiquiti Rocket M2 2.5GHz radio, but, bash wasn't found (so I changed the shell to "ash") and neither "disown" nor "nohup" were found.

The script did run, but it didn't output anything (so I need to debug it further).

But, I think the main issue now is to glean all the information I need out of the /proc/net/nf_conntrack file because it *seems* to contain every IP address that goes in and out of the rooftop radio.

While this is WISP, for people with DSL or cable, logging into that rooftop transceiver would be equivalent to logging into their modem.

Running iwconfig first, it tells me "ath0" is the NIC of interest:

$ ssh 192.168.1.20 -l ubnt

XM.v5.5.8# iwconfig lo no wireless extensions. eth0 no wireless extensions. eth1 no wireless extensions. wifi0 no wireless extensions. br0 no wireless extensions. ath0 IEEE 802.11ng ESSID:"ROCKET_M2" Nickname:"Rocket_WiFi" Mode:Managed Frequency:2.417 GHz Access Point: 00:AF:00:BF:DA:48 Bit Rate:104 Mb/s Tx-Power=26 dBm Sensitivity:0/0 Retry:off RTS thr:off Fragment thr:off Encryption key:0922-02A0-4792-CBFA-A89F-1CDC Security mode:restricted Power Management:off Link Quality=40/94 Signal level=-56 dBm Noise level=-88 dBm Rx invalid nwid:7 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Then, running "iwlist ath0", I find out some information.

This looks like it gives me the local access points nearby:

XM.v5.5.8# iwlist ath0 ap ath0 Peers/Access-Points in range: DA:8F:DC:14:E2:BC Quality=46/94 Signal level=-50 dBm Noise level=-96 dBm 10:57:22:9F:AC:5E Quality=41/94 Signal level=-55 dBm Noise level=-88 dBm 10:90:48:69:92:33 Quality=22/94 Signal level=-74 dBm Noise level=-88 dBm CC:C8:55:8C:6F:41 Quality=18/94 Signal level=-78 dBm Noise level=-88 dBm CA:8F:15:27:97:68 Quality=18/94 Signal level=-78 dBm Noise level=-96 dBm 61:3A:4C:E5:B9:D1 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm 91:72:4F:1F:91:1C Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm 15:80:4E:69:92:34 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm 10:15:8D:AC:03:88 Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm F1:D1:F9:12:9D:1E Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm 21:C9:80:F3:98:7C Quality=10/94 Signal level=-86 dBm Noise level=-88 dBm 1B:12:C6:22:24:9F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm 10:1C:63:2B:4F:47 Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm F1:13:4E:10:35:4F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm 18:0F:C3:F3:D0:66 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm 1A:23:87:1C:F7:17 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm

This seems to list the rooftop radio transmit power: XM.v5.5.8# iwlist ath0 txpower ath0 8 available transmit-powers : 10 dBm (10 mW) 16 dBm (39 mW) 18 dBm (63 mW) 20 dBm (100 mW) 22 dBm (158 mW) 24 dBm (251 mW) 26 dBm (398 mW) 28 dBm (630 mW) Current Tx-Power=24 dBm (251 mW)

This seems to scan for all the WiFi routers in the vicinity of the rooftop radio: XM.v5.5.8# iwlist ath0 scanning It lists dozens of "cells", here's just one example: Cell 02 - Address: 00:A0:55:AC:83:2A ESSID:"Netgear" Mode:Master Frequency:2.417 GHz (Channel 2) Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm Encryption key:on Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s 48 Mb/s; 54 Mb/s Extra:bcn_int=100 IE: IEEE 802.11i/WPA2 Version 1 Group Cipher : TKIP Pairwise Ciphers (2) : CCMP TKIP Authentication Suites (1) : PSK Extra:mtik_ie=really long number

In summary, these two commands (iwconfig & iwlist) are interesting, as they provide information about signal strengths of nearby access points, none seem to tell me which PCs are attached to the home broadband router, nor what destination IP addresses those devices are going to.

Nice commands otherwise!

Try: cat /proc/net/arp or: ip neigh show dev br0 br0 might be eth0 or something else if your M2 is setup as a router.

One must suffer before enlightenment.

I usually use SNMP in the router in order to get that info. If (and only if) your Ubiquiti is setup as a bridge, you can sniff the traffic between the wireless bridge and the router (on the router WAN port), and get the same information. Insert a HUB (not a SWITCH) between the Ubiquiti M2 and your unspecified router. Add a PC running WireShark or your favorite sniffer software, and you should get something useable.

You can also sniff just the HTTP traffic with: Take a good look at Nir Sofer's tools. They're quite useful:

Go thee unto Google at:

Inscribe into the designated search box the words of empowerment: "what is my IP" Through the magic of Google, your WAN IP address will be displayed.

Dunno. I don't have any Ubiquiti hardware handy to test it.

Learn by destroying, which means that if you haven't broken something, you don't really understand how it works.

Now, go away so I can get some paying work done.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558

Jeff Liebermann wrote, on Mon, 11 Aug 2014 16:19:40 -0700:

Thanks for your help. I do appreciate it. Since the documentation on interpreting the nf_conntrack file was so dismal, I wrote my own documentation, from many sources.

Here is it, as payback, for all the help from others.

Here's my first attempt at an interpretation of a sample line from my nf_conntrack file:

ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2 My interpretation: An ESTABLISHED TCP connection from source host 72.167.183.54, port 80 To destination host 69.63.240.15, port 49437 From which responses are sent to host 72.167.183.54, port 49437 Timing out in 56808 seconds (i.e., more than 15 hours) UNREPLIED means traffic hasn't been seen in the response direction yet In addition, the: Network layer protocol name is ipv4 Network layer protocol number is 2 Transmission layer protocol name is tcp Transmission layer protocol number is 6 Seconds until the entry is invalidated is 56808 (i.e., more than 15 hours)

Here is another attempt at interpreting an example from my nf_conntrack log file:

ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2 My interpretation: An ICMP echo request packet from source host 142.28.53.15 To destination host 10.50.0.241 With an expected echo reply packet from source hosts 10.50.0.241 To destination host 142.28.53.15 Timing out in 16 seconds In addition, the: Network layer protocol name is ipv4 Network layer protocol number is 2 Transmission layer protocol name is icmp Transmission layer protocol number is 1 Seconds until the entry is invalidated is 16 seconds

It seems both ip_conntrack & nf_conntrack are similar in format, where nf_conntrack simply has two extra columns at the beginning of each line, so this list below attempts to describe the first six nf_conntrack columns, as I understand them:

1. Network layer protocol name (e.g., ipv4)
2. Network layer protocol number (e.g., 2)
3. Transmission layer protocol name (e.g., tcp)Transmission layer protocol number (e.g., 6)
4. Seconds until the entry is invalidated (e.g., 75114)
5. The connection state (e.g., ESTABLISHED, but this is not always there for all protocols)

It seems that the #5 connection state can be any of the following:

DCCP

CLOSEREQ CLOSING IGNORE INVALID NONE OPEN PARTOPEN REQUEST RESPOND TIME_WAIT

SCTP

CLOSED COOKIE_ECHOED COOKIE_WAIT ESTABLISHED