Sunday, January 28, 2007

Built myself a packet sniffer

I had an old Pentium IV 2.0 GHz sitting around with 256 MB of broken RAM and, after pondering what to do with it, I decided to build a packet sniffer. I got the machine very cheap ($20) because its previous owner couldn't understand why it kept crashing. Running memtest86 found problems with the 0x0105cxxx addresses, so I decided to stick a copy of Fedora Core 6 on it and add the BadRAM patch (http://rick.vanrein.org/linux/badram/), which was harder than expected. I tried installing with a 'mem' limit under the threshold (about 80 MB), but it wouldn't install, so I ended up pinching some working memory out of a different system to build it. Building the kernel RPM took a long time, and I think the BadRAM patches conflict with some of the others in the Fedora SPEC file, as I had to manually tweak one of the files between the prep and build stages to get it to work. I'll dig deeper next time Fedora releases an SRPM for the kernel.

Anyway, I eventually got the kernel built and installed with the BadRAM parameters set correctly (so now I have 256 MB minus 12 KB of memory available) and it runs like a charm. I put a couple of extra NICs in the machine, installed Wireshark/ntop and then stuck it between my cable modem and my WRT-54GS to see what was coming over the wire. I left Wireshark capturing packets overnight to find out, and the answer is: a lot of ARP packets. I got 60 MB of them and very little else sent over my cable modem in 8 hours. The next step is to work out why.
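A first pass at answering that "why" is to break the ARP traffic down by who is sending it and what they are asking for: a cable segment full of neighbours' routers probing each other looks very different from one host walking an address range. The script below is an added example, not code from the post; it parses raw Ethernet/ARP frames directly rather than going through Wireshark, and the frames it runs on are constructed inline so it works offline. The hosts, MAC addresses and 10.0.0.x addresses are made up for the demonstration.

```python
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test data: an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes):
    """Return a dict for an ARP-over-Ethernet frame, or None for anything else."""
    if len(frame) < 42:  # 14 bytes Ethernet + 28 bytes ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only the common Ethernet/IPv4 layout is handled here
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def summarize(frames):
    """Count ARP frames by type and sender; gratuitous = sender asks about its own IP."""
    stats = {"arp_frames": 0, "other_frames": 0, "requests": 0, "replies": 0,
             "gratuitous": 0, "by_sender": Counter(), "targets_by_sender": {}}
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            stats["other_frames"] += 1
            continue
        stats["arp_frames"] += 1
        if pkt["opcode"] == ARP_REQUEST:
            stats["requests"] += 1
        elif pkt["opcode"] == ARP_REPLY:
            stats["replies"] += 1
        if pkt["sender_ip"] == pkt["target_ip"]:
            stats["gratuitous"] += 1
        stats["by_sender"][pkt["sender_mac"]] += 1
        stats["targets_by_sender"].setdefault(pkt["sender_mac"], set()).add(pkt["target_ip"])
    return stats


def top_talkers(stats, n=5):
    """(sender MAC, frame count, distinct target IPs) sorted by frame count, busiest first."""
    return [(m, c, len(stats["targets_by_sender"][m]))
            for m, c in stats["by_sender"].most_common(n)]


# Constructed sample capture: one host asking about several neighbours,
# one reply, one gratuitous announcement, and one non-ARP (IPv4) frame.
H1, H2, H3 = mac("aa:aa:aa:aa:aa:01"), mac("aa:aa:aa:aa:aa:02"), mac("aa:aa:aa:aa:aa:03")
ZERO = b"\x00" * 6
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, H1, ip("10.0.0.1"), ZERO, ip("10.0.0.2")),
    build_arp_frame(ARP_REQUEST, H1, ip("10.0.0.1"), ZERO, ip("10.0.0.3")),
    build_arp_frame(ARP_REQUEST, H1, ip("10.0.0.1"), ZERO, ip("10.0.0.4")),
    build_arp_frame(ARP_REPLY, H2, ip("10.0.0.2"), H1, ip("10.0.0.1")),
    build_arp_frame(ARP_REQUEST, H3, ip("10.0.0.3"), ZERO, ip("10.0.0.3")),
    H1 + H2 + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 41,  # not ARP
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FRAMES)
    print(f"ARP: {s['arp_frames']}  other: {s['other_frames']}  requests: {s['requests']}  "
          f"replies: {s['replies']}  gratuitous: {s['gratuitous']}")
    for sender, count, distinct in top_talkers(s):
        print(f"{sender}  frames={count}  distinct targets={distinct}")
```

To run it against a real capture, feed `summarize()` the frame bytes from the pcap file Wireshark wrote (any pcap reader that yields raw link-layer frames will do). The "distinct targets" column is the useful one: a sender with many frames but a handful of targets is just a chatty neighbour keeping its cache warm, while many frames spread across many targets is worth a closer look.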
