[Winpcap-users] use of winpcap with PLC net
Jean-Luc Pamart
jlpamart at yahoo.fr
Tue Jan 29 16:32:24 GMT 2008
Thank you for your answers.
I try to capture some traffic from a PLC/USB node at the very beginning
of the power on of another PLC/USB device.
Like usual I see brodcast traffic, traffic from ant to my node but *in
unicast, nothing concerning the other station*.
I am now sure that the PLC/brigdes can't be listen with winpcap. I think
also that it's the case of all the sniffers acting at Ethernet level.
HOMEPLUG uses different channels and "private channels" for unicast traffic.
2 conséquences :
1/ HOMEPLUG nets are well protected (and even with the default HomePlug
key your neighbour can't see all the traffic)
2/ it would be very expensive to listen HOMEPLUG nets (perhaps CIA could !)
Guy Harris a écrit :
> Jean-Luc Pamart wrote:
>
>> Very important : at the very beginning (when the PLC/ETH bridges are
>> powered) they are obliged to pass all the traffic on the PLC "bus ".
>> So if winpcap is here => we can see this beginning traffic. Am I right ?
>
> *If* the bridges work that way (i.e., they start up in "pass all
> traffic" mode), yes, you would presumably see all traffic on your
> power wiring until the bridge "learns" the MAC address of the machine
> doing the capturing - and if you run Wireshark on a machine that
> *never* transmits any packets on its Ethernet interface (that might be
> hard to make happen), the bridge would presumably remain in that mode.
>
>>> That might be worth trying. With a USB adapter, there might be
>>> commands for the "Communications and CDC control" USB device class
>>> to put the adapter into promiscuous mode, and that might cause the
>>> adapter to capture all traffic on your power wires.
>>
>> Ok, I'll try that. But I have a doubt : perhaps PLC bridge hasn't the
>> capability to pass in promiscuous mode (desperate)
>> I hace found this document :
>> http://www.cnel.ufl.edu/~kkale/5718files/projReport.doc
>> <http://www.cnel.ufl.edu/%7Ekkale/5718files/projReport.doc>
>>
>> an extract :
>>
>> MAC Level Bridging
>> In the HomePlug Network System bridging is
>> accomplished by source-aware bridging. There are
>> two types of bridging prevalent in networks. One is
>> transparent bridging while the other is source – aware
>> bridging.
>> While both use MAC level addressing, in transparent
>> bridging the bridge gradually learns the addresses of
>> the various stations and stores them in a forwarding
>> table. It usually makes use of a spanning tree
>> algorithm to avoid loops. Transparent bridging
>> requires “promiscuous” reception of frames by the
>> bridge. Powerline, because of its unstable nature
>> requires the use of acknowledgements, which
>> becomes an issue when combined with “promiscuous
>> reception”. As acknowledgements occur while the
>> station is considered active on the channel, they are
>> required to be given special consideration.
>> In source-aware bridging the bridge is addressed as an
>> individual address in itself. Its address is mentioned
>> directly in the frame header. The bridge proxy is
>> obtained at the same time as when the station
>> performs the initial channel estimation and obtains
>> tone mapping.
>
> I'm not sure what type of bridging they're talking about. They seem
> to be talking about bridging between two networks, both of which have
> multiple stations on them. A simple bridge to let you plug a computer
> with an Ethernet into a HomePlug network has only one station on the
> Ethernet, although I guess if you plug that simple bridge into a hub
> or into the port on a switch used for forwarding traffic to other
> switches, it acts as a full-blown bridge.
>
> It sounds as if the bridges have their own MAC addresses; I presume
> the "bridge proxy" works by having the bridges, when they see an ARP
> request (or, at least, a broadcast ARP request) on the HomePlug
> network, forward the ARP request to the Ethernet, and, if they receive
> a reply from the host whose MAC address appears in the reply, replace
> that MAC address with their own MAC address, so that other stations on
> the HomePlug network will send packets to the bridge's MAC address,
> and the bridge will forward those packets to the host that sent the
> ARP reply to the bridge.
>
> With that type of bridge, it might again forward only broadcast and
> multicast packets, and unicast packets intended for one of the hosts
> it knows about, so you couldn't do promiscuous capture.
>
> Again, that wouldn't apply to a USB adapter, though, as that's not a
> bridge.
>
> *However*, if I'm correctly interpreting what I read at
>
> http://www.commsdesign.com/main/2000/12/0012feat5.htm
>
> there's a problem that might make it impossible to do promiscuous
> capture on HomePlug with *any* adapter. That page says
>
> Formed from a series of OFDM symbols, the HomePlug data-bearing
> packet consists of a start-of-frame delimiter, a payload, and an
> end-of-frame delimiter (see Figure 3). For unicast transmissions, the
> destination station responds by transmitting a response delimiter
> indicating the status of the reception (ACK, NACK, or FAIL).
>
> The delimiter consists of a preamble sequence followed by a TPC
> encoded frame control field. The preamble sequence is chosen to
> provide good correlation properties so each receiver can reliably
> detect the delimiter, even with substantial interference and a lack of
> knowledge of the transfer function that exists between the receiver
> and the transmitter interference.
>
> The frame control contains MAC layer management information (for
> example, packet lengths, and response status). The low rate TPC and
> interleaving used on the frame control provide good immunity to
> frequency selective impairments as well as broadband interference. All
> three delimiter types have the same structure, but the data carried in
> the delimiter varies depending on the delimiter function.
>
> Unlike the delimiters, the payload portion of the packet is
> intended only for the destination receiver. Payload data is carried
> only on a set of carriers that have been previously agreed upon by the
> transmitter and intended receiver during a channel adaptation procedure.
>
> It sounds as if, even though the power wiring is treated as a shared
> bus, so the analog signals for a packet can be seen by all stations on
> the power wiring, only a station that knows what carriers are being
> used for a particular packet's payload could demodulate those analog
> signals and turn them into bits. The intended recipient knows that -
> but other stations on the network might not. In theory, it might be
> possible for a station to keep track of all sender/recipient pairs by
> watching the negotiation traffic that I presume is used on the network
> (although if the negotiation takes place before the sniffing station
> is plugged into the network, that can't happen), but I suspect the
> normal bridges *and* USB adapters you can get don't bother doing that.
>
> I.e., it might be difficult, and maybe impossible, for any station on
> a HomePlug network to capture all the traffic on that network.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
More information about the Winpcap-users
mailing list