Snort on Linksys WRT54G Wireless Router Help
I've sent you 2 other files with ping, one is tftp attempt during ping and the other is ping, tftp attempt and ping again...
I can't beleive it is dead, it wouldn't ping i suppose but again i'm not an expert ;)
i'll go on trying ! i've decided i wouldn't stop untill i succeed (yes i'm optimistic kind a guy) ;))
I can't beleive it is dead, it wouldn't ping i suppose but again i'm not an expert ;)
i'll go on trying ! i've decided i wouldn't stop untill i succeed (yes i'm optimistic kind a guy) ;))
Yep, I see the echo requests and responses then 5 tftp write requests and not a peep back, then more echo requests and responses.BillyG wrote:I've sent you 2 other files with ping, one is tftp attempt during ping and the other is ping, tftp attempt and ping again...
I never used the term dead. Screwed was the term I used in #1 in my last post. :) It is possible that when shorted the tcp/ip stack gets loaded but something is preventing the tftp server from loading. This would exhibit the observed behavior. I do believe this scenerio is not as likely as the other 2 though.I can't beleive it is dead, it wouldn't ping i suppose but again i'm not an expert ;)
If you had a second machine that you could sniff from on a hub with the first machine that would eliminate scenerio #2 (firewall blocking).
Scenerio #3 is very possible if you aren't really getting the pins shorted properly. You might also check very carefully that you haven't damaged the pins so that they are touching each other. Also, you might try just a plain nmap to see if any other ports are open. This might indicate whether it has booted all the way up:
# nmap 192.168.1.1
I think if none of this gets you going and you really won't stop until you succeed then your next step would be building a serial console connection so you can actually see the boot messages while you boot it. You could see exactly why the tftp server isn't starting. Another easier option to try first might be to build the JTAG connection. I have never done either of these as I have never bricked a router bad enough to need to so I can't help much beyond this. There are several threads on how to do this on the openwrt.org forums and wiki.i'll go on trying ! i've decided i wouldn't stop untill i succeed (yes i'm optimistic kind a guy) ;))
i've done the nmap it says :
Why doesn't it say "open", sorry but what means "filtered" ?
Code: Select all
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-05 16:21 CET
All 1672 scanned ports on 192.168.1.1 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 62.316 seconds
The only way a port shows open is if there is a service (program) that is bound to that port. For instance, when the tftpd program is running it binds to and opens UDP port 69. When sshd is running it binds to and opens TCP port 22, etc. "Filtered" means there is a firewall in the way and nmap can't tell whether the port is open or closed. See description here:
http://www.insecure.org/nmap/man/index. ... escription
Give me a minute and I'll short the pins on one of my routers and see if I get the same results.
EDIT: I get the same results:
So, to recap I can't see anything that you are doing wrong. As long as you are getting pings within a couple of seconds of plugging the power in and they continue without stopping then your router should be in the proper mode. If you are positive you are not filtering (firewall client) on your Mac then the only next step is a cable so you can actually see the console messages.
http://www.insecure.org/nmap/man/index. ... escription
Give me a minute and I'll short the pins on one of my routers and see if I get the same results.
EDIT: I get the same results:
Code: Select all
# nmap 192.168.1.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-05 10:01 CST
All 1672 scanned ports on 192.168.1.1 are: filtered
MAC Address: 00:0C:41:xx:xx:xx (The Linksys Group)
SUCCESS !
Ok, this is stupid but if you don't know it you can try a long time like i did without result (at least for a European GS v4)
The fact is that every time i was rebooting the router, the first time i was trying to upload something it told me "code pattern incorrect" and then the following times, just the timeout. I searched on the net and found out that "code pattern incorrect" is when you don't have the good firmware. But mine was ok, the only thing was that it was not the original Linksys one !
So i dled it from linksys site and then it f... worked !!!
So again a success story but that was dumb !
;))
A last thx for Void because without the short i discovered on his page, i wouldn't have succeeded :))
Ok, this is stupid but if you don't know it you can try a long time like i did without result (at least for a European GS v4)
The fact is that every time i was rebooting the router, the first time i was trying to upload something it told me "code pattern incorrect" and then the following times, just the timeout. I searched on the net and found out that "code pattern incorrect" is when you don't have the good firmware. But mine was ok, the only thing was that it was not the original Linksys one !
So i dled it from linksys site and then it f... worked !!!
So again a success story but that was dumb !
;))
A last thx for Void because without the short i discovered on his page, i wouldn't have succeeded :))
Good news! I even searched for that error but thought it was something specific to your client. I did think of a possible bad firmware, but why when you did the tcpdump did I not see any data transferred? Even if it was a bad firmware it would have had to be sent to the router before it could reject it. I did not see this in the sniff.
No indeed the transfer never began, i always had the "code pattern incorrect" and then the timeout. Apparently (and i don't know how, maybe a header or something like that) but the router is able to detect something. Maybe does it act like this when the Flash is empty (i guess so otherwise it wouldn't be possible to upload something different than linksys FW).
And the question of the size is not the determinant factor here because i even tried some other small (<3Megs) FW with the same result...
And the question of the size is not the determinant factor here because i even tried some other small (<3Megs) FW with the same result...
Oh well, you got it working so if anyone else runs into the same problem they'll know how to fix it. Thanks! Actually, now that I think about it. The capture you sent me must have been from the "timeout". That is exactly what I would expect with a timeout. If you had sniffed when you got that error code I probably would have spotted your problem.
Re: Snort on Linksys WRT54G Wireless Router Help
Void, is this issue still open?Void Main wrote: Original Post
I'd be interested in helping. The reason being i'm looking to get an OpenWRT router setup myself (a WRTSL54GS if I can get one imported).
So, there are ulterior motives, but i'm here to help!
I have got Debian Etch (MIPS Little-endian) running under QEMU in preparation for the task.
Wow, apparently I haven't been keeping up on the latest WRT happenings. How did I miss this little gem?!? I have 3 WRT54G and 1 WRT54GS boxes but a USB port would open up so many more possibilities! Has anyone booted Debian on one of these devices? I use OpenWRT on all my current WRTs. I wonder if it's possible to boot the device directly from USB or do you have to have your kernel and boot image on the internal flash? A thumbdrive with Debian installed would make a pretty cool little firewall box.
I don't currently run Snort on the WRT but it should work:
http://www.linux.com/article.pl?sid=06/03/20/2239256
The problem is Snort can be very resource intensive so I run it on another system to sniff the public side of my WRT firewall. I suppose if you just want minimal rules to sniff the wireless side it should be workable. It looks like people have it working with a remote MySQL database in that article. Maybe I will have to pick up one of these. Why wouldn't they offer these things where you live?
I don't currently run Snort on the WRT but it should work:
http://www.linux.com/article.pl?sid=06/03/20/2239256
The problem is Snort can be very resource intensive so I run it on another system to sniff the public side of my WRT firewall. I suppose if you just want minimal rules to sniff the wireless side it should be workable. It looks like people have it working with a remote MySQL database in that article. Maybe I will have to pick up one of these. Why wouldn't they offer these things where you live?