Port-Mirroring / Span Port / Monitor Port with iptables

Hey,

I was facing the following problem:

I had a router (Netgear WGR614L) and I needed to attach a TCP monitor PC (tcpdump) to one of its LAN ports. The fact that the router is a switch makes that not so trivial: a switch only forwards a packet to the port where the destination MAC address is known, so each connected network device only receives the packets which are destined for that specific device.

Expensive switches provide a feature called „Port-Mirroring“, „Span Port“ or „Monitor Port“, which simply copies all packets from another port to that monitor port. Sadly our cheap router doesn't provide that functionality.

After a day of forum and Google searching, all I found was the question of how to do this and the answer that it's impossible.

But then I asked in the www.myopenrouter.com forum and got a brilliant answer (thanks again to ciscostu).

The solution lies in iptables.

There is an experimental target (ROUTE) which offers an option (--tee) that behaves like the good old Linux „tee“ command: it copies the packet to a target IP address and then goes on with the normal behaviour (routing it to its normal destination).

So how can we use this for our port-mirroring?

Imagine our router has the IP address 192.168.1.1 and our monitor PC has the IP address 192.168.1.254. Then the following two lines will do the trick:

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee

iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee

This will send a copy of all packets to the monitor PC with the IP 192.168.1.254.

On the monitor we simply start tcpdump with our desired options and can monitor all traffic…

In my example I'm interested in all traffic involving the IP 192.168.1.3, so I call:

tcpdump (…) host 192.168.1.3

Where (…) are some more options for logging and stuff…
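The rules above and the tcpdump call, put together as a small script with the checks you would want before touching a router's firewall. This is an added example, not code from the original post or from the forum answer it describes. The router IP, monitor IP and the /24 prefix are taken from the post; the LAN interface name br0, the capture interface eth0 and the pcap file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: build (and optionally apply)
# the ROUTE --tee mirroring rules from the post, with a few sanity checks.
# Assumed values: router 192.168.1.1, monitor 192.168.1.254, LAN prefix /24,
# LAN bridge br0 (constructed for the example; adjust to your router).

ROUTER_IP=192.168.1.1
MONITOR_IP=192.168.1.254
LAN_PREFIX=24
LAN_IF=br0   # assumed LAN bridge name; check with "ip link" on the router

# ip2int A.B.C.D -> 32-bit integer; returns 1 (and prints nothing) if malformed
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> success if both lie in the same network.
# ROUTE --gw sends the copy to a directly reachable host, so the monitor
# must sit on the router's LAN for the copies to arrive at all.
same_subnet() {
    a=$(ip2int "$1") || return 1
    b=$(ip2int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# mirror_rules MONITOR_IP -> prints the two rule commands. Traffic to or from
# the monitor itself is excluded so the monitor does not receive a second
# copy of packets that are already addressed to it.
mirror_rules() {
    m=$1
    ip2int "$m" >/dev/null || { echo "bad monitor IP: $m" >&2; return 1; }
    for chain in PREROUTING POSTROUTING; do
        echo "iptables -t mangle -A $chain ! -s $m ! -d $m -j ROUTE --gw $m --tee"
    done
}

# capture_cmd IFACE HOST -> tcpdump line for the monitor PC
# (-n: no DNS lookups, -w: write raw packets to a pcap file for later analysis)
capture_cmd() {
    echo "tcpdump -n -i $1 -w mirror.pcap host $2"
}

# have_route_target -> success if this iptables can load the ROUTE extension.
# ROUTE is not part of stock iptables (it came from patch-o-matic-ng /
# xtables-addons), so this is the first thing to check when rules are refused.
have_route_target() {
    iptables -j ROUTE --help >/dev/null 2>&1
}

# Only touch the firewall when explicitly asked: "sh mirror.sh apply"
if [ "${1:-}" = apply ]; then
    same_subnet "$ROUTER_IP" "$MONITOR_IP" "$LAN_PREFIX" \
        || { echo "monitor must be on the router's LAN ($LAN_IF)" >&2; exit 1; }
    have_route_target || { echo "iptables has no ROUTE target" >&2; exit 1; }
    mirror_rules "$MONITOR_IP" | sh -e
    echo "on the monitor PC run: $(capture_cmd eth0 192.168.1.3)"
fi
```

Two things worth knowing before relying on this: a packet the router forwards between two LAN hosts traverses both PREROUTING and POSTROUTING, so the monitor gets two copies of it (packets addressed to the router itself only pass PREROUTING, locally generated ones only POSTROUTING, which is why both rules are needed). And `iptables -j ROUTE --help` only proves the userspace extension is installed; if the kernel lacks the matching module, `-A` will still fail. On kernels from 2.6.35 onward the same copying is available in mainline as the TEE target (`-j TEE --gateway <ip>`), which is the one to reach for when ROUTE is missing.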

I hope this little guide helps many many people and I'd appreciate some comments 🙂

Gr33tz Goddchen

8 thoughts on „Port-Mirroring / Span Port / Monitor Port with iptables“

  1. Lemming

    Didn't work for me, any suggestions?

    Linux OpenWrt 2.4.35.4 #41 Tue Nov 4 01:20:52 UTC 2008 mips unknown

    root@OpenWrt:~# iptables -A PREROUTING -t mangle -j ROUTE -gw 192.168.1.254 --tee
    iptables v1.3.8: Unknown arg `-gw'

  2. Goddchen (post author)

    Hm, not really. But it seems to be a common problem with some iptables versions… I don't remember which one I used to make it work 🙁 Maybe some more Google research may reveal some workaround for that problem?

  3. doubledash

    @Lemming:

    The „-gw“ argument should be „--gw“ (notice it has two hyphens, not one). The „-tee“ argument should also have two hyphens, like so: „--tee“.

    The rest of the arguments are correct; „-A“, „-t“ and „-j“ should have only one hyphen.

    The general shell rule of thumb is that when a command-line option has more than one letter, it gets two hyphens.

  4. Pingback: IPtables PortMirroring Centos 6.4

  5. Goddchen (post author)

    Pretty sure, yes 🙂 I just don't know the answer out of my head right now. I'd just need to refer you to the all-knowing Google 😉
