Hey,
i was facing the following problem:
I had a router (Netgear WGR614L) and i needed to attach a tcp monitor pc (tcpdump) to one of it’s LAN ports. The fact the the router is a switch makes that not so trivial. The switch only forwards packets to the port where the destinaion mac address is known. So each connect network device only receives the packets which are destined for that specific device.
Expensive switches provides a functionality which is called „Port-Mirroring“, „Span Port“ or „Monitor Port“. Which simply does the following: Copy all packets from another port to that monitor port. Sadly our cheap router doesn’t provide that functionality.
After a day of forum search and google search all i found was the question on how to do this and the answer that it’s impossible.
But then i asked in www.myopenrouter.com forum and got a brilliant answer (thanks again to ciscostu).
The solution lies in iptables.
There is an experimental target (ROUTE) which offers an option (–tee) that behaves like the good old linux „tee“ command. It copies a packet to a target ip address and then goes on with the normal behaviour (routering it to it’s normal target).
So how an we use this for our port-mirroring?
Imagine our router has the ip address 192.168.1.1, our monitor pc has the ip address 192.168.1.254. Then the following two lines will do the trick:
iptables -A PREROUTING -t mangle -j ROUTE –gw 192.168.1.254 –tee
iptables -A POSTROUTING -t mangle -j ROUTE –gw 192.168.1.254 –tee
This will send a copy of all packets to the monitor pc with the ip 192.168.1.254.
On the monitor we simply start tcpdump with our desired options and we can monitor all traffic…
In my example i’m interested in all traffic which has to do with the ip 192.168.1.3 so i call:
tcpdump (…) host 192.168.1.3
Where (…) are some more options for logging and stuff…
I hope this little guide helps many many people and i’d appreciate some comments 🙂
Gr33tz Goddchen
