Posted: Mon Jul 20, 2009 1:30 Post subject: Port mirroring?
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?
Posted: Mon Jul 20, 2009 2:36 Post subject:
I do not think there is such a feature as "port mirroring"; however, you can set up the DD-WRT firewall to log all packets going through it. Then you must use a program on your computer to take what the firewall sends to it and display it for you.
Posted: Mon Jul 20, 2009 3:42 Post subject: Re: Port mirroring?
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?
WireShark http://www.wireshark.org/
Posted: Mon Jul 20, 2009 3:57 Post subject: Re: Port mirroring?
andreev2001 wrote:
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?
Posted: Mon Jul 20, 2009 4:22 Post subject: Re: Port mirroring?
DHC_DarkShadow wrote:
andreev2001 wrote:
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?
I believe he's talking about mirroring not monitoring.
Are you sure?
He states he wants mirroring in order to monitor. Any hub just repeats all network packets to all ports. No special software is required. Then what? Someone will need to capture the packets and do whatever is needed. As far as I know all routers are switches. Not hubs. Switches distribute packets in order to reduce the traffic. In any case, WireShark is a very good place to start.
There are several threads on network taps/port mirroring already. It can be done with iptables' ROUTE target. Do a search or see the iptables man page.
Posted: Mon Jul 20, 2009 12:57 Post subject: port monitoring
Yep, I was talking about port monitoring (http://en.wikipedia.org/wiki/Port_mirroring). I'd like my network hub to send copies of all network packets sent through my Linksys router to my monitoring PC, which is a wireless client on the router. My monitoring PC has Wireshark on it, where I can analyze the packets as needed.
I did not realize you could replicate this effect with iptables, I'll take a look at that.
Hi,
Did you find out how to capture network traffic or have port mirroring functionality in the WRT54G2? I would like to analyze MSN traffic (as per company requirement).
These commands will make a copy of network traffic that has source and destination 192.168.1.100 and will send it to 192.168.1.101. Wireshark can be run on 192.168.1.101 in order to sniff the traffic made by 192.168.1.100.
You can use:
iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101
for copying all network traffic and sending it to 192.168.1.101, but I don't recommend it. Your router will run slower. You should send only what you want to sniff.
Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.
These commands will make a copy of network traffic that has source and destination 192.168.1.100 and will send it to 192.168.1.101.
After running those commands (w/ IPs replaced of course), I ran "route" and the routing table doesn't look any different. Is that expected?
My problem may be the same as rjbell4's (also running a VPN version). No packets show up, e.g. when running "tcpdump host 192.168.1.100" on 192.168.1.101.
rjbell4, did you get it working?
phuzi0n wrote:
Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.
After running those commands (w/ IPs replaced of course), I ran "route" and the routing table doesn't look any different. Is that expected?
These are iptables commands, they do not modify the routing table, they supersede it.
jgombos wrote:
phuzi0n wrote:
Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.
Where are the announcements posted?
At the top of the forum...
I've discovered the command to verify that the iptables command took effect:
iptables -t mangle -L -v -n
When I run that, I can see (for example) something like:
Code:
Chain PREROUTING (policy ACCEPT 6519K packets, 3848M bytes)
 pkts bytes target     prot opt in     out     source               destination
23280 7090K ROUTE      0    --  *      *       192.168.1.100        0.0.0.0/0           ROUTE gw:192.168.1.101 tee
Does that mean I'm working with a version of dd-wrt that works for this? I didn't notice anything related in the announcements forum stickies. I'm not running any of the blackballed versions (pre-sp2).
Does that mean I'm working with a version of dd-wrt that works for this? I didn't notice anything related in the announcements forum stickies. I'm not running any of the blackballed versions (pre-sp2).
You didn't notice the forum rules suggesting you provide certain details like what version you ARE using either, but yes you've got a build that supports the route target.
You may want to try using another packet capturing program such as Wireshark. If you're using Vista/Win7 then you'll need to run it as administrator to get the proper privileges to sniff the NIC's raw traffic.
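An added example, not part of any post in this thread: a shell sketch that prints host-scoped ROUTE tee rules (the approach recommended above instead of mirroring everything) and parses `iptables -t mangle -L -v -n` output to confirm each rule exists and is counting packets. The function names are hypothetical, the PREROUTING/POSTROUTING rule pair is an assumption inferred from the listing and the `-d 0.0.0.0/0` command quoted in the thread, and the POSTROUTING rows of the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Prints host-scoped mirror rules and
# checks `iptables -t mangle -L -v -n` output for them. Nothing is executed
# against the firewall; the functions only produce and parse text.

is_ipv4() {
    # Loose dotted-quad check: four groups of 1-3 digits.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# mirror_rules HOST MONITOR (hypothetical helper)
# Emits one rule per direction so only HOST's traffic is copied to MONITOR.
mirror_rules() {
    host=$1 monitor=$2
    is_ipv4 "$host" && is_ipv4 "$monitor" || { echo "bad address" >&2; return 2; }
    [ "$host" != "$monitor" ] || { echo "host and monitor must differ" >&2; return 2; }
    echo "iptables -t mangle -A PREROUTING -s $host -j ROUTE --tee --gw $monitor"
    echo "iptables -t mangle -A POSTROUTING -d $host -j ROUTE --tee --gw $monitor"
}

# tee_rule_hits LISTING HOST MONITOR (hypothetical helper)
# Prints "<chain> <pkts>" for every ROUTE tee rule that matches HOST and
# MONITOR; exit status 1 when no such rule is present in the listing.
tee_rule_hits() {
    printf '%s\n' "$1" | awk -v h="$2" -v m="$3" '
        $1 == "Chain" { chain = $2; next }
        $3 == "ROUTE" && ($8 == h || $9 == h) && index($0, "gw:" m " tee") {
            print chain, $1; found = 1
        }
        END { exit !found }'
}

# Constructed sample: the PREROUTING rule line is the one quoted in the
# thread; the POSTROUTING part is made up to show a rule with no hits.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 6519K packets, 3848M bytes)
 pkts bytes target prot opt in out source destination
23280 7090K ROUTE 0 -- * * 192.168.1.100 0.0.0.0/0 ROUTE gw:192.168.1.101 tee

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ROUTE 0 -- * * 0.0.0.0/0 192.168.1.100 ROUTE gw:192.168.1.101 tee'

mirror_rules 192.168.1.100 192.168.1.101
tee_rule_hits "$SAMPLE_LISTING" 192.168.1.100 192.168.1.101
```

A rule that is listed with a packet count of 0 has not matched any traffic since the counters were last reset, which separates "rule missing" from "rule present but nothing reaching it" when no packets show up on the monitoring host.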