Port mirroring?

DD-WRT Forum Index -> Broadcom SoC based Hardware
rustycp
DD-WRT Novice


Joined: 20 Jul 2009
Posts: 2

Posted: Mon Jul 20, 2009 1:30    Post subject: Port mirroring?
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Mon Jul 20, 2009 2:36    Post subject:
I do not think there is such a feature as "port mirroring"; however, you can set up the DD-WRT firewall to log all packets going through it. Then you must use a program on your computer to take what the firewall sends to it and display it for you.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
andreev2001
DD-WRT User


Joined: 06 Feb 2008
Posts: 93

Posted: Mon Jul 20, 2009 3:42    Post subject: Re: Port mirroring?
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?


WireShark http://www.wireshark.org/

_________________
Belkin F5D8230-4 ver 1, 4MB Flash, 16MB RAM, FIC ID SA3-AGN0901AP0100.
CPU BCM4704KPB, Switch BCM5325A2KQM WiFi Atheros AR5416. Running dd-wrt.24_Atheros_wifi.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

Posted: Mon Jul 20, 2009 3:57    Post subject: Re: Port mirroring?
andreev2001 wrote:
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?


WireShark http://www.wireshark.org/


I believe he's talking about mirroring not monitoring.

_________________
The New Me
andreev2001
DD-WRT User


Joined: 06 Feb 2008
Posts: 93

Posted: Mon Jul 20, 2009 4:22    Post subject: Re: Port mirroring?
DHC_DarkShadow wrote:
andreev2001 wrote:
rustycp wrote:
I have a Linksys WRT54G2 ver 1, and I would like to have a port mirroring option on the router, which would send a copy of all network packets on the router to a single ip address for monitoring. Does the dd-wrt micro-generic software have a port mirroring feature, and if so, what is it named within the software?


WireShark http://www.wireshark.org/


I believe he's talking about mirroring not monitoring.


Are you sure?
He states he wants mirroring in order to monitor. Any hub just repeats all network packets to all ports. No special software is required. Then what? Someone will need to capture the packets and do whatever is needed. As far as I know, all routers are switches, not hubs. Switches distribute packets in order to reduce the traffic. In any case, Wireshark is a very good place to start.

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Jul 20, 2009 6:57    Post subject:
There are several threads on network taps/port mirroring already. It can be done with iptables' ROUTE target. Do a search or see the iptables man page.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
rustycp
DD-WRT Novice


Joined: 20 Jul 2009
Posts: 2

Posted: Mon Jul 20, 2009 12:57    Post subject: port monitoring
Yep, I was talking about port monitoring (http://en.wikipedia.org/wiki/Port_mirroring). I'd like my network hub to send copies of all network packets sent through my Linksys router to my monitoring PC, which is a wireless client on the router. My monitoring PC has Wireshark on it, where I can analyze the packets as needed.

I did not realize you could replicate this effect with iptables; I'll take a look at that.
dh
DD-WRT Novice


Joined: 01 Jan 2010
Posts: 1

Posted: Fri Jan 01, 2010 16:58    Post subject:
Hi,
Did you find out how to capture network traffic or have port mirroring functionality in the WRT54G2? I would like to analyze MSN traffic (as per company requirement).

Thanks
svionut25
DD-WRT Novice


Joined: 20 Jun 2009
Posts: 9

Posted: Fri Jan 01, 2010 17:19    Post subject:
iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

These commands will make a copy of the network traffic that has source and destination 192.168.1.100 and will send it to 192.168.1.101. Wireshark can be run on 192.168.1.101 in order to sniff the traffic made by 192.168.1.100.

You can use:
iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

for copying all network traffic and sending it to 192.168.1.101, but I don't recommend it. Your router will run slower. You should send only what you want to sniff.
rjbell4
DD-WRT Novice


Joined: 09 Jan 2010
Posts: 1

Posted: Mon Jan 11, 2010 19:58    Post subject: iptables ROUTE target
I can't get the ROUTE iptables target to work on my system with "DD-WRT v24 RC-6 (01/02/08) vpn". Was it added / removed in a particular version?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Jan 11, 2010 22:20    Post subject:
Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.
jgombos
DD-WRT User


Joined: 03 Nov 2007
Posts: 68

Posted: Sat Mar 20, 2010 11:55    Post subject:
svionut25 wrote:
iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

These commands will make a copy of the network traffic that has source and destination 192.168.1.100 and will send it to 192.168.1.101.


After running those commands (w/ IPs replaced of course), I ran "route" and the routing table doesn't look any different. Is that expected?

My problem may be the same as rjbell4's (also running a VPN version). No packets show up, e.g. when running "tcpdump host 192.168.1.100" on 192.168.1.101.

rjbell4, did you get it working?

phuzi0n wrote:

Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.

Where are the announcements posted?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Mar 20, 2010 17:49    Post subject:
jgombos wrote:
After running those commands (w/ IPs replaced of course), I ran "route" and the routing table doesn't look any different. Is that expected?

These are iptables commands, they do not modify the routing table, they supersede it.

jgombos wrote:
phuzi0n wrote:
Yes, you will need a current version for the route target. Read the announcements to get a build that is actually supported.

Where are the announcements posted?

At the top of the forum...

jgombos
DD-WRT User


Joined: 03 Nov 2007
Posts: 68

Posted: Sat Mar 20, 2010 20:37    Post subject:
I've discovered the command to verify that the iptables command took effect:

iptables -t mangle -L -v -n

When I run that, I can see (for example) something like:
Code:

Chain PREROUTING (policy ACCEPT 6519K packets, 3848M bytes)
 pkts bytes target   prot opt in   out   source         destination
23280 7090K ROUTE    0    --  *    *     192.168.1.100  0.0.0.0/0     ROUTE gw:192.168.1.101 tee


Does that mean I'm working with a version of dd-wrt that works for this? I didn't notice anything related in the announcements forum stickies. I'm not running any of the blackballed versions (pre-sp2).
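
Added example, not part of the original posts: a shell helper that compares two counter listings like the one quoted above and reports how much each ROUTE tee rule's packet counter grew between them. The listings are constructed, the function name mirror_delta is hypothetical, and the parsing assumes the column layout shown in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Both listings are constructed, modelled
# on the `iptables -t mangle -L -v -n` output quoted in the post above.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 6519K packets, 3848M bytes)
 pkts bytes target   prot opt in   out   source         destination
23280 7090K ROUTE    0    --  *    *     192.168.1.100  0.0.0.0/0     ROUTE gw:192.168.1.101 tee

Chain POSTROUTING (policy ACCEPT 6000K packets, 3500M bytes)
 pkts bytes target   prot opt in   out   source         destination
99000  120M ROUTE    0    --  *    *     0.0.0.0/0      192.168.1.100 ROUTE gw:192.168.1.101 tee'

SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 6520K packets, 3849M bytes)
 pkts bytes target   prot opt in   out   source         destination
23280 7090K ROUTE    0    --  *    *     192.168.1.100  0.0.0.0/0     ROUTE gw:192.168.1.101 tee

Chain POSTROUTING (policy ACCEPT 6002K packets, 3501M bytes)
 pkts bytes target   prot opt in   out   source         destination
 101K  121M ROUTE    0    --  *    *     0.0.0.0/0      192.168.1.100 ROUTE gw:192.168.1.101 tee'

# mirror_delta GW EARLIER LATER   (hypothetical helper name)
# Prints "chain source destination delta" for every ROUTE tee rule that copies
# to GW, where delta is the growth of the rule's packet counter between the
# EARLIER and LATER listing texts.
mirror_delta() {
    { printf '%s\n' "$2"; echo '== later =='; printf '%s\n' "$3"; } |
    awk -v gw="$1" '
        # iptables abbreviates counters above 99999 in units of 1000 (K, M, G)
        # unless -x is given, so deltas from abbreviated values are approximate.
        function expand(v,    n, s) {
            n = v + 0; s = substr(v, length(v))
            if (s == "K") return n * 1000
            if (s == "M") return n * 1000000
            if (s == "G") return n * 1000000000
            return n
        }
        BEGIN { pass = 1 }
        $0 == "== later ==" { pass = 2; next }
        $1 == "Chain" { chain = $2; next }
        $3 == "ROUTE" && $NF == "tee" && $(NF-1) == ("gw:" gw) {
            key = chain " " $8 " " $9
            if (pass == 1) before[key] = expand($1)
            else printf "%s %.0f\n", key, expand($1) - before[key]
        }'
}

mirror_delta 192.168.1.101 "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On the router the two texts would come from two runs of `iptables -t mangle -L -v -n -x` taken a few seconds apart while the monitored host is active. A delta of 0 means the rule matched nothing in that interval; a growing delta means the rule is matching, so the remaining checks are on the path to the monitoring host and the capture there.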
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sun Mar 21, 2010 0:52    Post subject:
jgombos wrote:
Does that mean I'm working with a version of dd-wrt that works for this? I didn't notice anything related in the announcements forum stickies. I'm not running any of the blackballed versions (pre-sp2).

You didn't notice the forum rules suggesting you provide certain details like what version you ARE using either, but yes you've got a build that supports the route target.

You may want to try using another packet capturing program such as Wireshark. If you're using Vista/Win7 then you'll need to run it as administrator to get the proper privileges to sniff the NIC's raw traffic.

Page 1 of 3. All times are GMT.