Port mirroring?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3  Next
Author Message
hajjar
DD-WRT Novice


Joined: 29 Jun 2010
Posts: 3

PostPosted: Tue Jun 29, 2010 21:56    Post subject: iptables --tee does not work with my router/fw Reply with quote
Linksys WRT54G2 v1
DD-WRT v24-sp2 (12/28/09) micro - build 13525

After reading several topics, I got stuck.
In this thread, apparently some of you guys managed to get it working.

I'm trying to enable "mirroring" to a certain dest host (192.168.0.100) with the following code:
Code:
iptables -t mangle -A POSTROUTING -s 192.168.0.100 -j ROUTE --tee --gw 192.168.0.232
iptables -t mangle -A PREROUTING -s 192.168.0.100 -j ROUTE --tee --gw 192.168.0.232


And checking with:
Code:
iptables -t mangle -L -v -n


But always getting an empy list:
Code:
Chain PREROUTING (policy ACCEPT 20273 packets, 7194K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 7661 packets, 936K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 12930 packets, 6313K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8647 packets, 4833K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 22234 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination


Is iptables --tee supported in this fw version?

Thanks in advance
Sponsor
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Jun 29, 2010 22:44    Post subject: Re: iptables --tee does not work with my router/fw Reply with quote
hajjar wrote:
Linksys WRT54G2 v1
DD-WRT v24-sp2 (12/28/09) micro - build 13525
[...]
Is iptables --tee supported in this fw version?

The ROUTE target is not included in any micro builds due to their extremely limited flash space.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
hajjar
DD-WRT Novice


Joined: 29 Jun 2010
Posts: 3

PostPosted: Tue Jun 29, 2010 23:47    Post subject: Re: iptables --tee does not work with my router/fw Reply with quote
phuzi0n wrote:
hajjar wrote:
Linksys WRT54G2 v1
DD-WRT v24-sp2 (12/28/09) micro - build 13525
[...]
Is iptables --tee supported in this fw version?

The ROUTE target is not included in any micro builds due to their extremely limited flash space.


phuzi0n, thanks for clarifying this.

As micro build seems to be the only supported by my device, I need to get a new one.
Wich build version is needed to achive this feature?
arnoldg
DD-WRT Novice


Joined: 13 Aug 2010
Posts: 2

PostPosted: Fri Aug 13, 2010 12:46    Post subject: Reply with quote
how do i remove a rule i made this one and now the load is pretty high, how do i remove it ?

iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Aug 13, 2010 13:40    Post subject: Reply with quote
arnoldg wrote:
how do i remove a rule i made this one and now the load is pretty high, how do i remove it ?

iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

Run the same commands with -D to delete them instead of -A or -I which append/insert them. Or if you put the commands in your firewall script then just remove them from the firewall script.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
j666gak
DD-WRT Novice


Joined: 28 Feb 2011
Posts: 5

PostPosted: Wed Jan 11, 2012 22:20    Post subject: Reply with quote
svionut25 wrote:
iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

This commands will make a copy of network traffic that have source and destination 192.168.1.100 and will send it to 192.168.1.101. On 192.168.1.101 can be run wireshark in order to sniff the traffic made by 192.168.1.100.

You can use:
iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

for copying all network traffic and sending it to 192.168.1.101, but i don't recommend it. You router will run slower. You should send only what you want to sniff.


A while a go I bought a D-Link DIR-615 that came flashed with DD-WRT v24-sp2 (04/23/10) std. I am trying at the moment to setup port mirroring/network tap via IPTABLES on the AP which is not working as suggested above.

I think I may need the firmware updating however i'm not sure what chipset or whatever I have eg Broadcom? and as DD-WRT is already on my AP can I user the web GUI to point to a file to upgrade the firmware?

Thanks very much for your help

Guy
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Jan 17, 2012 19:23    Post subject: Reply with quote
The router DB and supported devices wiki page will both tell you what chipset your router has. You should run the command in the OP to check if the commands are being applied though.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
jfandl
DD-WRT Novice


Joined: 11 Mar 2013
Posts: 2

PostPosted: Mon Mar 11, 2013 14:16    Post subject: IPTables Not modifying mangle table Reply with quote
svionut25 wrote:
iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 192.168.1.100 -j ROUTE --tee --gw 192.168.1.101

This commands will make a copy of network traffic that have source and destination 192.168.1.100 and will send it to 192.168.1.101. On 192.168.1.101 can be run wireshark in order to sniff the traffic made by 192.168.1.100.

You can use:
iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw 192.168.1.101

for copying all network traffic and sending it to 192.168.1.101, but i don't recommend it. You router will run slower. You should send only what you want to sniff.


I am trying to port mirror all WIFI traffic (ath0) to a PC running wireshark but it seems the IPTables commands are not modifying the mangle table. I've tried so many combinations but without any luck. I can enter the commands as above but nothing happens. I've also tried:

iptables -t mangle -A POSTROUTING -i ath0 -j ROUTE --tee --gw 192.168.1.128
iptables -t mangle -A POSTROUTING -i ath0 -j DNAT --to 192.168.1.128

and many other combinations. I always run: iptables -t mangle -vnL after the command to see if it worked and some times I get no output.

If I run the --tee command sometimes it gives and invalid command.

I have a DIR825 C1 with the latest (only build) for this router: V24-preSP2/2013/02-11-2013-r20675/dlink-dir825-c1/ at ftp.dd-wrt.com

Is it the build or am I doing something wrong?

Here is the results I get no matter what IPTables commands I run iptables -t mangle -vnL :

Chain PREROUTING (policy ACCEPT 5921 packets, 2183K bytes)
pkts bytes target prot opt in out source destination
0 0 MARK 0 -- !vlan2 * 0.0.0.0/0 66.229.111.154 MARK or 0x80000000
5921 2183K CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
Chain INPUT (policy ACCEPT 1930 packets, 172K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 3900 packets, 1990K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3087 packets, 2779K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 6998 packets, 4770K bytes)
pkts bytes target prot opt in out source destination
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1375
Location: Canada

PostPosted: Fri Mar 22, 2013 16:21    Post subject: Reply with quote
I too have been searching and experimentating with port mirroring using iptables and with ip addresses it works. But have been unsuccessful to mirror interfaces. The whole point of using mirroring is to be transparent to the network and not changing/adding to the destination address on the data flow going to the mirror port.

I picked a cheap Netgear GS108E 8-port switch with vlan and port mirroring support and it does "true" port mirroring with no need to set a destination IP address.

SmallNetBuilder has a Netgear GS108T review which uses a Broadcom processor.

Is there any way mirror a port with dd-wrt by using interfaces only?

TIA!

_________________
Home Network on Telus PureFibre - Wired GigaBit Backbone
| 2x DNSCrypt-Proxy V2 | DHCPv4/v6 via DNSMasq | Telus-IPv6 |
| USB Storage - Scripts Only | 7x VLANs/BRs | WiFi 5x SSIDs |
| 3x OpenVPN-Clients | QoS | SSH | Entware | YAMon3 | Ad-Blocking |

R7800 Gateway & VPN1 - KONGAT 39855M Release 2019-05-25
R7800 WiFi & VPN2 & VPN3 - KONGAT 39855M Release 2019-05-25

______________________
YAMon 3.4 | Ad-Blocking for DD-WRT | DNSCrypt-Proxy V2
DD-WRT Beta Builds | KONG Builds
CloneVince's copies of Kong's Arm Firmware
jfandl
DD-WRT Novice


Joined: 11 Mar 2013
Posts: 2

PostPosted: Fri Apr 05, 2013 14:30    Post subject: Bump Reply with quote
Bump - anyone have recommendations on how to fix the IP tables commands?
gengw2000
DD-WRT Novice


Joined: 25 Jun 2013
Posts: 2

PostPosted: Tue Jun 25, 2013 6:24    Post subject: Reply with quote
It's really difficult to get the "TEE" target working.

An alternative way is the "port-mirroring" openwrt package. It's based on libpcap.

http://code.google.com/p/port-mirroring/
riahc3
DD-WRT User


Joined: 04 May 2007
Posts: 324

PostPosted: Thu Aug 29, 2013 8:55    Post subject: Reply with quote
Im still stumped on how DDWRT doesnt have this. Or at least a tick box that autoadds the route to the iptables if supported.
jessev
DD-WRT Novice


Joined: 09 Sep 2013
Posts: 2

PostPosted: Fri Oct 18, 2013 21:47    Post subject: Port Mirroring Reply with quote
Alrighty then.

I have a Buffalo WZR-300HP running

DD-WRT v24SP2-MULTI (07/09/12) std (SVN revision 19438)

When I try these two commands I do not get any data going to the interface I wish to sniff traffic on.

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.10 -tee

iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.10 -tee

If I perform the above commands then run

iptables -t mangle -vnL

i get the following output

Chain PREROUTING (policy ACCEPT 23339 packets, 10M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 1153K packets, 89M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 31M packets, 27G bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4907 packets, 514K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 31M packets, 27G bytes)
pkts bytes target prot opt in out source destination


If I delete the above commands with -D I still get the same output from

iptables -t mangle -vnL

Only the ACCEPT packets and bytes counter increase in Chain PREROUTING and Chain INPUT.

Is port mirroring or more accurately packet copying no longer supported? I see folks trying it and it not working. Of course some of that is due to their router hardware or version of dd-wrt. I would think mine would work as dd-wrt and Buffalo are working together to provide dd-wrt on the router as an OEM feature.

This is a case for you real guru's.

1. How do I make this work?

and

2. How do I know I have deleted any rules I put in and do not want?

I know how to list iptables and do not see anything that stands out.

How can I be sure?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sat Oct 26, 2013 23:55    Post subject: Reply with quote
Different builds have different iptables modules and it appears that your build is missing the ROUTE target module. Try a recent build for your model and see if it has been included, if not then ask for it on trac.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
jessev
DD-WRT Novice


Joined: 09 Sep 2013
Posts: 2

PostPosted: Sun Oct 27, 2013 0:23    Post subject: Reply with quote
Thank you phuzi0n - That makes perfect sense. I should of thought of that, but that is why you are the Guru. Smile

After doing more research, I keep coming across forwarding all traffic on the router to one port may slow down the router/switch.

So, I'm thinking of getting another switch that does port spanning. I like how the Buffalo Router and dd-wrt perform and don't want to take away from what I see as a feature and performance gain over my old rig.

I will still update the firmware to a more recent build, and test port mirroring/packet forwarding just to test the feature out. I spent the time to build a snortids, might as well test it.

Any thoughts on the subject of port spanning/packet forwarding slowing down some routers?
Goto page Previous  1, 2, 3  Next Display posts from previous:    Page 2 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum