any way to create a span/mirror port?

Discussion in 'DD-WRT Firmware' started by big_boi, Oct 30, 2005.

  1. big_boi

    big_boi Network Guru Member

    okay, i have seen the instructions on how to create VLANs and that would be a first step in what i want to do. but is there any way in IPTables or in some other tool in the DD-WRT firmware to create a spanning/mirror port? i want to duplicate all traffic coming in on the WAN port to one of the switch ports.

    i know that in packetfilter there is a dup-to command that you can use to duplicate the traffic caught by a rule, but i haven't found anything similar in iptables.

    can anyone help?
  2. 4Access

    4Access Network Guru Member

    I don't have any immediate suggestions but I'm interested in this topic too so I'll help you research it.

    Since I imagine that to get this working it will require the use of commands that include "vlan" so far I've tried searching the forums here, over at OpenWRT, and for the following queries without any interesting results:

    vlan sniff
    vlan mirror
    vlan span
    vlans sniff
    vlans mirror
    vlans span
    sniff wan

    I've also searched for various things such as "port mirror", "trafic mirroring", "port span" etc but mostly got threads where people were asking how to do it.

    Assuming you just want to be able to sniff all traffic that crosses the WAN interface like I do then configuring a LAN port as a vlan trunk might work as well...

    Searching for things like "vlan trunk" & "vlan trunking" turned up some interesting looking threads over on the OpenWRT & forums. (Although I haven't had a chance to really look through them.)

    My next step is to read through those threads and investigate the "Link Aggregation" option on the VLANs config page to see exactly what it does.

    Additionally I asked for help over in this thread in the OpenWRT forum so maybe someone there will know.

    Anyone else have some input?

    (BTW I assume you already know but just in case you don't, the quickest way to sniff the WAN port is simply to connect a hub between the WRT & your modem and then connect your sniffing box to the hub... but what fun is that right?! :D )
  3. big_boi

    big_boi Network Guru Member

    wow. thanks.

    link aggregation and trunking should not really apply here since those all cover combining 2 switch ports into one. that doesn't help us in our quest to mirror traffic out one of the switch ports.

    these nvram config commands seem to have what we need though- either one of the span, mirror or perhaps sniff commands should work simply going by the name. the only thing we need is some documentation on how to use them and the differences between them. i'll go hunting, but i'm still turning up mostly threads like this one asking "how do i do this" and a lot of "i don't think you can" answers.

    thanks again
  4. 4Access

    4Access Network Guru Member

    Trunking can also enable a single port to carry data from multiple vlans. See here starting with the last paragraph and continuing onto the next page. In our case we only need the trunk to carry data from vlan1 which is the WAN port by default. I'm just not sure if we can configure a trunking port that only has a sniffing client connected to it without interrupting the normal flow of traffic...

    Also I'm afraid I may have led you astray with my last post. There are no actual commands or nvram variables that are literally "vlan mirror" etc. (At least not that I'm aware of.) Those were simply what I searched for based on the fact that we are interested in mirroring/spanning ports and I expect that any post with relevant configuration info on those topics will also include vlan commands. Sorry for the confusion.
  5. 4Access

    4Access Network Guru Member

    I THINK I FOUND A WAY!!! :cheering:

    Check out the iptables ROUTE target. Notice that the --tee example sounds exactly like what we need!?!!

    And DD-WRT appears to support the ROUTE target already!! (I was able to enter a couple test rules successfully using DD-WRT v23 beta2. I haven't yet tested DD-WRT v22. The Tofu v7.0 mod of HyperWRT does not support the ROUTE target.)

    So now it's just a question of figuring out exactly how the ROUTE target works and then peeling off one of the LAN ports into its own VLAN and configuring it all. (The VLAN work can be done easily enough as shown here.)

    Unfortunately I won't have time to do any more testing for probably 24hrs. But we're getting close! :thumbup:
  6. big_boi

    big_boi Network Guru Member

    well, with that feature this should be a no-brainer. here are some helpful additional resources on the subject.
    notice that they say we can get additional info on this from iptables itself by issuing this command: # iptables -j ROUTE --help

    this posting is especially informative. looks like the developer is covering the use of the --tee command and basically holds our hands in doing exactly what we are trying to do:

    and here are a few more postings to the netfilter lists:

    my guess on the 2 lines you need to make this thing happen would be as follows:
    iptables -A PREROUTING -t mangle -s ! -j ROUTE --gw <sniffer> --tee
    iptables -A POSTROUTING -t mangle -s ! -j ROUTE --gw <sniffer> --tee

    seems i wasn't clever enough in my googling on this topic to this point. all my variations of "duplicate traffic iptables" turned up nothing useful. i should have taken a moment to think: if a *nix hacker was adding a command to iptables to do this sort of thing, what would they call it . . ? hmm, perhaps they'd name it after the ol' tee command. lemme see . . . .

    anyway, thanks a lot for the help 4Access. this has been a very productive thread i'd say. i need to build a new box to act as the sniffer, but when i get it working i'll post my results for ya.
  7. itsmeohmy

    itsmeohmy Network Guru Member

    Once a solution is found, it would be really phenomenal if Brainslayer could make a menu option from the web gui for it. That way we can span at will without having to save a copy of the iptables script :)

    I'm sure this would be useful to many people as part of the stock DD-WRT v23 build.
  8. 4Access

    4Access Network Guru Member

    Please do! I probably won't have the time to actually set up a sniffing system to fully test this solution till this next weekend.

    Agreed! I just wonder how it could be worked into the GUI in an intuitive way that works with the current VLAN options...
  9. big_boi

    big_boi Network Guru Member

    i just ordered the hardware i need yesterday, and it appears i won't get it till the beginning of next week. if i don't have it to play around with this weekend i may not get it running for a while cause i'm out of town the following 2 weekends :(

    i'll report back though.
  10. foq99

    foq99 Network Guru Member

    I realize this is an old post, but I figured I'd drag it back up since I'm looking to do something like this. I'd love to see a menu option for this, but I don't think it's really practical. Maybe some tab like "insane dumb things that people wanted a checkbox for" only shorter that could have all of these minor tweaks that 5 people want. Anyway, I wanted to add my $0.02 to the menu item topic and also point to a great free (as in beer) snort-based IDS -- Strata Guard. It's great for the people like me who don't have the knowledge or time to mess around with Linux and BSD too much, but still want a way to keep an eye on the traffic. I know there's a lot of other things that will do this, but this one is the easiest I've seen. If anybody else has anything better, I'd love to hear about it.
  11. barakaspeed

    barakaspeed Network Guru Member

    Changing the subnet mask?

    Ok it's late right now, so my mind isn't fully working properly :) . I don't know a whole lot about networking, but I vaguely remember that a subnet mask of would force all traffic to be broadcasted to everyone? Please correct me if I am wrong here. I am running HyperWRT and there isn't an option to change to that subnet mask. But if another firmware, say DD-WRT, could do this, maybe then we could sniff the traffic as if we were on just a simple hub?

    I am curious about finding a way to sniff traffic as well. I probably won't get around to switching firmwares as I don't have the time to do that.

    What do ya think?

    Or instead would configuring your computer manually and setting the subnet mask there to
  12. ursa_major

    ursa_major LI Guru Member

  13. gracey_26

    gracey_26 Guest

    please help me (tee option ROUTE target)

    Hi, please help me, which is the replacement for the tee option of the ROUTE target? I have openwrt whiterussian 0.9 in my linksys, I need to have a mirror port on my switch (WRTSL54GS). I have on my switch iptables v1.3.3 and don't have the ROUTE target; when I look in the folder /lib/modules/2.4.30 there are some modules for iptables, does any of those have an option to duplicate packets and send them to another gw?? Is there another option to create a mirror port with openwrt whiterussian 0.9? Any ideas? I only found forums where people are asking for the same but there is no solution (since 2005), or maybe I haven't searched enough.. Can anyone tell me if it is possible to create a mirror port? In some post I see that people talk about this, could this help me?? I hope anyone can help me, thanks a lot.
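The two-rule recipe big_boi sketched in post 6 and gracey_26's question about a replacement for ROUTE --tee point at the same thing, so here is one worked example covering both. It is an added example, not code from the thread or from the DD-WRT/OpenWrt projects. It assumes the TEE target (the xt_TEE module that was merged into mainline Linux 2.6.35 and iptables 1.4.8 as the successor of the out-of-tree ROUTE --tee patch), a WAN interface named vlan1 as in 4Access's post, and a sniffer at the constructed address 192.168.2.2 sitting on its own VLAN. A 2.4.30 kernel with iptables 1.3.3, as in gracey_26's WhiteRussian 0.9 box, predates xt_TEE and would not have it.

```sh
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) the
# two mangle-table rules that copy WAN traffic to a sniffer host using the
# TEE target (xt_TEE), the mainline successor of ROUTE --tee.
# Assumed values: WAN interface "vlan1" (named in the thread) and a sniffer
# at 192.168.2.2 on its own VLAN (constructed address).

# Accept only a plain dotted-quad address so nothing shell-unsafe reaches
# the firewall command line.
valid_ipv4() {
  addr="$1"
  case "$addr" in
    *[!0-9.]*|"") return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $addr            # split on dots; positional params are local here
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit one rule per line; nothing is executed here.
build_mirror_rules() {
  wan_if="$1"; sniffer="$2"
  valid_ipv4 "$sniffer" || { echo "invalid sniffer address: $sniffer" >&2; return 1; }
  case "$wan_if" in
    *[!A-Za-z0-9._-]*|"") echo "invalid interface name: $wan_if" >&2; return 1 ;;
  esac
  # PREROUTING: packets arriving on the WAN interface (inbound copies).
  # POSTROUTING: packets about to leave via the WAN interface (outbound copies).
  # The clone is routed towards the sniffer's VLAN, not back out $wan_if, so
  # the "-o $wan_if" rule does not mirror the copies a second time.
  printf '%s\n' \
    "iptables -t mangle -A PREROUTING -i $wan_if -j TEE --gateway $sniffer" \
    "iptables -t mangle -A POSTROUTING -o $wan_if -j TEE --gateway $sniffer"
}

mirror_rule_count() {
  build_mirror_rules "$1" "$2" | wc -l | tr -d ' '
}

# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 runs them, which needs
# root and the xt_TEE module loaded on the router.
apply_mirror_rules() {
  rules=$(build_mirror_rules "$1" "$2") || return 1
  printf '%s\n' "$rules" | while IFS= read -r rule; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "$rule"
    else
      $rule
    fi
  done
}

# Stand-alone run: print the rules for the assumed interface and sniffer.
apply_mirror_rules vlan1 192.168.2.2
```

Keep the sniffer port in a VLAN of its own, as 4Access suggested, so the mirrored copies never reach the ordinary LAN clients, and check the per-rule packet counters with `iptables -t mangle -L -v -n` to confirm the copies are actually being produced before trusting what the sniffer shows.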
