Jump to content

Mirroring traffic to USB ethernet


bearda
 Share

Recommended Posts

I had a very specific use case in mind when I bought a Wifi Pineapple, but I'm having a hard time figuring out how to actually do what I want. I have a passive network monitoring appliance I want to receive traffic routed between two different WLANs. The idea was to use a separate USB-Ethernet adapter running out of the Pineapple and to mirror the wireless network traffic to it to keep the monitoring interface independent of the admin interface for the pineapple (I don't want DHCP or other incidental packets from the admin interface showing up in the traffic if I can help it). The end goal is to have a test and demo system where I can connect the pineapple to a public wireless network and connect an iPad or other mobile device that gets an internet connection routed through the pineapple to the other wireless network and have the appliance be able to see and inspect the traffic.

Where I'm getting hung up is the monitoring port. I've been playing around with iptables rules based on the info here, but got stuck:

http://blog.goddchen.de/2009/03/port-mirroring-span-port-monitor-port-with-iptables/

The destination ip address thing is the problem, since my monitoring device is entirely passive. I really want to force the traffic out one specific interface and since the device on the other end is promiscuous it'll take care of the rest. Can I get around this by making up a dummy ip address and adding a static route forcing it out my USB Ethernet interface? Is my entire plan flawed, or is there a better way of doing this entirely.

Link to comment
Share on other sites

A quick google search on Port Mirroring and OpenWRT and I ran into this. Might be all you need. This is on the OpenWRT forums so it is more likely to work on the Pineapple as it is OpenWRT (Duh) ;) Let me know if this works, might be worth creating a simple infusion.

https://forum.openwrt.org/viewtopic.php?id=28878

You can use TEE from iptables.

Something like this, to monitor all traffic from and to the WAN:

# incoming packets (ignore packets from local subnet)
iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.10.0.0/16 -j TEE --gateway 10.10.0.1

# outgoing packets (ignore packets to local subnet)
iptables -A PREROUTING -t mangle -i br-lan ! -d 10.10.0.0/16 -j TEE --gateway 10.10.0.1

Thereby, all packets gets forwarded to 10.10.0.1
You can also use a seperate vlan to create the mirror-port.

Link to comment
Share on other sites

I got a chance to play around this morning but things didn't go very well. I have a feeling that the destination IP address is going to be a problem in the future since the monitoring device I'm using is passive (no IP), but for a proof of concept I just set a laptop up and gave him a static IP connected to the USB Ethernet on the Pineapple.

I failed miserably when it came to the iptables config, though. I get an iptables "unknown option" error when trying to use --gateway or --gw which has kind of stopped me in my tracks. I've played around with some other syntaxes mentioned on the dd-wrt forums/blogs and --tee it's a supported option either. Anyone get port mirroring via iptables tee working on a Pineapple before?

Link to comment
Share on other sites

root@Pineapple:/# iptables -A POSTROUTING -t mangle -o br-lan ! -s 172.16.42.0/24 -j TEE --gateway 192.168.1.1
iptables v1.4.10: unknown option `--gateway'
Try `iptables -h' or 'iptables --help' for more information.

Looks like the tee command is broken. I think it's a mismatch between iptables and the kernel, but not 100% sure. Maybe Seb can compile this for us instead?

https://code.google.com/p/port-mirroring/

Edited by barry99705
Link to comment
Share on other sites

Maybe some of the stuff in this could help not a pineapple but a tap so some of the concepts and ideas may help http://williamknowles.co.uk/?p=16

It looks like this guy's just doing a tcpdump to capture packets, where as I'm looking for live traffic out another interface. I have been looking into seeing if I could do a tcpdump directly into tcpreplay, but haven't gotten far.

Link to comment
Share on other sites

root@Pineapple:/# iptables -A POSTROUTING -t mangle -o br-lan ! -s 172.16.42.0/24 -j TEE --gateway 192.168.1.1
iptables v1.4.10: unknown option `--gateway'
Try `iptables -h' or 'iptables --help' for more information.

Looks like the tee command is broken. I think it's a mismatch between iptables and the kernel, but not 100% sure. Maybe Seb can compile this for us instead?

https://code.google.com/p/port-mirroring/

I saw that, but the lack of a build for the processor in the pineapple stopped me so far. I guess I should just try to set up a toolchain and give it a shot. Thanks for looking at the iptables stuff, it seemed like there was a problem but I wasn't sure.

Link to comment
Share on other sites

I started setting up my build environment this morning and noticed in the OpenWRT build kmod-ipt-tee is not enabled. I don't know this build structure very well, but it seems like the kernel just doesn't have the TEE target support enabled. I'm not sure who to ask about this, but it's be great if they kernel module could be included in 2.0.4.

Link to comment
Share on other sites

I started setting up my build environment this morning and noticed in the OpenWRT build kmod-ipt-tee is not enabled. I don't know this build structure very well, but it seems like the kernel just doesn't have the TEE target support enabled. I'm not sure who to ask about this, but it's be great if they kernel module could be included in 2.0.4.

That'd be seb, but hes away currently

Also, you may be able to find the correct package in the OpenWRT package list. Google around for the AR71xx packages. (I think thats the right number)

Edited by Foxtrot
Link to comment
Share on other sites

That'd be seb, but hes away currently

Also, you may be able to find the correct package in the OpenWRT package list. Google around for the AR71xx packages. (I think thats the right number)

OK, I've got to spend some time understanding how OpenWRT packages are set up but it sounds like this may be what I need, then:

kmod-ipt-tee_3.3.8-1_ar71xx.ipk

Edited by bearda
Link to comment
Share on other sites

I looks like OpenWRT kernel module packages can't be installed directly due to differences in the build. Bummer.

root@Pineapple:/tmp# opkg install http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-ipt-tee_3.3.8-1_ar71xx.ipk

Downloading http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-ipt-tee_3.3.8-1_ar71xx.ipk.

Installing kmod-ipt-tee (3.3.8-1) to root...

Collected errors:

* satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-ipt-tee:

* kernel (= 3.3.8-1-d6597ebf6203328d3519ea3c3371a493) *

* opkg_install_cmd: Cannot install package kmod-ipt-tee.

root@Pineapple:/tmp# uname -a

Linux Pineapple 3.3.8 #31 Thu Aug 14 23:30:25 CEST 2014 mips GNU/Linux

Edited by bearda
Link to comment
Share on other sites

The good news is that I got my build environment set up (after having to mangle some URLs for svn repos that have since been taken down. Is there a git repo for the latest code or something?), and installed the tee kernel module. The bad new is that it didn't help at all. The iptables thing seems like it's more trouble than it's worth.

The good news is that when I was playing with the build I realized that the architecture for the pineapple is ar71xx even though the pineapple is an ar9something. That means the port-mirroring package listed earlier can be installed by running:

And after a bit of configuration it does exactly what I need it to. By configuring it to mirror from wlan0 to eth1 using the TEE protocol it seems to be working great. I'll have to play around with it some more when I'm back in the office. If it all checks out I'll see about starting it from the DIP switch boot options, and if I get really adventurous maybe I'll try to do an infusion to install and control port-mirroring.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...