Mirroring traffic to USB ethernet


bearda

I had a very specific use case in mind when I bought a Wifi Pineapple, but I'm having a hard time figuring out how to actually do what I want. I have a passive network monitoring appliance I want to receive traffic routed between two different WLANs. The idea was to use a separate USB-Ethernet adapter running out of the Pineapple and to mirror the wireless network traffic to it to keep the monitoring interface independent of the admin interface for the pineapple (I don't want DHCP or other incidental packets from the admin interface showing up in the traffic if I can help it). The end goal is to have a test and demo system where I can connect the pineapple to a public wireless network and connect an iPad or other mobile device that gets an internet connection routed through the pineapple to the other wireless network and have the appliance be able to see and inspect the traffic.

Where I'm getting hung up is the monitoring port. I've been playing around with iptables rules based on the info here, but got stuck:

http://blog.goddchen.de/2009/03/port-mirroring-span-port-monitor-port-with-iptables/

The destination IP address thing is the problem, since my monitoring device is entirely passive. I really want to force the traffic out one specific interface, and since the device on the other end is promiscuous it'll take care of the rest. Can I get around this by making up a dummy IP address and adding a static route forcing it out my USB Ethernet interface? Is my entire plan flawed, or is there a better way of doing this entirely?


A quick Google search on port mirroring and OpenWRT and I ran into this. Might be all you need. This is on the OpenWRT forums, so it is more likely to work on the Pineapple as it is OpenWRT (Duh) ;) Let me know if this works, might be worth creating a simple infusion.

https://forum.openwrt.org/viewtopic.php?id=28878

You can use TEE from iptables.

Something like this, to monitor all traffic from and to the WAN:

# incoming packets (ignore packets from local subnet)
iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.10.0.0/16 -j TEE --gateway 10.10.0.1

# outgoing packets (ignore packets to local subnet)
iptables -A PREROUTING -t mangle -i br-lan ! -d 10.10.0.0/16 -j TEE --gateway 10.10.0.1

Thereby, all packets get forwarded to 10.10.0.1.
You can also use a separate VLAN to create the mirror port.

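Added example, not written by anyone in this thread: the dummy-address idea from the first post combined with the TEE rules quoted above, for a sensor that has no IP of its own. It assumes a Linux box with iproute2 and an iptables build that includes the TEE extension; the 192.0.2.0/30 addresses, the placeholder MAC and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: feed a passive, IP-less sensor with iptables TEE (dry run by default).
# Assumed values: TEST-NET-1 addresses and a locally administered placeholder MAC.
MIRROR_IP="192.0.2.1/30"       # address placed on the mirror interface
DUMMY_GW="192.0.2.2"           # next hop that no real host owns
DUMMY_MAC="02:00:00:00:00:01"  # frame destination; a promiscuous sensor reads it anyway

# True if iptables help text ($1) lists --gateway, i.e. userspace has the TEE extension.
has_tee_option() {
    printf '%s\n' "$1" | grep -q -- '--gateway'
}

# Print the commands that copy traffic seen on $1 out of mirror port $2.
mirror_cmds() {
    src=$1; out=$2
    for ifc in "$src" "$out"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$ifc'" >&2; return 1 ;;
        esac
    done
    [ "$src" != "$out" ] || { echo "source and mirror port must differ" >&2; return 1; }
    # TEE needs an on-link gateway. Nothing will answer ARP for the dummy
    # address, so a permanent neighbour entry supplies the MAC instead.
    cat <<EOF
ip link set $out up
ip addr replace $MIRROR_IP dev $out
ip neigh replace $DUMMY_GW lladdr $DUMMY_MAC nud permanent dev $out
iptables -t mangle -A PREROUTING -i $src -j TEE --gateway $DUMMY_GW
iptables -t mangle -A POSTROUTING -o $src -j TEE --gateway $DUMMY_GW
EOF
}

# Show the commands, or run them as root when APPLY=1.
run_mirror() {
    cmds=$(mirror_cmds "$1" "$2") || return 1
    if [ "${APPLY:-0}" != 1 ]; then printf '%s\n' "$cmds"; return 0; fi
    has_tee_option "$(iptables -j TEE --help 2>&1)" ||
        { echo "this iptables build has no TEE extension" >&2; return 2; }
    printf '%s\n' "$cmds" | sh -e
}

if [ $# -eq 2 ]; then run_mirror "$1" "$2"; fi
```

Run it as `sh mirror.sh wlan0 eth1` to print the commands, and with `APPLY=1` to execute them.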

I got a chance to play around this morning but things didn't go very well. I have a feeling that the destination IP address is going to be a problem in the future since the monitoring device I'm using is passive (no IP), but for a proof of concept I just set a laptop up and gave him a static IP connected to the USB Ethernet on the Pineapple.

I failed miserably when it came to the iptables config, though. I get an iptables "unknown option" error when trying to use --gateway or --gw, which has kind of stopped me in my tracks. I've played around with some other syntaxes mentioned on the dd-wrt forums/blogs, and --tee isn't a supported option either. Anyone get port mirroring via iptables TEE working on a Pineapple before?


root@Pineapple:/# iptables -A POSTROUTING -t mangle -o br-lan ! -s 172.16.42.0/24 -j TEE --gateway 192.168.1.1
iptables v1.4.10: unknown option `--gateway'
Try `iptables -h' or 'iptables --help' for more information.

Looks like the tee command is broken. I think it's a mismatch between iptables and the kernel, but not 100% sure. Maybe Seb can compile this for us instead?

https://code.google.com/p/port-mirroring/

Edited by barry99705

Maybe some of the stuff in this could help. It's not a Pineapple but a tap, so some of the concepts and ideas may help: http://williamknowles.co.uk/?p=16

It looks like this guy's just doing a tcpdump to capture packets, whereas I'm looking for live traffic out another interface. I have been looking into seeing if I could do a tcpdump directly into tcpreplay, but haven't gotten far.


root@Pineapple:/# iptables -A POSTROUTING -t mangle -o br-lan ! -s 172.16.42.0/24 -j TEE --gateway 192.168.1.1
iptables v1.4.10: unknown option `--gateway'
Try `iptables -h' or 'iptables --help' for more information.

Looks like the tee command is broken. I think it's a mismatch between iptables and the kernel, but not 100% sure. Maybe Seb can compile this for us instead?

https://code.google.com/p/port-mirroring/

I saw that, but the lack of a build for the processor in the pineapple stopped me so far. I guess I should just try to set up a toolchain and give it a shot. Thanks for looking at the iptables stuff, it seemed like there was a problem but I wasn't sure.


I started setting up my build environment this morning and noticed that in the OpenWRT build kmod-ipt-tee is not enabled. I don't know this build structure very well, but it seems like the kernel just doesn't have the TEE target support enabled. I'm not sure who to ask about this, but it'd be great if the kernel module could be included in 2.0.4.


I started setting up my build environment this morning and noticed that in the OpenWRT build kmod-ipt-tee is not enabled. I don't know this build structure very well, but it seems like the kernel just doesn't have the TEE target support enabled. I'm not sure who to ask about this, but it'd be great if the kernel module could be included in 2.0.4.

That'd be Seb, but he's away currently.

Also, you may be able to find the correct package in the OpenWRT package list. Google around for the AR71xx packages. (I think that's the right number.)

Edited by Foxtrot

That'd be Seb, but he's away currently.

Also, you may be able to find the correct package in the OpenWRT package list. Google around for the AR71xx packages. (I think that's the right number.)

OK, I've got to spend some time understanding how OpenWRT packages are set up but it sounds like this may be what I need, then:

kmod-ipt-tee_3.3.8-1_ar71xx.ipk

Edited by bearda

It looks like OpenWRT kernel module packages can't be installed directly due to differences in the build. Bummer.

root@Pineapple:/tmp# opkg install http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-ipt-tee_3.3.8-1_ar71xx.ipk
Downloading http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-ipt-tee_3.3.8-1_ar71xx.ipk.
Installing kmod-ipt-tee (3.3.8-1) to root...
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-ipt-tee:
* kernel (= 3.3.8-1-d6597ebf6203328d3519ea3c3371a493) *
* opkg_install_cmd: Cannot install package kmod-ipt-tee.

root@Pineapple:/tmp# uname -a
Linux Pineapple 3.3.8 #31 Thu Aug 14 23:30:25 CEST 2014 mips GNU/Linux

Edited by bearda

The good news is that I got my build environment set up (after having to mangle some URLs for svn repos that have since been taken down. Is there a git repo for the latest code or something?), and installed the tee kernel module. The bad news is that it didn't help at all. The iptables thing seems like it's more trouble than it's worth.

The good news is that when I was playing with the build I realized that the architecture for the pineapple is ar71xx even though the pineapple is an ar9something. That means the port-mirroring package listed earlier can be installed by running:

And after a bit of configuration it does exactly what I need it to. By configuring it to mirror from wlan0 to eth1 using the TEE protocol it seems to be working great. I'll have to play around with it some more when I'm back in the office. If it all checks out I'll see about starting it from the DIP switch boot options, and if I get really adventurous maybe I'll try to do an infusion to install and control port-mirroring.
