port mirroring possible ?

fastpath
Novice
Posts: 21
Joined: Sat Sep 09, 2006 2:16 am

port mirroring possible ?

Post by fastpath » Sun Jul 21, 2013 4:18 pm

Hi all,

First post for 7 years! I'm trying to get one of my routers to do port mirroring.

I have tried with my Belkin running DD-WRT v24micro using the guide here

http://webcache.googleusercontent.com/s ... en&ct=clnk

but I think the version of dd-wrt I have doesn't support the stuff mentioned there, so more internet nonsense - sigh.

I remember that my old Safecom GART2-4115 can run your RTech firmware, though, so I looked through your site for firewall guides/doco, but found none.

Is it iptables ?

If so, does it support this (the TEE target with the gateway option)?

iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.1.23
iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.23

do I need an

insmod ipt_ROUTE

before ?
thechief
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: port mirroring possible ?

Post by thechief » Sun Jul 21, 2013 5:44 pm

I doubt that our iptables supports TEE and gateway - but you can always try.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.

Re: port mirroring possible ?

Post by fastpath » Sun Jul 21, 2013 10:57 pm

I should have read the history file more carefully.

My GART2-4115 is a 2/8 model, so it doesn't even have iptables!

Ah well.

See you in 2020 !

Re: port mirroring possible ?

Post by thechief » Sun Jul 21, 2013 11:28 pm

Hmmm ... all versions of our firmware have iptables.

Re: port mirroring possible ?

Post by fastpath » Mon Jul 22, 2013 4:54 pm

From the file history.html in the docs folder in the firmware zip

---
New features applicable only to wireless routers, or non-wireless routers with 4mb flash and 16mb RAM (e.g., ADSL2MUE)
1. Add support for TCPMSS in kernel and add iptables command, to overcome MTU issues with some websites. Unfortunately this eats some RAM, and so it has not been added to RAM-challenged routers (i.e., those with only 8mb RAM).
---

I read this as 'the iptables command has only been added to non-wireless routers with at least 4/16'.

Is that incorrect? Did you actually only mean that 'the 2/8 versions have the TCPMSS feature of iptables missing'?

Do I have to read the source and the build rules to find out which features of iptables made it into which build? I think the 'just try it' option is too expensive, as someone is actually still using the Safecom with its stock firmware!

Re: port mirroring possible ?

Post by fastpath » Tue Jul 23, 2013 2:25 pm

I've examined the source now.

The TEE target source should be in the src/iptables/extensions folder; all the other targets are there as libipt_<TARGET_NAME>.c, but it isn't.

TEE appears in 2.6.35 kernel or later and iptables v1.4.8 or later, so no chance here.

I thought I could do the same thing with the -j ROUTE target by seeing if its patchable --tee option was present
in the patch-o-matic folder, but I can't find that either.

How do we, as home tinkerers, do LAN testing (e.g. with wireshark) _without_ port mirroring in our 4-port router switches ?

Re: port mirroring possible ?

Post by thechief » Thu Jul 25, 2013 6:44 am

fastpath wrote: "How do we, as home tinkerers, do LAN testing (e.g. with wireshark) _without_ port mirroring in our 4-port router switches?"
Sorry, but I have no idea what you're talking about. I have run wireshark many times for all sorts of things, so I am not sure what the issue with port mirroring is (or even what it is).

Re: port mirroring possible ?

Post by fastpath » Fri Jul 26, 2013 7:45 pm

OK.

If I have a laptop running Wireshark on port 1 of a 4-port router switch, it won't see any of the traffic passing through ports 2, 3 & 4 that isn't addressed to it (which none of it will be), surely? So how does it monitor anything?

Port mirroring takes all packets passing through designated ports on a switch, clones them and routes the copies either to a specific port on the switch or, in the case of the iptables TEE target, sends them out of the port where its MAC table says the listening IP corresponding to the --gateway argument is.

Managed switches invariably have port mirroring configurable via their EWS.

I have been asked to diagnose high latencies in someone's small LAN. I wanted to use Wireshark to inspect for high retransmits and the like.

Anyway, I managed to squeeze OpenWrt 12.09 onto another router box I had. That has iptables 1.4.10 and kernel 3.3.8, so adding the TEE modules I needed with opkg was a piece of cake.
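Added example for the two TEE posts above (the two rules in the first post, and the OpenWrt 12.09 box at the end). It is not code from this thread, from RouterTech or from OpenWrt. It assumes the LAN bridge is called br-lan (OpenWrt's default name) and that the Wireshark laptop is 192.168.1.23, the address used in the thread; the kernel 2.6.35 / iptables 1.4.8 floors are the ones fastpath found in the source, and the userspace/kernel pieces a build has to ship are libxt_TEE.so and xt_TEE.ko. Two things differ from the thread's rules: the -i/-o match makes each packet cross exactly one of the two rules, so every packet is copied once instead of once on the way in and again on the way out, and the capture host's own traffic is left out because it already sees that on its own NIC. One caveat that matters for the "4-port router switch" question: TEE only sees packets that reach the router's netfilter hooks (LAN to WAN, WAN to LAN, LAN to the router itself). Frames switched between two LAN ports by the switch chip never reach the CPU, so no iptables rule can mirror them; for that you need the switch chip's own mirror function, a hub, or a tap.

```shell
#!/bin/sh
# Added example (not from the thread, RouterTech or OpenWrt): mirror the traffic
# that crosses a Linux router's netfilter hooks to a capture host with the
# iptables TEE target, after checking that the kernel/iptables pair can do it.
# Assumptions: the LAN bridge is br-lan (OpenWrt's default) and the Wireshark
# box is 192.168.1.23, the address used in the thread.

IPT=${IPT:-iptables}          # set IPT=echo to dry-run the rule commands
TEE_MIN_KERNEL=2.6.35         # TEE appeared in this kernel (xt_TEE.ko) ...
TEE_MIN_IPTABLES=1.4.8        # ... and this iptables release (libxt_TEE.so)

# vernum 2.6.32-5-686 -> 2006032: drop any non-numeric suffix, pack three fields
vernum() {
    printf '%s' "$1" | sed 's/[^0-9.].*//' |
        awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }'
}

# version_ge A B: succeed when dotted version A >= B
version_ge() {
    [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

# tee_versions_ok KERNEL IPTABLES: pure version check, needs no root
tee_versions_ok() {
    version_ge "$1" "$TEE_MIN_KERNEL" && version_ge "$2" "$TEE_MIN_IPTABLES"
}

# tee_available: version floors first, then the two things a version number
# cannot tell you: did this iptables build ship the TEE extension, and does
# the running kernel have the xt_TEE module
tee_available() {
    ipt_ver=$($IPT --version 2>/dev/null | sed 's/.*v//')   # "iptables v1.4.10" -> 1.4.10
    tee_versions_ok "$(uname -r)" "$ipt_ver" ||
        { echo "need kernel >= $TEE_MIN_KERNEL and iptables >= $TEE_MIN_IPTABLES" >&2; return 1; }
    $IPT -j TEE --help >/dev/null 2>&1 ||
        { echo "this iptables build has no TEE extension (libxt_TEE.so)" >&2; return 1; }
    modprobe xt_TEE 2>/dev/null || insmod xt_TEE 2>/dev/null || true   # busybox may only have insmod
}

# mirror_rules -A|-D LAN_IF CAPTURE_IP: one copy per packet, each direction once.
# PREROUTING -i catches what arrives from the LAN, POSTROUTING -o what is sent
# back to it. The capture host's own traffic is excluded: it already sees that
# on its NIC, so mirroring it would only produce duplicates in Wireshark.
mirror_rules() {
    act=$1; lan=$2; cap=$3
    $IPT -t mangle "$act" PREROUTING -i "$lan" ! -s "$cap" ! -d "$cap" -j TEE --gateway "$cap"
    $IPT -t mangle "$act" POSTROUTING -o "$lan" ! -s "$cap" ! -d "$cap" -j TEE --gateway "$cap"
}

# usage: sh mirror.sh start br-lan 192.168.1.23   |   sh mirror.sh stop br-lan 192.168.1.23
case "${1:-}" in
    start) tee_available && mirror_rules -A "$2" "$3" ;;
    stop)  mirror_rules -D "$2" "$3" ;;
esac
```

Run `IPT=echo sh mirror.sh start br-lan 192.168.1.23` first to see the two rules without touching the router; the version check is deliberately separate from the `-j TEE --help` probe, because a kernel and iptables that are new enough can still come from a build that left the extension out, which is exactly what fastpath had to establish by reading the source.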