OpenWrt Forum Archive

Topic: Sniffing Traffic

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I'm not sure how or if it is possible to do what I'm trying to... basically I'd like to be able to "mirror" all the traffic that goes through br0 to another interface (either an IP tunnel or a separate VLAN). Is it possible to do this? My aim is to be able to use more advanced sniffing tools than the ones available directly on the router.

Regards,

John Gillespie

I have had a look on Google and there have been many topics opened on different forums for this without a proper answer ever having been given.... can someone please take the time to answer? If it isn't possible just say so.

Regards,

John Gillespie

up!

Not sure this is exactly what you are looking for, but here is a firmware built on OpenWRT that has snort in it.
http://packetprotector.org/

Thanks for the answer but that's not what I need :(

Try wireshark

You don't seem to understand what I want... I know what tools to use to sniff the traffic. What I don't know is how to set up port mirroring. If you don't know what it is please read this: http://www.cisco.com/warp/public/473/41.html

Perhaps the confusion is in the title due to the word 'sniffing'. Apparently that's what you want to do in the end, but it is not the subject of your question.
My understanding is that the bridge itself is doing what you want already, i.e. on a router with 4 + 1 ethernet connections and the standard lan (4) + wan(1) setup all traffic passing the bridge is visible on all four outputs.
So if you connect another router to that LAN (lan<>lan) and set the default WAN gateway of that second router to wherever you want to do your sniffing, you can watch the traffic as you like. Make sure, using iptables, that whatever return traffic would be generated by this 'parallel' machine gets dropped so it seemingly isn't there.
I have never tried this, so it's just a line of thought and my understanding of what the bridge does may be wrong.
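One way to get the port mirroring asked for in this thread on a Linux-based router, as an added example that is neither a poster's nor OpenWrt's own code: tc's "mirred" action copies every frame that reaches br0 to a second interface (gre0 and eth0.5 below are assumed names for a tunnel or VLAN interface). It assumes the kernel and tc build on the router include the ingress qdisc, the u32 classifier and the mirred action.

```shell
#!/bin/sh
# Added example (not from this thread): mirror every frame that reaches the
# bridge interface to a second interface with tc's "mirred" action, so a
# sniffer at the other end of a GRE tunnel or VLAN sees a copy.
# Assumptions: a Linux kernel with sch_ingress, cls_u32 and act_mirred
# (on OpenWrt: the tc package plus the matching kmod-sched modules), and a
# destination interface such as gre0 or eth0.5 that already exists and is up.
# Usage as root:  sh mirror.sh br0 gre0      (install the mirror)
#                 sh mirror.sh br0           (remove it again)

# Interface names on Linux are 1..15 characters with no '/' or whitespace.
valid_ifname() {
    case $1 in
        ''|*/*|*[[:space:]]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print the tc commands that copy ingress and egress traffic of $1 to $2.
# "u32 match u32 0 0" matches every packet and works on old kernels that
# predate the matchall classifier. The root prio qdisc only carries the
# egress filter; it changes no shaping.
mirror_cmds() {
    cat <<EOF
tc qdisc add dev $1 handle ffff: ingress
tc filter add dev $1 parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev $2
tc qdisc add dev $1 handle 1: root prio
tc filter add dev $1 parent 1: protocol all u32 match u32 0 0 action mirred egress mirror dev $2
EOF
}

# Print the commands that tear the mirror down again.
unmirror_cmds() {
    printf 'tc qdisc del dev %s ingress\ntc qdisc del dev %s root\n' "$1" "$1"
}

# Validate both names, then feed the generated commands to a shell that
# stops at the first failing tc invocation.
apply_mirror() {
    valid_ifname "$1" && valid_ifname "$2" || { echo "bad interface name" >&2; return 1; }
    mirror_cmds "$1" "$2" | sh -e
}

case $# in
    2) apply_mirror "$1" "$2" ;;
    1) valid_ifname "$1" && unmirror_cmds "$1" | sh -e ;;
esac
```

Frames switched between two ports of the same bridge are forwarded inside the bridge code and never pass br0's own qdiscs, so to see LAN-to-LAN traffic run the same commands against each bridge member port instead of br0.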

-snort
-tcpdump
-ettercap

(Last edited by jimmyridge on 24 Feb 2008, 16:33)
