I'm getting started with OpenWrt. I'd like to set up traffic mirroring for a particular IP on my network to send mirrored traffic to my PC.
I entered these commands:
iptables -t mangle -A PREROUTING -s 192.168.1.<x> -j TEE --gateway 192.168.1.<y>
iptables -t mangle -A POSTROUTING -d 192.168.1.<x> -j TEE --gateway 192.168.1.<y>
<x> and <y> are the local addresses of the device I want to mirror and my PC, respectively.
I then turned on Wireshark on my PC, generated traffic on device <x>, and expected to see packets between 192.168.1.<x> and various internet hosts. But all I see is local traffic, mostly ARP and ICMP and stuff like that. I also see lots of traffic that is generated by my local PC <y>, but I'm not interested in any of that.
The rule appears to be triggering, because I can see the packet/byte counters increasing:
root@DLink2640:~# iptables -t mangle -L -v | grep PRE -A 3
Chain PREROUTING (policy ACCEPT 803 packets, 133K bytes)
 pkts bytes target prot opt in  out source        destination
   56  9343 TEE    all  --  any any 192.168.1.<x> anywhere     TEE gw:192.168.1.<y>
All the online advice seems pretty straightforward, so I can't figure out why it's not getting mirrored. What am I doing wrong?
Is there a way to TEE to a local file on the router so I can at least inspect what, precisely, is getting mirrored?