Capturing all internal wireless/wired traffic

alex-k · July 9, 2019, 11:40pm

hi Folks,

This is my first post, please excuse any missteps.

OpenWrt 18.06.2, kernel version 4.9.152, running on TP-LINK Archer C7 v4.

I would like to implement a method to monitor/capture all wireless and wired traffic on the router, including LAN wireless-to-wireless, wired-to-wired, wireless-to-wired, as well as WAN.

Setting up a mirror with source port "CPU(eth0)" does not capture wireless-to-wireless nor wired-to-wired LAN traffic (does capture wired-to-wireless and wired/wireless to WAN).

Also tried the iptables -TEE method but that doesn't show intra-switch wireless-to-wireless traffic:
iptables -t mangle -I PREROUTING -i br-lan -j TEE -gateway 192.168.0.10
iptables -t mangle -I POSTROUTING -0 br-lan -j TEE -gateway 192.168.0.10

However if I run tcpdump directly on OpenWrt and specify the "any" or "br-lan" interfaces, I can see wireless-to-wireless LAN traffic. I am not able to observe wired-to-wired traffic, presumably because this is being handled at the switch hardware level and not being pushed back up into the router OS.

As a compromise I'd be happy with being able to capture WAN, wired-to-wireless, and wireless-to-wireless, but NOT wired-to-wired (as I can do this on a downstream switch with a mirror port).

The iptables -TEE method appeared promising, but doesn't yield the promising results that tcpdump shows. I could pipe tcpdump to a netcat listener on another computer, or SSH in from another computer and and pipe tcpdump back out of the router, but both of those methods seem more complex and brittle.

I've reviewed this similar thread which covers many of the same approaches we have tried:

Anybody else have a solution for mirroring ALL east/west (internal) traffic? Any guidance would be greatly appreciated.

sincerely,
alex

lleachii · July 10, 2019, 12:09am

@alex-k, welcome to the community!

You are correct.

Then you'll have to port mirror and record the traffic, the only issue is that you can't get what you want without making/transferring a full copy of the data. You'll also need 1 port to receive for each port you wish to monitor.
Another option is to make a VLAN/Interface of each wired port (you can even bridge them - but this gets more complex), then you can use things like tcpdump and softflowd to collect the [meta] data on any and all interfaces you desire.

alex-k · July 10, 2019, 12:49am

Thanks @lleachii!

My wired clients can all be connected to a downstream 48-port switch with a mirror port setup, so I can drop my requirement to perform port mirroring on the OpenWrt router.

Any ideas on being able to observe wireless-to-wireless traffic? Seems odd that I can see this traffic when running tcpdump on the router's br-lan interface but can't see it when using the iptables -TEE method to send br-lan trafic to another host. I was hoping that I was just missing something obvious or needed to adjust my iptables syntax.

slh · July 10, 2019, 12:52am

Just to state the obvious, be aware that the Archer C7 can switch in hardware at (4+1+(1))*1 GBit/s linespeed, it can not route or intercept/ dump on the c7 (slightly different with a mirrored port and an external system used for dumping) at that speed (you will reduce your "switching" throughput to roughly 150 MBit/s alltogether, accumulated WAN, LAN and WLAN traffic).

alex-k · July 10, 2019, 12:55am

Thank you @slh. Good point, I'll keep that in mind..

I am guessing this would not explain why I can't get the iptables -TEE method working on the wireless-to-wireless side.

lleachii · July 10, 2019, 1:35am

...does it work if you use the phy of the WiFi (e.g. wlan0)?

alex-k · July 10, 2019, 2:13am

@lleachii -- no, but it does show that traffic if I run "tcpdump -i wlan0" directly on the router....so it doesn't seem to be hardware or chipset limitation ;( something about the iptables -TEE method is not working, or perhaps I've got an error in my syntax.

lleachii · July 10, 2019, 2:16am

Well...I've been looking for this...

Please show it to us.

Can you describe what you think the -TEE argument is supposed to perform in when running iptables?
Would it require perhaps...a module?

EDIT: correction, the -j TEE argument

alex-k · July 10, 2019, 2:36am

Yes, sorry I was not more clear, I am trying to use the modules iptables-mod-tee and kmod-ipt-tee as described here:

and here:

lleachii · July 10, 2019, 2:40am

WHOA...you are knowledgeable; but you are mixing abstraction layers...and DARPA/OSI ones too!!!

OK...

Pick ONLY ONE...do you want to capture this data at Layer 2 or Layer 3?

lleachii · July 10, 2019, 2:57am

Do you permit outbound traffic on that interface in your firewall settings?

alex-k · July 10, 2019, 6:55pm

My preference is layer 2 so we get the MAC info as well. At this point I am just trying to confirm there is no easy way to get a mirror of the wireless-to-wireless traffic. Appreciate all the help!

pierz · May 2, 2020, 3:45pm

I had a similar goal to the OP. Wasn't sure if it would help everyone but in my case I solved it by enabling mirroring on the switch with WAN -> LAN1 and changing the vlan settings for LAN1 so that it tagged VLAN2 and untagged VLAN1 traffic. Then I was able to see all traffic from the WAN port when I attached a device with a VLAN enabled Ethernet interface - on the untagged interface (e.g. eth0) I could connect to the device from the LAN, and I was able to monitor WAN traffic on vlan id 2 (e.g. eth0.2 - after setup e.g. sudo ip link add link eth0 name eth0.2 type vlan id 2)