Creating OpenWrt traffic sniffer with GL-AR150

Hello people! I am trying to set up a GL-AR150 router to act as a transparent switch and also sniff traffic with CloudShark. I am trying to follow this article: https://www.qacafe.com/resources/2014-07-28-how-to-build-a-network-probe-in-openwrt/ but I am having a hard time configuring the VLAN. I cannot find the VLAN section in /etc/config/network and I am not sure how to set up the sniffer interface :frowning: Please help!

Since there are only two Ethernet ports on this device, the first step is to start up a wifi AP on the lan network and log in by wifi. All administration and dumps of the monitored results will be by wifi.

This model is still swconfig, so the Ethernet switch is set up on the Network->Switch page or with config switch-vlan stanzas in /etc/config/network.

With this model, though, you don't have to concern yourself with hardware switching, since the wan port is a completely separate interface directly to the CPU, bypassing the switch. The same chip is used in regular 4+1 port routers, so there is a switch, but only one of the usual 4 LAN ports has any hardware connection on the AR150.

If you put the two eth ports eth0 and eth1 in a software bridge, packets will pass between them and can be monitored. The guide you posted from 2014 uses the old configuration paradigm where bridge mode is part of a config interface. The new way is for bridges to be created separately as a config device:

config device
    option name 'br-sniffer'
    option type 'bridge'
    list ports 'eth0'
    list ports 'eth1.1'

config interface 'sniffer'
    option proto 'none'
    option device 'br-sniffer'

The eth ports need to be removed from all other networks (lan and wan). I think that the numbering is as I put above where eth1 has a VLAN number 1 (to support the degenerate path through the switch) and eth0 does not. Regardless, use the same numbers that you find in br-lan and wan.

If you want the router to be able to send or receive traffic on the network being sniffed, you can configure the sniffer interface with a proto and IP instead of none.


Thank you so much for the clarification! I will try now and post the result :slight_smile:

I cannot figure this out :frowning: How should I set up the WAN and LAN interfaces so that another router connected to the lan port of the GL-AR150 uses the DHCP server of the main router, the one connected to the WAN port of the GL-AR150?

Here's the config I tried:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5d:9b86:801a::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'wlan0'
        option ipaddr '192.168.9.1'

config device
        option name 'br-sniffer'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1.1'

config interface 'sniffer'
        option proto 'none'
        option device 'br-sniffer'

A pure sniffer doesn't interact with the network it is sniffing, so you won't have any Ethernet ports in wan or lan, since there are only two Ethernet ports on the GL-AR150. Indeed you could outright delete the wan network, since it won't be used. This use case would be better served with a device having more ports, so you can continue to have a wired LAN and/or WAN.

You could also put both ports in br-lan and use it as a lan device (like a dumb AP, but with the ability to sniff traffic connected to the other Ethernet port). In that case the lan proto would be static or DHCP client, and there would not be a sniffer bridge; everything happens on lan.
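
A check for the step both answers above depend on, that the sniffer bridge's ports belong to no other network, as an added example that is not part of the thread. `port_conflicts` and `sample_config` are hypothetical names, and the sample config is constructed using the thread's guessed port names (eth0, eth1.1).

```shell
# Added example, not from the thread. Prints every port of bridge $2 that another
# section of the UCI network config $1 ("-" = stdin) still references.
port_conflicts() {
    awk -v bridge="$2" '
    # Strip one leading and one trailing quote from a UCI value (\047 = single quote).
    function unq(s) { gsub("^[\"\047]|[\"\047]$", "", s); return s }
    $1 == "config" {                       # new section: start a label for it
        n++; label[n] = $2
        if (NF > 2) label[n] = label[n] " " unq($3)
        next
    }
    n == 0 || NF < 3 { next }
    $1 == "option" && $2 == "name" {       # device sections are named by option name
        if (unq($3) == bridge) target = n
        label[n] = label[n] " " unq($3); next
    }
    ($1 == "list" && $2 == "ports") ||
    ($1 == "option" && ($2 == "device" || $2 == "ifname")) {
        for (i = 3; i <= NF; i++) { cnt[n]++; member[n, cnt[n]] = unq($i) }
    }
    END {
        if (!target) { print "bridge " bridge " not found"; exit 2 }
        for (s = 1; s <= n; s++)
            for (i = 1; s != target && i <= cnt[s]; i++)
                for (j = 1; j <= cnt[target]; j++)
                    if (member[s, i] == member[target, j])
                        print member[s, i] " is also used by: " label[s]
    }' "$1"
}
# Constructed sample (trimmed): sniffer bridge added, but lan and wan still hold the ports.
sample_config() {
    cat <<'EOF'
config device
    option name 'br-lan'
    list ports 'eth1.1'
config interface 'lan'
    option device 'br-lan'
config interface 'wan'
    option device 'eth0'
config device
    option name 'br-sniffer'
    list ports 'eth0'
    list ports 'eth1.1'
config interface 'sniffer'
    option device 'br-sniffer'
EOF
}
sample_config | port_conflicts - br-sniffer
```

On the router the call would be `port_conflicts /etc/config/network br-sniffer`; empty output means no other section names the bridge's ports.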