I set out to figure out what all the wi-fi traffic was on my cell phone. It seems constant. Planned to use Wireshark on a desktop PC.
I loaded the latest OpenWrt squashfs image into a WNDR3700v1. That worked fine. Setting it up as a dumb AP took quite a while as the GUI instructions are well out of date. Had to recover several times since default IP is 192.168.1.1 and I wanted 198.162.0.2. Finally got there.
(Wasn't helped by the fact I constantly scramble up 192.168 and 198.162. Have done it for years. No clue why.)
All was working OK. Cellphone connected to 3700 radio and accessed the world through via main router and cable modem.
Installed "opkg install iptables-mod-tee" without issue.
Got to the point where I needed to do "iptables -A PREROUTING -t mangle -i br-lan ! -d <TEST_DEVICE_IP_ADDRESS> -j TEE --gateway <MONITORING_WORKSTATION_IP_ADDRESS>"
About half of the stuff on my network gets assigned fixed IPs based on MAC address. "<MONITORING_WORKSTATION_IP_ADDRESS>" is always 192.168.0.100.
Problem:
I can find "<TEST_DEVICE_IP_ADDRESS>" on the OpenWrt GUI and on the phone but it bears no resemblance to anything on the main router's DHCP assigned addresses table. Same with the MAC address. Ping on the PC finds the phone.
How do I make the OpenWrt dumb AP really dumb? All I need is a pipe between the radio and the main router that will allow the execution of the iptables-mod-tee package. Having the wired ports on the AP work in a similar manner would be nice but is not required.
A dumb AP bridges user traffic at layer 2, I don't think that can trigger anything in iptables. Indeed the dumb AP is unaware of the phone's IP address since that was assigned by the main router not the AP.
You probably want to NAT the phone through OpenWrt so it is seeing layer 3.
On some hardware, the Ethernet switch offers hardware "mirroring" at layer 1.
As mk24 mentioned, the iptables rule won't be triggered by Layer 2 traffic, because the ethernet frame is not directed toward the MAC of the dumb AP. The Layer 3 header would only be processed by netfilter if the destination MAC address is of the interface facing that L2 segment.
@MickeyLane: Another option is to do a remote packet capture and pipe it to wireshark:
It works best if you're using public keys so that you're not prompted for a password while wireshark is starting. This assumes you're capturing from the wired side. If you want to capture from another wireless client you'll need to add a filter to exclude ssh traffic from capture, otherwise it will cause a feedback loop.
This worked for me from a wired client (ubuntu) to log a wireless client of a dumb AP, but perhaps would avoid the feed back loop if using the same wireless interface.