I'm using OpenWrt 18.06.1 for a while, to connect 2 physical network through TL-WR741 Wifi.
I want to see the communication between boards and their server.
So I plan to configure "switch0" (AR7240/AR9330 built-in switch) with : Mirror source port on LAN 1 Mirror monitor port on LAN 3
Mirroring puts the selected packets out on the monitor port. Since they are addressed to a specific MAC address, they are not "seen" by any other device (broadcast MACs an exception), nor are they routed.
Running tcpdump, or the like, over ssh or other encapsulation is a common way to accomplish your goal.
Please look if the ethernet interface is in promiscuous mode.
Normally, network interfaces supply to the host only:
packets sent to one of that host’s link-layer addresses;
broadcast packets;
multicast packets sent to a multicast address that the host has configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see. Wireshark will try to put the interface on which it’s capturing into promiscuous mode unless the "Capture packets in promiscuous mode" option is turned off in the "Capture Options" dialog box, and TShark will try to put the interface on which it’s capturing into promiscuous mode unless the -p option was specified. However, some network interfaces don’t support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode. Source: https://www.wireshark.org/faq.html#promiscsniff
Did you miss that promiscuous mode is for packet receipt? Any intermediate switch or router will fail to forward Ethernet packets that are not addressed to the target. Basic Layer 2 Ethernet behavior. You need to encapsulate to reach anything past the end of the cable, or chain a series of monitor ports.
I though that you break the port learning of the switch by enabling mirro rx/tx?
Since his server is behind the WDS and he enables it on the 192.168.1.1 all traffic to the server will go to the wireshark pc?
And then u need promiscuous of your interface. Otherwise, the interface will throw away the unicast mac traffic that is not addressed with the wireshark pc's mac?
But acutally, I'm not that sure, if my assumptions are correct...
Hello Jeff,
I put all the interfaces in promiscuous mode on Wireshark.
When I do telnet to the boards from PC.83 I can see the frames going in and out.
As the WR741 act as a router, for me it's normal that I can't see the frames going directly from server to boards; That's why I want to turn on the WR741 port mirroring.
