Need help mirroring traffic from wlan to lan monitor

Hello everyone. First time poster on here. I am a competent linux user (although not a power user by any stretch) so I am comfortable with the command line and SSH to a point, however I am relatively new to the more advanced workings of routers and switches. That being said, I have gotten pretty much everything set up the way I want it except one thing.

I have a RPI3 hooked up to LAN port 4 running a specialized packet monitoring software. I have a single laptop connected via WLAN that is the only device I want to monitor the packets to and from. The problem I am having is mirroring the traffic to and from just this one device to the RPI3. I tried using iptables at first with mixed results, and from further reading and on some advice I got elsewhere I decided that making the firewall pull double duty like this might not be the best route.

I have read enough to see the solution may lie with a VLAN and port mirroring, but all examples that I see seem to revolve around wireshark which I do not have and don't really need. They also seem to revolve either around routing ALL traffic from an interface, or using iptables. The use I have is very narrow and only involves traffic to and from the one device, and really only a narrow subset of that traffic. The software I have is capable of just dealing with the portion I need so I just have to get the traffic to it. Quite frankly I am feeling a bit overwhelmed trying to sift out the information that is useful to my needs.

I am currently running OpenWrt SNAPSHOT r10913-7b137e9df9 on a WRT1900ACSv2 and using LuCI Master (git-19.241.65047-dffe9ca).

The RPI3 is at 192.168.1.a
The computer to be monitored is at 192.168.1.b

Maybe I am looking at things the wrong way to accomplish what I need. Any help is appreciated.

  1. statistically netflow type aggregation lends itself to forwarding... but mirroring is pretty intensive.... and usually the domain of enterprise switching hardware and specialised endpoints to handle that kind of volume.

  2. openwrt port mirroring if i am not mistaken, is a kind of little brother to the enterprise switch i mentioned above. to my knowledge, it's best for grabbing a wired segment ( port ) and piping that out another port..... with the intention of that being to a specialised "filtering" host. this particular switch option.... i don't think relates to wifi ( within the switch hardware ) ... you could bind a bridge to a port to a wlan interface... but its layer 2... so you'd have to try and "hubmode" that switchport.....

Is monitoring of 802.11 frames important to you? I mean... if you discuss mirroring and wifi... you're pretty much in the domain of kismet et al. and a "monitoring" wlan card.... which is probably doable....

what kinds of static imports does your software support? does it not support direct 802.11 capture?

@anon50098793 I am mainly just interested in packet sniffing the traffic from the internet to one computer (PC on Wifi) in the network and from that computer in the network to the internet. I am looking for a way to mirror those raw data packets as they pass through the router over to another computer (Raspberry Pi 3B+) that is wired to LAN port 4 on my router. If the raw packets can be mirrored over as incoming packets to the Raspberry Pi, then the software I have can pick out any traffic in those packets that it is set up to analyze since the traffic I am interested in analyzing comes from one particular program on the PC.

Using iptables would work, but it has been suggested that this is a bad idea as it is making the firewall pull double duty.

I hope this clarifies some of what I am needing to do. I am ashamed to admit that most of what you were saying was a little hard for me to follow. I can tell that I will have to do a lot of research and learning to be up to your speed on things.

Get an antenna which driver support monitor mode and just grab the traffic from the air ?

@Pippo Thank you for the reply. :smiley:

Unfortunately due to my home's construction, and the nature of my network, and the fact that the PC to be monitored is a laptop that can be anywhere on my property when connected to the network, this is not a viable solution. This is why I am looking for a way to mirror the packets through the router since no matter where the PC is on the property it will be connected to the network even if not in range of the Raspberry Pi's wifi antenna.

I think at this point I am resigned to using iptables to do the job unless someone can suggest a more elegant solution. However I am having trouble with even getting this to work at this point.

What I have done so far:

  1. Installed iptables-mod-tee

  2. Verified the install with: opkg list-installed | grep mod-tee

  3. Tried to load it with modprobe xt_TEE which replied that it was already loaded

  4. I added the following entries to my /etc/firewall.user (192.168.1.a is the ip of the PC, and 192.168.1.b is the ip of the Raspberry Pi):

    # mangle table: clone packets addressed to the PC and hand the clone to the Pi
    iptables -t mangle -A PREROUTING -d 192.168.1.a -j TEE --gateway 192.168.1.b
    iptables -t mangle -A POSTROUTING -d 192.168.1.a -j TEE --gateway 192.168.1.b
    # same for packets sent by the PC
    iptables -t mangle -A PREROUTING -s 192.168.1.a -j TEE --gateway 192.168.1.b
    iptables -t mangle -A POSTROUTING -s 192.168.1.a -j TEE --gateway 192.168.1.b
    
  5. I restarted my firewall

  6. Upon starting up the monitoring software on the Raspberry Pi and creating the desired traffic on the PC I see no confirmation that packets are being received by the Pi.

It is entirely possible that my firewall.user commands are flawed and therefore not running, or that they are flawed and just not doing what I expected. It is also possible that there is another setting on the router that blocks these rules from performing the way they should. I just don't know. Other than the iptables and the normal setup of wifi nothing has been tinkered with on the router so everything else should be default at this point.

On the other hand, if all of that should be correct, and no default settings should prevent it, then I will have to look at the setup on the Raspberry Pi to make sure nothing there is out of sorts.

Any insight is certainly welcome.
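A worked version of the TEE approach, added here as an example and not taken from the post above. It keeps the addresses from the first post (Pi at 192.168.1.a on LAN port 4, laptop at 192.168.1.b on WLAN, both placeholders), uses only two rules so each packet reaches the Pi once, probes with `iptables -C` so a firewall reload does not stack duplicates, and adds a counter check. The `apply`/`status` arguments are an assumption of this script, not part of firewall.user's own interface; call it as `sh /root/mirror.sh apply` from /etc/firewall.user.

```shell
#!/bin/sh
# Added example (not the thread's own firewall.user): mirror one wireless
# client's internet traffic to a wired capture host with the TEE target.
# Assumed addresses follow the first post: Pi at 192.168.1.a, laptop at
# 192.168.1.b (placeholders; substitute the real ones).
PC_IP="${PC_IP:-192.168.1.b}"
PI_IP="${PI_IP:-192.168.1.a}"

# Two rules cover both directions without duplicates:
#   PREROUTING  -s PC  laptop -> internet, seen as it arrives from wlan,
#                      before NAT rewrites anything.
#   POSTROUTING -d PC  internet -> laptop, after conntrack has restored the
#                      laptop's address as the destination.
# A "-d PC" rule in PREROUTING never matches inbound traffic (the destination
# there is still the WAN address), and matching the same direction in both
# chains hands every packet to the Pi twice.
mirror_rules() {
    printf '%s\n' "PREROUTING -s $PC_IP -j TEE --gateway $PI_IP"
    printf '%s\n' "POSTROUTING -d $PC_IP -j TEE --gateway $PI_IP"
}

mirror_rule_count() {
    mirror_rules | wc -l | tr -d ' '
}

# firewall.user runs on every firewall reload, so probe with -C before -A
# to avoid stacking duplicate rules.
apply_mirror_rules() {
    mirror_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086 -- splitting $spec into arguments is intended
        iptables -t mangle -C $spec 2>/dev/null || iptables -t mangle -A $spec
    done
}

# Packet counters show whether the rules match at all: generate traffic on
# the laptop, then look for non-zero pkts/bytes on the TEE lines.
show_mirror_counters() {
    iptables -t mangle -L PREROUTING -v -n | grep TEE
    iptables -t mangle -L POSTROUTING -v -n | grep TEE
}

case "${1:-}" in
    apply)  apply_mirror_rules ;;
    status) show_mirror_counters ;;
esac
```

One detail to keep in mind on the Pi side: TEE only changes where the clone is delivered at layer 2 (the frame is addressed to the Pi's MAC), the IP header still carries the laptop's address. The Pi's own IP stack will discard such packets, but a capture tool that reads the interface directly (libpcap/raw socket, as tcpdump does) sees them, so test with `tcpdump -ni eth0 host 192.168.1.b` on the Pi before blaming the monitoring software.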

There are several reasons why so many applications like this run tcpdump (or similar) on the interface. You’ll likely need to tunnel it over ssh with keys to your remote machine.

Also important to remember that 802.11 frames aren’t Ethernet frames. While the payload might be the same, the headers aren’t.

Edit: You could also run tcpdump or Wireshark on the laptop.
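The tcpdump-over-ssh alternative from the reply above, written out as an added example (not code from any poster). It runs on the Pi, assumes key-based root SSH to the router, the laptop at 192.168.1.b (placeholder), and that the router's wireless interface is wlan0 (an assumption; check with `ip link`). Capturing on the router's wlan netdev already yields Ethernet-framed packets rather than raw 802.11 frames, which sidesteps the header difference the reply points out.

```shell
#!/bin/sh
# Added example (not from the thread): stream a filtered capture from the
# router's wireless interface to the Pi over ssh. Assumes key-based root
# SSH to the router, laptop at 192.168.1.b (placeholder) and wlan0 as the
# router's wireless interface (assumption).
ROUTER="${ROUTER:-root@192.168.1.1}"
PC_IP="${PC_IP:-192.168.1.b}"
WLAN_IF="${WLAN_IF:-wlan0}"

# Build the BPF filter: only packets to or from the laptop, optionally
# narrowed to one TCP/UDP port so the router ships only the subset the
# monitoring tool actually needs.
capture_filter() {
    if [ -n "${1:-}" ]; then
        printf 'host %s and port %s' "$PC_IP" "$1"
    else
        printf 'host %s' "$PC_IP"
    fi
}

# Run tcpdump on the router and pipe pcap to the Pi:
#   -U   flush each packet immediately instead of buffering,
#   -s 0 keep whole packets,
#   -w - write pcap to stdout, which ssh carries over the tunnel.
# The receiving side here is plain tcpdump; replace "tcpdump -nr -" with
# the monitoring tool if it can read pcap from standard input.
remote_capture() {
    port="${1:-}"
    ssh -i /root/.ssh/router_key "$ROUTER" \
        "tcpdump -ni $WLAN_IF -U -s 0 -w - '$(capture_filter "$port")'" \
        | tcpdump -nr -
}
```

Usage: `remote_capture` for everything to and from the laptop, or `remote_capture 443` to keep only one port. Because the filter runs on the router, the WRT1900ACS does the narrowing and only the matching packets cross the wire to the Pi.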