Setting up a network tap

I have security onion installed on Linux VM on a computer that I have set aside specifically for security monitoring and want to set up a network tap out of my OpenWrt router because setting up a SPAN/traffic mirroring is not working. I have read several tutorials and this indicates I need to set up a VLAN through one of the ethernet ports on router -

This is what configuration looks like now on the router panel -

So do I need to tag one of the ethernet ports? If so, doing what exactly? And how should I edit the "Switch" section of /etc/config/network? I did not see any posts in the forum on this subject prior so am interested in any recommendations on this....

Well, it isn't. The picture is trimmed. It doesn't show the existing VLANs you already have (normally hat should be one for LAN and one for WAN).

I'm not sure if you need it tagged or untagged, but thnik it should be untagged. Anyway, what you need to do is that in the switch page, for the LAN VLAN (typically VLAN 1, the first line in the switch configuration panel, you turn a LAN port off (you choose off form the drop down menu).

Then you add a third VLAN (let's call it VLAN 3). You set CPU to tagged, and the LAN port you turned off for VLAN 1, you set it to untagged.

As for the /etc/config/network, if you do the configuration in the GUI, it will update the file.

1 Like

A switch isn't going to work as a "network tap" in its normal mode, as it will only forward packets to the interfaces where it knows the destination MAC address to be. VLANs don't change this.

Some switches support port mirroring, which is what you need to "tap" traffic on one port to a different port. For those switches, assuming the driver also supports it, it can be configured through swconfig.

From a different switch from yours

root@office:/home/jeff# swconfig dev switch0 help
switch0: mdio-bus.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
	Attribute 1 (int): enable_vlan (Enable VLAN mode)
	Attribute 2 (none): reset_mibs (Reset all MIB counters)
	Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
	Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
	Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
	Attribute 6 (int): mirror_source_port (Mirror source port)
	Attribute 7 (int): arl_age_time (ARL age time (secs))
	Attribute 8 (string): arl_table (Get ARL table)
	Attribute 9 (none): flush_arl_table (Flush ARL table)
	Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
	Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
	Attribute 12 (none): apply (Activate changes in the hardware)
	Attribute 13 (none): reset (Reset the switch)

apologies this is what it looks like

So I need to add a new VLAN interface here @Hegabo and then modify on the switch page?

Likely you will need to remove your “monitor” port from all VLANs and then use a script or command-line configuration to set up the monitor, if I understand your goal correctly.

1 Like

For VLANs in general, you do it in the GUI, the config file or the terminal. All do the same thing.

I don't know about network tap though or how it should be done. So you better follow @jeff's advice.

1 Like

I'm going back through documentation and forgive me for being a noob - what would you recommend doing to accomplish this? And this is a prerec to creating a new VLAN specifically for the tap?

Again, no creation of VLANs involved.

You need to decide which port you want the traffic to appear on, and which single port you want to monitor. Let's say that you want to monitor port 1 and have the packets appear on port 4.

  • Remove all references to port 4 in your switch config
  • Manually, or by a script
    • Set mirror_monitor_port to be 4
    • Set mirror_source_port to be 1
    • Set enable_mirror_rx
    • Set enable_mirror_tx

I don't run LuCI, but it would surprise me if port-mirroring options were present. This means command-line configuration. OK, I'm surprised!!


It's there:



so I have a an ethernet cable plugged into Port 2, so I assume this is the port I want traffic to appear on - or is this to monitor? I want to plug the cable then into a laptop running a security onion VM

Does this look properly configured? Again sorry for my noobishness, I'm trying to figure out how to configure properly from GUI

What port mirroring does it to take every packet (or just received or transmitted, if so configured) and make them appear on another "monitor" port. You can then hook up a "packet sniffer" to that monitor port and see all the packets that went in/out of the "source" port.

Usually, you don't want the monitor port to be a member of any VLAN ("off"), and most stand-alone switch prohibit a monitor port from being associated with any VLANs.

From your screenshot, you don't appear to have mirroring options.

so it would be impossible to configure this router for a network tap? I have used it before for port mirroring via pre and post-routing rules in the firewall to a Raspberry Pi running an IDS

You might have been able to duplicate packets that reached the kernel, but that is very different than port mirroring/monitoring. It doesn't capture all the packets that simply enter the switch on one port and depart on another.