Sniffing router traffic with OpenWrt

Hello,
i have an R7800 with plain OpenWrt (23.05)
I'm trying to sniff the traffic of my new router towards the ONT, so on the switch i assigned 2 ports to a tagged vlan
basically, i'm doing a mitm between the router and the ont
the problem: stupidly i thought i could easily assign switch ports to the vlan and then tcpdump eth0.vlan
i was wrong. tcpdump does not sniff the device (it does not exist in ifconfig)
so i tried creating an interface "unmanaged", now i can tcpdump it but i see no traffic (while the router connection is up and running)
what am i doing wrong?
thanks

You need a software bridge between the lan port and the wan port of the r7800 as you need to force the traffic via the CPU to be able to capture it. Lan to lan traffic likely never leaves the switch... alternatively you can use 2 lan ports with different vlans and route between them on the CPU....

A simpler approach might be to get a managed switch which offers port duplication?

hello, thanks for the feedback :slight_smile:
not sure i got what you said, would this be a correct setup? should i tag both "cpu"?

do you think "unmanaged" is the right config for the interface?
thanks

i also have some managed switches around, so let me understand: i dedicate 2 ports, tagged, for the mitm and then i mirror one of those (untagged?) to tcpdump it. but what would be the endpoint on the other side of the cable?
thanks

Not sure, I would look under the device tab on:
https://192.168.0.1/cgi-bin/luci/admin/network/network
and then create a new bridge device and add the two ports there...

No, if you have that bridge defined as say br-monitor you should be able to capture via:
tcpdump -i br-monitor -U -s 128 -w my_capture_file
(see here for how to capture directly to a different machine)
note that you should not try to capture on the router's flash memory...
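
Added example, not from the thread: a quick check of a file written by the `tcpdump ... -s 128 -w` command above, counting frames, how many were cut at the snap length, and which 802.1Q VLAN IDs appear (useful when the capture looks empty or the wrong VLAN shows up). It assumes the classic pcap format with Ethernet link type that `tcpdump -w` writes; the sample bytes and VLAN ID 10 are constructed.

```python
import struct
from collections import Counter

# Classic microsecond pcap magic, little- and big-endian writers.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def summarize_pcap(data):
    """Return (snaplen, frames, truncated, Counter of VLAN IDs; None = untagged)."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    frames = truncated = 0
    vlans = Counter()
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # file ends mid-record (capture was interrupted)
        off += 16 + incl_len
        frames += 1
        truncated += orig_len > incl_len  # frame was cut at the snap length
        vid = None
        if len(frame) >= 16 and frame[12:14] == b"\x81\x00":  # 802.1Q TPID
            vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        vlans[vid] += 1
    return snaplen, frames, truncated, vlans

def build_sample():
    """Constructed capture: two tagged frames cut at 128 bytes, one untagged ARP-sized frame."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 128, 1)
    macs = bytes(6) + bytes.fromhex("020000000001")
    tagged = macs + b"\x81\x00" + struct.pack("!H", 10) + b"\x08\x00" + bytes(110)
    untagged = macs + b"\x08\x06" + bytes(46)
    rec = lambda f, orig: struct.pack("<IIII", 0, 0, len(f), orig) + f
    return hdr + rec(tagged, 1518) + rec(tagged, 1518) + rec(untagged, 60)

if __name__ == "__main__":
    snaplen, frames, truncated, vlans = summarize_pcap(build_sample())
    print(f"snaplen={snaplen} frames={frames} truncated={truncated}")
    for vid, n in vlans.items():
        print(f"  vlan={'untagged' if vid is None else vid}: {n} frames")
```

To run it on a real capture, pass the file contents: `summarize_pcap(open("my_capture_file", "rb").read())`.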