this is probably a non-LEDE-related question, but I decided to ask this question here: is there a way to mirror wireless traffic to an ethernet port?
Background: currently I am into VOIP. And try to learn about proper configuration, try to pentest my internal asterisk configuration using wireshark, kali and my LEDE router as the central unit on which asterisk is running. And I want to monitor my complete network traffic.
Tried: use the mirror option in switch configuration (cpu -> free LAN port), but found out, that except broadcasts only wired traffic is mirrored. I suspect this being a general networking problem (wireless traffic is not controlled by the switch, although VLANs are defined here). Conveniently this also monitors my WAN traffic, but I didn't find an easy way to monitor WLAN-only devices like smartphones and such. Possible solution would be: turn off internal wireless AP and use an external AP and connect it via trunk to one of the LAN ports (I use more than one VLAN for wireless).
Also tried to use wireshark in promiscuous mode, but found out, that none of my wireless client adapters seem to support this mode.
Is there an easy way to internally route wireless traffic through the internal switch, besides using two LAN ports, configure them properly and use an external cable to connect them? There are no free ports left for this in my current configuration besides the mirror port I use for monitoring.
@weedy: many thanx - seems I used the wrong search terms in the past, now found what I 've been looking for. Also seems I need to dig a bit deeper into iptables (as already suspected ).
@Knomax: thank you, too. A bit less of use for me, as I need visible live monitoring, not offline analysis. But an interesting option I haven't come across before (there are so many packets out there )
@Knomax: interesting, too! But of not much use here, as I try to trace SIP, RTP and STUN (VOIP). Target is to learn about proper VOIP configuration and especially ensure I cannot get hacked before I actually put asterisk13 online (asterisk, firewall, routing). Have read lots of stories about unsafe asterisk configurations and people's VOIP accounts having been abused. This is already a huge lot of stuff I now have to learn. But absolutely makes fun to learn as LEDE runs rock-solid (except PJSIP which I haven't managed to get running, so for now I use the older SIP module)
edit: quite interesting to see how often sipvicious-scripts try to analyze my configuration. A huge botnet seems to be out there trying to abuse any unsafe VOIP servers. Let's see if I can configure some honeypot on my LEDE device which could be fun
I am looking for a similar solution for security and training purpose:
I will not use cshark as it is cloud shark capture. I don't think companies would agree to send capture information on the web. At least not in France!
Currently, I use a switch and a small LEDE device:
a LEDE device to sniff network, configured with 2 ports, one for ssh access, the other to sniff network (no configuration).
port mirroring on my switch to mirror all ports 1 to 8 to port 10, except the switch management port and LEDE device used to sniff network.
eth2 port on the LEDE device is connected to port 10 using wired cable.
Then I run tcpdump to dump sessions, example: tcpdump -vv -i eth2 -XX port http
i don't know how to use wireshark using a remote ssh session.
Also, my switch is only IPv4 capable, so I loose all IPv6 features. I think it would be nice to develop a luci app to mirror selected ports to a pipe or a remote address. Something like cshark, but with local control and a solution using wireshark. Do you have any idea how this would look?
port-mirroring is an OpenWrt package that sends copies of network packets from your OpenWrt router to another device on your network or beyond, giving you the ability to monitor and analyze network traffic without additional hardware. Intrusion detection systems, network application debugging, and network performance monitoring are common use cases. This is a continuation of the work started by Bruce Geng at https://code.google.com/p/port-mirroring/.
).
