Sniff network with the Pi


Hi guys,

I try to sniff a Network.

I need to dump a network between firewall and LAN. So i must plugin the banana pi with one interface into the firewall and with one interface to the LAN. Which Interfaces must i take for this? How have i to configure the Pi?


(Frank W.) #2

You use kernel 4.4.x from official image? Then connect wan to firewall (same ip-net) and any of lan-ports to your lan (other subnet but same as lan-clients), configure forwardind and run tcpdump on lan or wan…

You have to change your client to use r2 as gateway and your r2 to route packets to firewall (default gateway).

If you havr a managed switch, you can sniff over a mirror-port


Understood! Is it not possible to sniff without make changes on the clients? So when i have 20 and more clients it could be very much to change.

(Frank W.) #4

You can use dhcp…

Install dhcp-server on r2 for your clients…more info in my wiki.


Unfortunately, this is no solution in my case. I need to use the Pi as a simple Switch. Just the thing, that i sniff the traffic.

(Frank W.) #6

I don’t know if r2’s lan-ports can do port-mirroring…

But your switch before will not send traffic to r2 if ot’s npt defined to go through it


I have no switch before. I show you what i mean:

(moore liu) #8

for example:

                               |-----(port2)--------Monitor PC (Run wireshark)
  1. set switch resgier offset 0x10[2:0]=0’b10 //monitor port=2
  2. set switch register offset 0x10[3]=0’b1 //enable port mirror
  3. set switch register offset 0x2004[9:8]=0’b11 //target port = port 0 tx&rx traffic
  4. set switch register offset 0x2104[9:8]=0’b11 //target port = port 1 tx&rx traffic

Notes: port0=0x2004, port1=0x2104, port2=0x2204, port3=0x2304, port4=0x2404 bit9=Port Tx Mirror enable, bit8=Port Rx Mirror enable


I’m sorry i do not understand what you mean. Can i not just create a bridge with the /etc/network/interface config and start sniffing?

(Frank W.) #10

Where can we set these options? Only in kernel 4.4 or also in 4.14+?

is port0 lan0 or wan? Your picture requires also forwarding if port0=wan,but if using only switch-chip firewall can be connected to lanpport


WAN is not pluged in. Only the cable to the firewall and on the other side the cable to the LAN.

(moore liu) #12

please use mt7530_write() in mt7530.c to modify switch register to enable port mirror

Yes, firewall should be connected to LAN port and I just give an example. :slight_smile:

(Frank W.) #13

Is there a way to do this from outside the kernel?

struct mt7530_priv *priv = ds->priv;
mt7530_write(priv, reg, val);

what is switch-register and how to interpret your syntax?

If i understand it right,wan should be port0 (1=lan0,…):

First is register followed by bits to set in brackets?

So enable portmirroring on port 2 by setting bit 2 (begin on 1 or 0?) on register 0x10? Second step seems then set 3rd bit (port 3) instead of global enable mirroring

is there a interface to sysfs/debugfs, where i can add this commands to make it reachable from userspace?


I still do not understand this. Why have i to configure so much? I only want to sniff on one interface with tcpdump.

I have tried this here but unfortunately, the bridge can not be created…

Is there no easy solution to sniff the traffic? I only need the functionality from a simple not managed switch with an interface i can sniff.

(Frank W.) #15

A switch sends packets only to mac-adresses to which frames are adressed…other devices don’t get the packets. You have to workaround this to catch packets

  1. Sending all packets to it by defining your sniffer as router…you have to use different subnets and route between
  2. Copy all packets to a mirror-port (ignore mac-address)

(moore liu) #16

I think of another solution without enabling switch port mirror…

  1. connect firewall to port0
  2. connect LAN to port 1
  3. add eth1 and eth0 into br0 interface, so LAN traffic between Port0 and Port1 will be forwarded by br0

finally, we can use tcpdump to monitor the traffic…


Right. I have tested it but the br0 (bridged interface) came not up. My /etc/network/interface file looks like:

auto lo

iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto br0 iface br0 inet dhcp bridge_ports eth0 eth1

(Frank W.) #18

can you try to bring bridge manually up?

look at “ip a” if eth0 and eth1 are up before and after


I have tried to create a simple bridge between eth0 and eth1. When i run the command to create the bridge, i get an error:

brctl addbr br0 -> Add bridge failed: Package not installed

I have already installed bridge-utils.

(Frank W.) #20

strange…try to reinstall it…