Hi guys,
I try to sniff a Network.
I need to dump a network between firewall and LAN. So i must plugin the banana pi with one interface into the firewall and with one interface to the LAN. Which Interfaces must i take for this? How have i to configure the Pi?
Thanks!
You use kernel 4.4.x from official image? Then connect wan to firewall (same ip-net) and any of lan-ports to your lan (other subnet but same as lan-clients), configure forwardind and run tcpdump on lan or wan…
You have to change your client to use r2 as gateway and your r2 to route packets to firewall (default gateway).
If you havr a managed switch, you can sniff over a mirror-port
Understood! Is it not possible to sniff without make changes on the clients? So when i have 20 and more clients it could be very much to change.
You can use dhcp…
Install dhcp-server on r2 for your clients…more info in my wiki. www.fw-web.de/dokuwiki
Unfortunately, this is no solution in my case. I need to use the Pi as a simple Switch. Just the thing, that i sniff the traffic.
I don’t know if r2’s lan-ports can do port-mirroring…
But your switch before will not send traffic to r2 if ot’s npt defined to go through it
for example:
|----firewall------(port0)BPI-R2
|-----(port1)--------LAN
|-----(port2)--------Monitor PC (Run wireshark)
Notes: port0=0x2004, port1=0x2104, port2=0x2204, port3=0x2304, port4=0x2404 bit9=Port Tx Mirror enable, bit8=Port Rx Mirror enable
I’m sorry i do not understand what you mean. Can i not just create a bridge with the /etc/network/interface config and start sniffing?
Where can we set these options? Only in kernel 4.4 or also in 4.14+?
is port0 lan0 or wan? Your picture requires also forwarding if port0=wan,but if using only switch-chip firewall can be connected to lanpport
WAN is not pluged in. Only the cable to the firewall and on the other side the cable to the LAN.
please use mt7530_write() in mt7530.c to modify switch register to enable port mirror https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/net/dsa/mt7530.c?h=next-20190116
Yes, firewall should be connected to LAN port and I just give an example. 
Is there a way to do this from outside the kernel?
struct mt7530_priv *priv = ds->priv;
mt7530_write(priv, reg, val);
what is switch-register and how to interpret your syntax?
If i understand it right,wan should be port0 (1=lan0,…): https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts?h=next-20190116#n161
First is register followed by bits to set in brackets?
So enable portmirroring on port 2 by setting bit 2 (begin on 1 or 0?) on register 0x10? Second step seems then set 3rd bit (port 3) instead of global enable mirroring
is there a interface to sysfs/debugfs, where i can add this commands to make it reachable from userspace?
I still do not understand this. Why have i to configure so much? I only want to sniff on one interface with tcpdump.
I have tried this here but unfortunately, the bridge can not be created…
Is there no easy solution to sniff the traffic? I only need the functionality from a simple not managed switch with an interface i can sniff.
A switch sends packets only to mac-adresses to which frames are adressed…other devices don’t get the packets. You have to workaround this to catch packets
I think of another solution without enabling switch port mirror…
finally, we can use tcpdump to monitor the traffic…
Right. I have tested it but the br0 (bridged interface) came not up. My /etc/network/interface file looks like:
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
auto br0 iface br0 inet dhcp bridge_ports eth0 eth1
can you try to bring bridge manually up?
look at “ip a” if eth0 and eth1 are up before and after
I have tried to create a simple bridge between eth0 and eth1. When i run the command to create the bridge, i get an error:
brctl addbr br0 -> Add bridge failed: Package not installed
I have already installed bridge-utils.