Sniff all traffic in bridge mode

I’m unable to sniff all traffic passing by a bridge. I configured the bridge, between wan and lan0, which seems to be working properly, but I’m unable to capture the traffic passing by.
```text
|Workstation| <----> | int wan | BPI R64 | int lan0 | <----> | End device |
 192.168.1.42          192.168.1.170                          192.168.1.10
```

Both ends reply correctly to ping from the workstation (192.168.1.41) and the web application at the end device is reachable from the other side, so I assume the bridge is properly configured. I’m able to capture traffic destined to or originating from my device (192.168.1.170), but no traffic to the end device (192.168.1.10) is captured. I’m using tcpdump for testing (`tcpdump -i br0`), but I also tried a Python script with scapy, with the same negative result. I already tried to configure different ports, set the ports to promisc mode at boot (only lan ports, only the bridge port, both…), also tried to configure VLANs untagged, changed different settings… In every scenario the bridge was working but I was unable to capture all traffic. I’m using Frank’s image with Debian 10 with kernel 4.9, and now I’m trying his ones with kernel 5.10. Do you have any suggestion what’s happening?

AFAIR we had a similar behavior on R2, is traffic working?

Maybe the bridge is set up in the switch chip, so packets do not reach the SoC to get captured. Maybe you can sniff traffic on eth0?

This is my current /etc/network/interfaces config.

```text
source /etc/network/interfaces.d/*

# Network is managed by Network manager

auto lo
iface lo inet loopback

#CPU ports setup
auto eth0
iface eth0 inet manual
    pre-up ip link set $IFACE up
    post-down ip link set $IFACE down

auto eth1
iface eth1 inet manual
    pre-up ip link set $IFACE up
    post-down ip link set $IFACE down

#Switch ports setup
auto wan
iface wan inet manual
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    post-down ip link set $IFACE down

auto lan0
iface lan0 inet manual
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    post-down ip link set $IFACE down

auto lan1
iface lan1 inet manual
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    post-down ip link set $IFACE down

auto lan2
iface lan2 inet manual
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    post-down ip link set $IFACE down

auto lan3
iface lan3 inet manual
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    post-down ip link set $IFACE down

#Bridge setup
auto br0
iface br0 inet static
    # Create bridge interface
    pre-up ip link add name br0 type bridge
    pre-up ip link set $IFACE up
    #pre-up ip link set $IFACE promisc on
    # IP address setup
    address 192.168.1.170
    netmask 255.255.255.0
    gateway 192.168.1.1
    # Port members
    bridge_ports lan0 lan1 lan2 lan3
    bridge_stp no
    #bridge_maxwait 0
    bridge_fd 5
    post-down ip link set $IFACE down
```

@Frank, I tried `tcpdump -i eth0`, also setting it to promisc mode before, but without success.

Have you enabled this? My image does not use it. If Network manager is active then normally /etc/network/interfaces is omitted.

I guess on eth0 only traffic not mapped to any DSA port is seen. No idea currently how to solve it.

No, I’m not using Network Manager, but copy & paste probably carried this commented line into my config file…

Hi, I’m not sure if I’m 100% right, but I think after you bridged these ports all traffic is passing through the HW bridge, that’s why you can’t sniff anything. I think for you the solution might be a pseudo bridge using: proxy ARP + enabled forwarding + per-port routing (literally it’s IP unnumbered). In this case all packets will be forwarded through the CPU, and you can capture them.

But, in this case, I would need to configure an IP on each bridged interface, isn’t it? So it will not be fully transparent to use…

Not exactly, you would need to configure a route for each IP. For the 192.168.0.0/24 network it should be something like this:

lo: add an additional IP, the gateway 192.168.0.1/32 (or /24, sorry, I don’t remember, but likely /32).

lan0 (imagine a 192.168.0.10 host connected there):

```text
ip route add 192.168.0.10/32 dev lan0
```

lan1 (host 192.168.0.20):

```text
ip route add 192.168.0.20/32 dev lan1
```

etc… You may add more than one IP (route) to a single interface if needed.

Then, you need to enable proxy_arp on these interfaces:

```text
net.ipv4.conf.lan0.proxy_arp=1
net.ipv4.conf.lan1.proxy_arp=1
```

Also, forwarding should be enabled for all used interfaces.

It might be tricky to use it with DHCP enabled, as you’ll need to add a new route on every new host, and I’m not sure how to automate it.

But it works great for static IP.
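The pseudo-bridge recipe above (gateway address on lo, one /32 route per host, proxy_arp and forwarding on each port) as a small POSIX shell helper. This is an added example, not code posted in the thread: it only prints the `ip` and `sysctl` commands, so it can be reviewed first and then piped into `sh` as root. The interface names and host addresses (lan0/lan1, 192.168.0.x) are taken from the answer above purely for illustration; the `IFACE:IP` argument format and the function name are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Emit the commands that turn the DSA
# ports into a CPU-forwarded "pseudo bridge" so tcpdump on lan0/lan1 sees
# the traffic that a hardware-offloaded br0 never shows.
#
# Usage: pseudo_bridge_cmds GATEWAY/PREFIX IFACE:HOSTIP [IFACE:HOSTIP ...]
#   e.g. pseudo_bridge_cmds 192.168.0.1/32 lan0:192.168.0.10 lan1:192.168.0.20 | sudo sh
# A host without a prefix length is treated as a single /32 route.

pseudo_bridge_cmds() {
    gw="$1"
    if [ -z "$gw" ] || [ $# -lt 2 ]; then
        echo "usage: pseudo_bridge_cmds GATEWAY/PREFIX IFACE:IP [IFACE:IP ...]" >&2
        return 1
    fi
    shift

    # Every argument must be IFACE:IP; refuse the whole set on a bad one
    # rather than leaving the box half-configured.
    for pair in "$@"; do
        case "$pair" in
            ?*:?*) ;;
            *) echo "bad argument '$pair' (expected IFACE:IP)" >&2; return 1 ;;
        esac
    done

    # Global forwarding, plus the gateway address the hosts will ARP for.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip addr add $gw dev lo"

    for pair in "$@"; do
        iface="${pair%%:*}"
        host="${pair#*:}"
        case "$host" in
            */*) ;;                  # prefix already given
            *)   host="$host/32" ;;  # single host
        esac
        # Answer ARP for any address we route on behalf of this port, and
        # forward on it. Repeating a sysctl for a port that carries several
        # hosts is harmless.
        echo "sysctl -w net.ipv4.conf.$iface.proxy_arp=1"
        echo "sysctl -w net.ipv4.conf.$iface.forwarding=1"
        echo "ip route add $host dev $iface"
    done
}
```

After applying the output, `tcpdump -i lan0` (or `-i lan1`) shows the host-to-host traffic, because every frame is now routed by the SoC instead of switched inside the chip. As the answer notes, each new DHCP lease would need a fresh `IFACE:IP` entry and a rerun.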