Sniff network with the Pi

frank-w · January 21, 2019, 2:01pm

Dsa-ports seem not supporting promiscuous mode…only traffic targeting r2 can be captured…all other (going through br0) are not shown

Sessa45 · January 23, 2019, 10:13am

Unfortunately, it still does not work work.

It can not be that hard to create a dump. I just tested it with a server. Works (as expected) wonderful.

frank-w · January 23, 2019, 11:49am

I guess its only a “setting” missing in dsa-driver

maybe it’s only a flag that needs to br handled…

github.com

torvalds/linux/blob/master/net/bridge/br_if.c#L147


* under RTNL so can skip using rcu primitives.
*/
void br_manage_promisc(struct net_bridge *br)
{
	struct net_bridge_port *p;
	bool set_all = false;


	/* If vlan filtering is disabled or bridge interface is placed
	 * into promiscuous mode, place all ports in promiscuous mode.
	 */
	if ((br->dev->flags & IFF_PROMISC) || !br_vlan_enabled(br->dev))
		set_all = true;


	list_for_each_entry(p, &br->port_list, list) {
		if (set_all) {
			br_port_set_promisc(p);
		} else {
			/* If the number of auto-ports is <= 1, then all other
			 * ports will have their output configuration
			 * statically specified through fdbs.  Since ingress
			 * on the auto-port becomes forwarding/egress to other

Sessa45 · January 23, 2019, 12:47pm

Okay. So what have i to do now? ^^

frank-w · January 23, 2019, 2:14pm

@Ryder.Lee @moore can you help here getting promiscuous mode working on dsa-ports?

i see some messages in my bootlogs

[   12.431431] device lan1 entered promiscuous mode                                                                                   
[   12.431439] device eth0 entered promiscuous mode                                                                                   
[   12.689326] device lan2 entered promiscuous mode

but i guess it is not really set in switch (mt7530)

moore · January 23, 2019, 11:56pm

Did you tey to use below command to enable promiscuous mode?

#ifconfig br0 promisc #ip link set br0 promisc on

Sessa45 · January 24, 2019, 12:33pm

Hi,

i have tried your suggestion but it seems like it does not help …

frank-w · January 24, 2019, 1:57pm

imho tcpdump always try to set the device which listens on automaticly to promiscuous mode (except if -p is set). i guess mode is set in software, but not set in hardware, because it is not handled in driver (mt7530.c)

is it right to set promiscuous mode to br0 and not to the incoming dsa-port? i only used this for catching hw-ports but not in combination with sw-bridges.

Sessa45 · January 25, 2019, 12:27pm

Someone an idea? I need this as soon as possible …

linkerosa · February 24, 2019, 7:32am

https://lore.kernel.org/patchwork/patch/983190/

I guess that it causes the issue

So change to the latest user-land tools

frank-w · February 24, 2019, 8:11am

Which tools do you mean for update? Bridge-utils iproute2

Imho users should use actual tools provided by distibution and not need to self compile them. Can we/simply revert this patch?

Is 4.14 and 4.19 affected? I did not find this commit-message in stable git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.19.y&qt=grep&q=Expose+tagging+protocol

at least 4.14 and 4.19 does not contain this patch (found no tagging_show function in net/dsa/slave.c)

cioby23 · March 8, 2019, 8:18am

Hello,

I’m using firewalld on the BPI-R2 device and it requires ebtables module and it seems is not compiled into the kernel. I’m using version 4.19.26

ERROR: ‘/usr/sbin/ebtables-restore --noflush’ failed: modprobe: FATAL: Module ebtables not found in directory /lib/modules/4.19.26-bpi-r2-main

frank-w · March 8, 2019, 4:37pm

ebtables is not for packet-sniffing, so off-topic here…i have added ebtables support in my repo so next travis build should work

https://travis-ci.com/frank-w/BPI-R2-4.14/jobs/183424253

cioby23 · March 8, 2019, 5:26pm

Sorry I was searching for some thread related to ebtables module so I found this. Thanks for updating the kernel image.

frank-w · April 5, 2019, 1:33pm

solution from @moore : maybe this (define vlan for each dsa-port and the cpu-port) can be used to sniff traffic on the bridge:

ifconfig eth0 up
ifconfig lan1 up
ifconfig lan0 up
brctl addbr br0
brctl addif br0 lan1
brctl addif br0 lan0
vconfig add br0 10
ifconfig br0 up
ifconfig br0.10 10.10.10.254 netmask 255.255.255.0
echo 1 > /sys/class/net/br0/bridge/vlan_filtering
echo 1 > /sys/class/net/br0/bridge/vlan_stats_enabled
bridge vlan show
bridge vlan add dev lan0 vid 10 # define vlan10 for lan0
bridge vlan add dev br0 vid 10 self
bridge vlan show

if you are using ip instead ifconfig (shortened only as example):

ip link set eth0 up
ip link add link br0 name br0.10 type vlan id 10
ip addr add 10.10.10.254/24 dev br0.10

have not tried it yet, because i have no bridge on my device and currently not much freetime. if i understand it right, you can let tcpdump listen to br0.10 to get lan0-traffic

jacekh · February 19, 2021, 9:37am

Sorry Frank

This doesn’t work for me also. The “bridge vlan add dev lan0 vid 10” turns off the bridge.

I use 5.4.58-bpi-r2-main kernel.

Thank you Frank again for your great work for the community.

frank-w · February 19, 2021, 12:51pm

Can you try 5.10/5.11 kernel? There was some work on the vlan awareness of bridges,maybe it works now.

xavier-amill · November 19, 2021, 1:13pm

Did you finaly solve it? I’m in the same situation. I’m really frustrated, due I’m unable to reach a solution with bridging… Im’ going to test it at old style, with ARP Proxy, but I really know that is is not the best choice.

lalmi · January 19, 2024, 9:22am

Hello, How to access switch registers ? is there an application or an easy way to do this using command line ?

frank-w · January 19, 2024, 8:09pm

There is a userspace tool called devmem2. Afair you need CONFIG_DEVKMEM option to get /dev/kmem to work on it. Imho it should not be used in productive environments as it gives full access to memory and is potential security hole