Sniff network with the Pi

DSA ports seem not to support promiscuous mode… only traffic targeting the R2 can be captured… all other traffic (going through br0) is not shown.


Unfortunately, it still does not work.

It cannot be that hard to create a dump. I just tested it with a server. It works (as expected) wonderfully.

I guess it's only a "setting" missing in the DSA driver.

Maybe it's only a flag that needs to be handled…

Okay. So what do I have to do now? ^^

@Ryder.Lee @moore, can you help here with getting promiscuous mode working on DSA ports?

I see some messages in my boot logs:

[   12.431431] device lan1 entered promiscuous mode
[   12.431439] device eth0 entered promiscuous mode
[   12.689326] device lan2 entered promiscuous mode

but I guess it is not really set in the switch (mt7530).

Did you try to use the commands below to enable promiscuous mode?

# ifconfig br0 promisc
# ip link set br0 promisc on

Hi,

I have tried your suggestion, but it seems like it does not help…

IMHO tcpdump always tries to automatically set the device it listens on to promiscuous mode (except if -p is set). I guess the mode is set in software, but not set in hardware, because it is not handled in the driver (mt7530.c).

Is it right to set promiscuous mode on br0 and not on the incoming DSA port? I only used this for capturing on hw ports, but not in combination with sw bridges.

Does someone have an idea? I need this as soon as possible…
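As an added example (not code from the thread or from the BPI-R2 kernel project), this script answers the question of where the promiscuous flag actually ends up: it decodes the IFF_PROMISC bit (0x100, from linux/if.h) out of /sys/class/net/<dev>/flags for the bridge and each of its member ports, and it sets promisc on the member ports themselves rather than only on br0. The interface names are assumptions; whether the mt7530 honours the flag in hardware is exactly what the thread could not confirm, so the script only shows what the kernel believes is set.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: /sys/class/net/<dev>/flags holds the interface flags as a hex
# word, IFF_PROMISC is bit 0x100, and br0/lan0/lan1 are example names.

# Return 0 if the hex flags word (e.g. 0x1103) has IFF_PROMISC set, else 1.
promisc_from_flags() {
    flags=$(( $1 ))                 # sh arithmetic accepts 0x... constants
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Print "<dev> promisc=yes|no" for the bridge and every member port.
# Usage: report_promisc br0
report_promisc() {
    br=$1
    for dev in "$br" /sys/class/net/"$br"/brif/*; do
        dev=${dev##*/}
        [ -r /sys/class/net/"$dev"/flags ] || continue
        if promisc_from_flags "$(cat /sys/class/net/"$dev"/flags)"; then
            echo "$dev promisc=yes"
        else
            echo "$dev promisc=no"
        fi
    done
}

# Enable promiscuous mode on each member port of the bridge (the switch port
# that actually receives the frames), not just on br0. Needs root.
# Usage: set_ports_promisc br0
set_ports_promisc() {
    br=$1
    for path in /sys/class/net/"$br"/brif/*; do
        port=${path##*/}
        [ -e "$path" ] || continue
        ip link set dev "$port" promisc on
    done
}
```

Run `report_promisc br0` before and after `set_ports_promisc br0`; the "device lan1 entered promiscuous mode" lines in dmesg correspond to the flag flipping here. tcpdump sets the flag itself on the interface it is given (`tcpdump -ni lan1`), and `-p` tells it not to, so compare captures with and without `-p` on the port versus on br0 to see which one the frames from the other ports actually reach.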

https://lore.kernel.org/patchwork/patch/983190/

I guess that causes the issue.

So change to the latest user-land tools.

Which tools do you mean to update? bridge-utils, iproute2?

IMHO users should use the actual tools provided by the distribution and not need to self-compile them. Can we simply revert this patch?

Are 4.14 and 4.19 affected? I did not find this commit message in the stable git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.19.y&qt=grep&q=Expose+tagging+protocol

At least 4.14 and 4.19 do not contain this patch (I found no tagging_show function in net/dsa/slave.c).

Hello,

I'm using firewalld on the BPI-R2 device, and it requires the ebtables module, which it seems is not compiled into the kernel. I'm using version 4.19.26.

ERROR: ‘/usr/sbin/ebtables-restore --noflush’ failed: modprobe: FATAL: Module ebtables not found in directory /lib/modules/4.19.26-bpi-r2-main

ebtables is not for packet sniffing, so it is off-topic here… I have added ebtables support in my repo, so the next Travis build should work:

https://travis-ci.com/frank-w/BPI-R2-4.14/jobs/183424253

Sorry, I was searching for some thread related to the ebtables module, so I found this. Thanks for updating the kernel image.

Solution from @moore: maybe this (define a VLAN for each DSA port and the CPU port) can be used to sniff traffic on the bridge:

ifconfig eth0 up
ifconfig lan1 up
ifconfig lan0 up
brctl addbr br0
brctl addif br0 lan1
brctl addif br0 lan0
vconfig add br0 10
ifconfig br0 up
ifconfig br0.10 10.10.10.254 netmask 255.255.255.0
echo 1 > /sys/class/net/br0/bridge/vlan_filtering
echo 1 > /sys/class/net/br0/bridge/vlan_stats_enabled
bridge vlan show
bridge vlan add dev lan0 vid 10 # define vlan10 for lan0
bridge vlan add dev br0 vid 10 self
bridge vlan show

If you are using ip instead of ifconfig (shortened, only as an example):

ip link set eth0 up
ip link add link br0 name br0.10 type vlan id 10
ip addr add 10.10.10.254/24 dev br0.10

I have not tried it yet, because I have no bridge on my device and currently not much free time. If I understand it right, you can let tcpdump listen on br0.10 to get lan0 traffic.
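Since the `ip` version above is only a fragment, here is the complete ip/bridge translation of the brctl/vconfig procedure, as an added example (not code from the thread, from @moore, or from the BPI-R2 kernel project). It is wrapped in a dry-run helper so the generated commands can be reviewed before running them as root. The port names, VID 10 and 10.10.10.254/24 are assumed example values, and the thread does not confirm that this works on the mt7530.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: eth0 is the CPU port, lan0 is the port to sniff, lan1 is the
# other bridged port; VID and address are example values.

# Echo each command instead of executing it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: setup_sniff_vlan <cpu-port> <sniffed-port> <other-port> <vid> <addr/prefix>
setup_sniff_vlan() {
    cpu=$1; sniff=$2; other=$3; vid=$4; addr=$5
    run ip link set dev "$cpu" up
    run ip link set dev "$sniff" up
    run ip link set dev "$other" up
    # bridge the two switch ports (brctl addbr / addif)
    run ip link add name br0 type bridge
    run ip link set dev "$sniff" master br0
    run ip link set dev "$other" master br0
    # VLAN sub-interface on the bridge (vconfig add br0 <vid>)
    run ip link add link br0 name "br0.$vid" type vlan id "$vid"
    run ip link set dev br0 up
    run ip addr add "$addr" dev "br0.$vid"
    # same as the two sysfs writes: VLAN filtering plus per-VLAN counters
    run ip link set dev br0 type bridge vlan_filtering 1 vlan_stats_enabled 1
    # put the sniffed port and the bridge device itself into the VLAN
    run bridge vlan add dev "$sniff" vid "$vid"
    run bridge vlan add dev br0 vid "$vid" self
    run bridge vlan show
}

# Command line to capture the sniffed port's traffic via the VLAN interface.
# Usage: capture_cmd <vid> <outfile>
capture_cmd() {
    echo "tcpdump -ni br0.$1 -w $2"
}
```

Review with `DRY_RUN=1 setup_sniff_vlan eth0 lan0 lan1 10 10.10.10.254/24`, then run it without DRY_RUN as root and start the capture printed by `capture_cmd 10 lan0.pcap`. A later reply in this thread reports that the `bridge vlan add dev lan0 vid 10` step took the bridge down on 5.4, so check `bridge vlan show` and `ip link show br0` right after running it.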

Sorry Frank,

This doesn't work for me either. The "bridge vlan add dev lan0 vid 10" turns off the bridge.

I use 5.4.58-bpi-r2-main kernel.

Thank you Frank again for your great work for the community.

Can you try the 5.10/5.11 kernel? There was some work on the VLAN awareness of bridges, maybe it works now.

Did you finally solve it? I'm in the same situation. I'm really frustrated, because I'm unable to reach a solution with bridging… I'm going to test it the old way, with ARP proxy, but I know that it is not the best choice.

Hello, how can I access the switch registers? Is there an application or an easy way to do this using the command line?

There is a userspace tool called devmem2. AFAIR you need the CONFIG_DEVKMEM option to get /dev/kmem working for it. IMHO it should not be used in production environments, as it gives full access to memory and is a potential security hole.