For debugging reasons I need to see what network traffic, especially TCP, is transmitted or not.

I thought about using an Endian firewall for this, but it doesn't support 2 network interfaces with the same IP range.

I am looking for a Linux solution which I can plug between the two switches in order to monitor all traffic passing by.

What I found out so far is that I am probably searching for a "transparent firewall" solution.

Dukeatcoding

3 Answers

2

The best option for me would be to put a network tap between the switches. You can, however, put a Linux box with 2 interfaces and set it up as a bridge.

# the member ports must be up, otherwise the bridge forwards nothing
ip link set dev eth0 up
ip link set dev eth1 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
# ageing 0: the bridge keeps no MAC table, so every frame is flooded to both ports
brctl setageing br0 0
# no IP address on br0, so the monitoring box stays passive on the segment
ip link set dev br0 up promisc on

Then you can look at the traffic traversing the bridge using tcpdump as usual.

tcpdump -i br0
Spack
  • That sounds interesting, can I use tcpdump after that to see the traffic going through? – Dukeatcoding Apr 22 '13 at 12:48
  • Yes you can, `tcpdump -i br0`. – Spack Apr 22 '13 at 12:51
  • I am reading the brctl man page right now, looks interesting. If I read your code I get: 1. setup broadcast 2. add eth0 3. add eth1; what do the last 2 lines do? – Dukeatcoding Apr 22 '13 at 12:52
  • Ageing is the bridge's ability to remember on which port a MAC address has been seen. The command prevents deletion and gives faster forwarding. It is not mandatory, however. The last command is just to bring the bridge up; `promisc on` asks the kernel to look at every frame even if it is not for the bridge (MAC address), so you can monitor all the traffic. – Spack Apr 22 '13 at 13:00
  • OK nice, I am preparing an Ubuntu system atm and will try it. – Dukeatcoding Apr 22 '13 at 13:01
  • Seems to work, but I don't see logs when I am browsing on the Mac mini with tcpdump, only some other network logs like OpenVPN. – Dukeatcoding Apr 22 '13 at 13:11
  • `tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' -i br0` looks promising. – Dukeatcoding Apr 22 '13 at 13:15
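As an added example (not code from the original answer or from Server Fault), here is the same monitoring bridge built with the current iproute2 commands instead of brctl, written as a script that prints its plan before anything runs as root. The names br0, eth0 and eth1, the pcap path, and a separate management NIC outside the bridge are assumptions.

```shell
#!/bin/sh
# Added example: transparent monitoring bridge with iproute2.
# Assumptions: br0 is the bridge, eth0/eth1 are the two ports plugged into
# the switches, and management uses a third NIC that is not part of br0.

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build a non-learning bridge from the two ports. ageing_time 0 is the
# iproute2 equivalent of "brctl setageing br0 0": no forwarding table is
# kept, so every frame is flooded to both ports.
setup_bridge() {
    br="$1"; a="$2"; b="$3"
    run ip link add name "$br" type bridge ageing_time 0
    run ip link set dev "$a" master "$br"
    run ip link set dev "$b" master "$br"
    # ports must be up before the bridge forwards; promisc so every frame
    # is passed up regardless of destination MAC
    run ip link set dev "$a" up promisc on
    run ip link set dev "$b" up promisc on
    run ip link set dev "$br" up promisc on
    # Never assign an address to br0, and switch IPv6 off on it: otherwise
    # the monitor answers ARP and emits neighbour discovery, i.e. it becomes
    # visible on the segment it is supposed to watch.
    run sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
}

# List the ports the kernel actually attached (sysfs), to verify the setup.
bridge_ports() {
    ls "/sys/class/net/$1/brif"
}

# Capture to a pcap with full snaplen. -n stops tcpdump from resolving
# names, which would otherwise send DNS queries out of the management NIC.
capture() {
    run tcpdump -ni "$1" -s 0 -w "$2"
}

if [ "$#" -ge 3 ]; then
    setup_bridge "$1" "$2" "$3"
fi
```

Run it once as `DRY_RUN=1 ./bridge.sh br0 eth0 eth1` to review the plan, then as root with `DRY_RUN=0`, and check `bridge_ports br0` lists both NICs. Unlike the passive tap suggested in the other answers, a software bridge is an active element in the path: if the box reboots or the bridge is torn down, the link between the two switches goes down with it.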
1

From your post I understand that:

  • One of the two switches is a Cisco switch.
  • You only want to monitor traffic between the two switches, not including traffic from the non-Cisco switch to other destinations.

In this case, connect a machine, Linux or otherwise, to your Cisco switch. On the Cisco switch, configure port mirroring to copy all packets to the port where your machine is.

On your machine, use tcpdump, Wireshark or anything like that.

This does not require a Cisco switch; any managed switch which has the port monitoring feature will do.

ETL
0

If it's only about monitoring and not filtering, a passive network tap device would work.

https://en.wikipedia.org/wiki/Network_tap

http://www.altsec.info/passive-network-tap.html

rhasti