How to force Linux bridge to output frame on multiple interfaces?

I have a Linksys E2500 router running Tomato v1.28 (Linux kernel 2.6.22.19, no USB drive capability) that is functioning in bridge mode to connect three interfaces:



    root@TomatoE2500Host:/# brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.586d8fb74454       no              eth1
                                                            eth2
                                                            vlan1



  • eth1 is the 2.4 GHz wireless (access point mode - Xbox is only wireless host)

  • eth2 is the 5.0 GHz wireless (client mode to main gateway router / other devices)

  • vlan1 is the 4x LAN Ethernet ports (Windows 10 desktop is only wired host)


The bridge works fine for 'normal' purposes, but I am trying to use the Windows desktop running Wireshark to sniff packets being sent between the Xbox and the main gateway.



    root@TomatoE2500Host:/# brctl showmacs br0
    port no mac addr                is local?       ageing timer
      3     00:01:36:1f:e4:5c       yes                0.00
      2     4c:0b:be:3e:5b:2d       no                36.09
      1     58:6d:8f:b7:44:54       yes                0.00
      2     58:6d:8f:b7:44:56       yes                0.00
      3     68:37:e9:50:ce:f7       no               100.34
      3     6c:56:97:04:1e:3f       no               100.63
      3     a0:cc:2b:ad:46:d1       no               224.45
      3     b0:39:56:69:aa:eb       no                 1.02
      1     f4:6d:04:4f:9f:6a       no                 0.01


Understandably, frames/packets from the Xbox (4c:0b:be:3e:5b:2d) on eth1 (port 2) are only getting pushed to the gateway (b0:39:56:69:aa:eb) on eth2 (port 3) while the wired desktop (f4:6d:04:4f:9f:6a) on vlan1 (port 1) is getting left in the dark.



How do I force frames from the eth1 interface to be broadcast on vlan1 interface, in addition to the default/needed eth2?



It is as if I need a MAC Flooding attack on myself to force the bridge into broadcasting packets on multiple interfaces, instead of relying on its forwarding database (FDB) shown above. But there has to be a better way to enable this, right?

linux networking wireless-networking bridge sniffing

edited Feb 5 at 4:12 by Beerman58

asked Feb 3 at 6:23 by Beerman58

  • Simplest way is not to try to make the bridge do that, but instead put something between the xbox and the bridge (laptop, or network namespace on the router), configure forwarding and/or NAT, and wireshark/tcpdump there.

    – dirkt
    Feb 3 at 11:09











  • If you have tcpdump handy on your Linksys box, you could capture directly on-device.

    – Daniel B
    Feb 3 at 12:10

1 Answer

The forwarding database only supports mapping unicast addresses to one port (which is appropriate for 'unicast' having one destination). There are other methods:





  • You can use iptables' TEE target, as in this SF thread. For this to work you'll need to enable bridge iptables filtering first:



    ip link set dev br0 type bridge nf_call_iptables 1



  • Similarly, you can probably use the dup action in nftables bridge table:



    iifname "br0" dup to "eth0"


  • As in this article, you can use tc with "action mirred" and some other incomprehensible parameters.


  • You can use a userspace program to capture packets on the bridge and forward them through another interface, either raw or encapsulated (e.g. inside a TZSP or ERSPAN tunnel). One example is RSniffer. On the receiving side, Wireshark will automatically recognize the encapsulated packets.



  • You can run tcpdump via SSH and feed its output to a local Wireshark UI:



    ssh router tcpdump -n -i eth2 -s 65535 -w - -U | wireshark -k -i -


    (Yes, the web says you need a USB drive for the "full" 2 MB tcpdump, but surely there's a lite version somewhere (something like dumpcap)? You don't need any of the packet analysis code, for example. It seems like this sort of thing shouldn't need a binary larger than 10 kB...)



  • As a last resort, you can buy another switch or router which has native port-mirroring support. (For example, managed switches tend to have a "mirror port" or a "SPAN port", and RouterOS-based devices have native support for tcpdump-like capture through a TZSP tunnel.)



Note, though, that your Linksys very likely has two bridges stacked – the "vlan1" device (your 4x LAN ports) often represents a hardware switch which has its own independent FDB, so traffic between these ports doesn't reach the software Linux bridge at all.

edited Feb 5 at 5:30

answered Feb 3 at 11:51 by grawity

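The tc variant that the answer's third bullet points to, spelled out as an added example (not the answer's own code nor anything shipped with Tomato): a POSIX sh script that mirrors both directions of one bridge port onto another with act_mirred, so a capture host on the second port sees the traffic. It assumes the router's iproute2 tc has the ingress and prio qdiscs, the u32 classifier and act_mirred available, and it uses the question's interface names eth1 (Xbox side) and vlan1 (wired desktop).

```shell
#!/bin/sh
# Added example, not from the original post or the Tomato project: mirror every
# frame that one bridge port receives or sends onto a second bridge port with
# tc's "mirred" action, so a capture host on the second port sees the traffic.
# Assumed: an iproute2 tc with the ingress and prio qdiscs, the u32 classifier
# and act_mirred available (built in or as modules). Interface names follow the
# question: eth1 carries the Xbox, vlan1 the wired LAN ports with the desktop.
# Without APPLY=1 the tc commands are only printed, so the script can be
# reviewed or tested without root; with APPLY=1 they are executed.

# Emit the tc commands that mirror both directions of $1 onto $2.
mirror_cmds() {
    src=$1
    dst=$2
    # Frames arriving on $src (Xbox -> gateway): the ingress qdisc always gets
    # handle ffff:, and "u32 match u32 0 0" matches every frame.
    echo "tc qdisc add dev $src handle ffff: ingress"
    echo "tc filter add dev $src parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev $dst"
    # Frames leaving $src (gateway -> Xbox): the ingress qdisc never sees them,
    # so install a root prio qdisc and attach the same mirror filter there.
    echo "tc qdisc add dev $src root handle 1: prio"
    echo "tc filter add dev $src parent 1: protocol all u32 match u32 0 0 action mirred egress mirror dev $dst"
}

# Emit the commands that tear the mirror down; deleting a qdisc drops its filters.
unmirror_cmds() {
    src=$1
    echo "tc qdisc del dev $src handle ffff: ingress"
    echo "tc qdisc del dev $src root handle 1: prio"
}

# Either print the command list or feed it to a shell that traces each line
# and stops at the first tc error.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@" | sh -e -x
    else
        "$@"
    fi
}

# Caveat carried over from the answer: the copies leave through vlan1, i.e.
# through the router's hardware switch, which keeps its own FDB. If that switch
# has learned the destination MAC (for example the gateway's) on its CPU port,
# it may send the copy back there instead of to the desktop's port; capturing
# on the router itself, or a switch with a real SPAN port, avoids that.
SRC=${1:-eth1}
DST=${2:-vlan1}
case ${3:-on} in
    on)  run mirror_cmds "$SRC" "$DST" ;;
    off) run unmirror_cmds "$SRC" ;;
    *)   echo "usage: $0 [src-port] [dst-port] [on|off]" >&2; exit 2 ;;
esac
```

Run it once as `APPLY=1 sh mirror.sh eth1 vlan1 on` on the router, start Wireshark on the desktop, and remove the mirror again with `... off` when done.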
  • I think my Linux kernel version (2.6.22.19, added to OP) and sparse modules are a limiting factor for some of these solutions. To your second bullet, nftables is only available for Linux kernels >= 3.13, but something similar to the first bullet should be possible for me using the nftables forerunner commands ebtables/iptables if only I can get the iptables hooks to indeed fire in bridge mode. ...(Cont’d)

    – Beerman58
    Feb 5 at 5:06











  • (Cont’d) ... To that end, ip link set dev br0 type bridge nf_call_iptables 1 throws Error: either "dev" is duplicate, or "type" is a garbage. and the more-general ip link set help reveals no type option. This all from ip -V of ip utility, iproute2-ss070710. I do not seem to have the bridge-nf module available either (Additionally, with iptables v1.3.8 I'll have to stick to the ROUTE target instead of TEE that came in v1.4.8). Will keep digging.

    – Beerman58
    Feb 5 at 5:06













  • The same setting should be available via sysctl, although the exact parameter seems to have changed (serverfault.com/questions/162366/…).

    – grawity
    Feb 5 at 5:26











  • An exhaustive sysctl listing search (which I have to access via the /proc/sys file system) returned no parameters remotely related to ‘nf_call_iptables’. …(Cont’d)

    – Beerman58
    Feb 7 at 5:13











  • (Cont’d)… On a whim, tried moving the Xbox to the gateway’s 5 GHz access point (alongside the Tomato E2500 router’s eth2), then attempting to promiscuously bridge from eth2 to vlan1 using ip link set eth2 promisc on then ebtables -t nat -A PREROUTING -s 4C:0B:BE:3E:5B:2D -j dnat --to-destination F4:6D:04:4F:9F:6A and ebtables -t nat -A PREROUTING -d 4C:0B:BE:3E:5B:2D -j dnat --to-destination F4:6D:04:4F:9F:6A but packet counts show these rules are not getting triggered either. Will try tc or remotely controlled tcpdump next.

    – Beerman58
    Feb 7 at 5:14





















  • I think my Linux kernel version (2.6.22.19, added to OP) and sparse modules are a limiting factor for some of these solutions. To your second bullet, nftables is only available for Linux kernels >= 3.13, but something similar to the first bullet should be possible for me using the nftables forerunner commands ebtables/iptables if only I can get the iptables hooks to indeed fire in bridge mode. ...(Cont’d)

    – Beerman58
    Feb 5 at 5:06











  • (Cont’d) ... To that end, ip link set dev br0 type bridge nf_call_iptables 1 throws Error: either "dev" is duplicate, or "type" is a garbage. and the more-general ip link set help reveals no type option. This all from ip -V of ip utility, iproute2-ss070710. I do not seem to have the bridge-nf module available either (Additionally, with iptables v1.3.8 I'll have to stick to the ROUTE target instead of TEE that came in v1.4.8). Will keep digging.

    – Beerman58
    Feb 5 at 5:06













  • The same setting should be available via sysctl, although the exact parameter seems to have changed (serverfault.com/questions/162366/…).

    – grawity
    Feb 5 at 5:26











  • An exhaustive sysctl listing search (which I have to access via the /proc/sys file system) returned no parameters remotely related to ‘nf_call_iptables’. …(Cont’d)

    – Beerman58
    Feb 7 at 5:13











  • (Cont’d)… On a whim, tried moving the Xbox to the gateway’s 5Ghz access point (alongside the Tomato E2500 router’s eth2), then attempting to promiscuously bridge from eth2 to vlan1 using ip link set eth2 promisc on then ebtables -t nat -A PREROUTING -s 4C:0B:BE:3E:5B:2D -j dnat --to-destination F4:6D:04:4F:9F:6A and ebtables -t nat -A PREROUTING -d 4C:0B:BE:3E:5B:2D -j dnat --to-destination F4:6D:04:4F:9F:6A but packet counts show these rules are not getting triggered either. Will try tc or remotely controlled tcpdump next.

    – Beerman58
    Feb 7 at 5:14



















I think my Linux kernel version (2.6.22.19, added to OP) and sparse modules are a limiting factor for some of these solutions. To your second bullet, nftables is only available for Linux kernels >= 3.13, but something similar to the first bullet should be possible for me using the nftables forerunner commands ebtables/iptables if only I can get the iptables hooks to indeed fire in bridge mode. ...(Cont’d)

– Beerman58
Feb 5 at 5:06





I think my Linux kernel version (2.6.22.19, added to OP) and sparse modules are a limiting factor for some of these solutions. To your second bullet, nftables is only available for Linux kernels >= 3.13, but something similar to the first bullet should be possible for me using the nftables forerunner commands ebtables/iptables if only I can get the iptables hooks to indeed fire in bridge mode. ...(Cont’d)

– Beerman58
Feb 5 at 5:06













(Cont’d) ... To that end, ip link set dev br0 type bridge nf_call_iptables 1 throws Error: either "dev" is duplicate, or "type" is a garbage. and the more-general ip link set help reveals no type option. This all from ip -V of ip utility, iproute2-ss070710. I do not seem to have the bridge-nf module available either (Additionally, with iptables v1.3.8 I'll have to stick to the ROUTE target instead of TEE that came in v1.4.8). Will keep digging.

– Beerman58
Feb 5 at 5:06







The same setting should be available via sysctl, although the exact parameter seems to have changed (serverfault.com/questions/162366/…).

– grawity
Feb 5 at 5:26




