How to use Linux to capture packets on eth0 and send everything to eth1?
Solution 1
You could set up eth0 and eth1 as a bridge, assuming eth0 is connected to the Sagemcom and eth1 is connected to the internet connection. The traffic would pass through the bridge, and you could then run tcpdump on the bridge and capture all of the traffic.
You will need the bridge-utils package.
brctl addbr br0          # create the bridge
brctl addif br0 eth0     # enslave the port facing the Sagemcom
brctl addif br0 eth1     # enslave the port facing the internet connection
ifconfig eth0 up         # member ports must be up or nothing is forwarded
ifconfig eth1 up
ifconfig br0 up
tcpdump -s0 -w dump.pcap -i br0
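The bridge procedure above written out as a script, an added example that is not part of the original answer. It uses iproute2 (ip link) rather than brctl, which newer CentOS releases no longer install by default, keeps the bridge and its ports address-less so the tap is invisible on both sides, and switches off STP and IPv6 on the bridge so the tap itself sends nothing. The names eth0, eth1 and br0 are assumptions taken from the question; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original answer: transparent bridge tap between
# the Sagemcom (eth0) and the Internet connection (eth1), iproute2 edition.
# Interface and bridge names are assumptions; override them via the environment.
# DRY_RUN=1 prints each command instead of executing it (handy for review).
set -eu

BR="${BR:-br0}"
LAN_IF="${LAN_IF:-eth0}"   # port facing the Sagemcom router
WAN_IF="${WAN_IF:-eth1}"   # port facing the Internet connection
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_up() {
    run ip link add name "$BR" type bridge
    # No spanning tree: STP would keep the ports blocked for ~30 s at start
    # and would send BPDUs towards the ISP, which a passive tap should not do.
    run ip link set dev "$BR" type bridge stp_state 0
    for ifc in "$LAN_IF" "$WAN_IF"; do
        # Bridge ports carry no IP address of their own; drop anything DHCP
        # or the installer may have assigned, then enslave the port.
        run ip addr flush dev "$ifc"
        run ip link set dev "$ifc" master "$BR"
        run ip link set dev "$ifc" promisc on
        run ip link set dev "$ifc" up
    done
    # The bridge itself also stays address-less. Disable IPv6 on it so the
    # kernel does not announce the tap via neighbour discovery, and keep
    # netfilter away from bridged frames if br_netfilter happens to be
    # loaded (otherwise a restrictive FORWARD chain could drop them).
    run sysctl -q -w "net.ipv6.conf.$BR.disable_ipv6=1"
    if [ -e /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        run sysctl -q -w net.bridge.bridge-nf-call-iptables=0
    fi
    run ip link set dev "$BR" up
}

bridge_down() {
    for ifc in "$LAN_IF" "$WAN_IF"; do
        run ip link set dev "$ifc" nomaster
        run ip link set dev "$ifc" promisc off
    done
    run ip link set dev "$BR" down
    run ip link del dev "$BR"
}

# Full-length frames (-s0), no reverse DNS (-n: lookups would inject traffic
# of our own into the capture), written to a file for Wireshark.
capture() {
    run tcpdump -i "$BR" -s0 -n -w "$1"
}

case "${1:-}" in
    up)      bridge_up ;;
    down)    bridge_down ;;
    capture) capture "${2:-upgrade.pcap}" ;;
esac
```

Run it as root: sh tap.sh up, then sh tap.sh capture upgrade.pcap, and sh tap.sh down afterwards. On a CentOS host running NetworkManager, mark the two NICs unmanaged first (nmcli dev set eth0 managed no) or it will hand them addresses again behind your back. Because the bridge has no address you cannot reach the box over those two ports; use a third NIC or the console. Note that tcpdump's -A only affects on-screen decoding and does nothing when combined with -w, so -s0 -n -w is all the capture needs.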
Solution 2
First you'd set your CentOS box up as a router, which basically involves enabling packet forwarding (usually a machine is the destination), if you want to let traffic pass through.
The simple part of that is changing /etc/sysctl.conf. Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
Then you'd set eth0 in one network, eth1 in the other, and add a route between the networks.
Configuring other things like firewalls or selinux is up to you.
I'd use tcpdump -s0 -n host <router IP> -w upgrade.pcap -i any
Though some of that might be redundant, for example, if you're listening for traffic going to and from the router IP, you shouldn't need to specify much in the way of interfaces, I believe.
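The router procedure above as a script, an added example that is not part of the original answer. It assumes the Sagemcom's WAN port is attached to eth0 in 192.168.10.0/24 and the Internet connection to eth1 in 192.168.20.0/24 with an upstream gateway at 192.168.20.1; all of these addresses are placeholders. It refuses to start when both NIC addresses fall in the same subnet, because the kernel only routes between different networks, and it captures on the Sagemcom-facing port instead of -i any.

```shell
#!/bin/sh
# Added example, not from the original answer: CentOS host as a router between
# the Sagemcom (eth0 side) and the Internet connection (eth1 side).
# All addresses and interface names below are placeholders/assumptions.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

LAN_IF="${LAN_IF:-eth0}"                 # towards the Sagemcom's WAN port
LAN_ADDR="${LAN_ADDR:-192.168.10.1/24}"
WAN_IF="${WAN_IF:-eth1}"                 # towards the Internet connection
WAN_ADDR="${WAN_ADDR:-192.168.20.2/24}"
WAN_GW="${WAN_GW:-192.168.20.1}"         # upstream gateway on the eth1 side
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted quad -> 32-bit integer, in pure shell so the check needs no ipcalc.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Print 1 if both a.b.c.d/len arguments lie in the same network (judged by
# the first argument's prefix length), else 0. Two NICs in one subnet is the
# classic reason a freshly configured "router" forwards nothing.
same_subnet() {
    net1="${1%/*}"; len="${1#*/}"; net2="${2%/*}"
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    if [ $(( $(ip2int "$net1") & mask )) -eq $(( $(ip2int "$net2") & mask )) ]; then
        echo 1
    else
        echo 0
    fi
}

router_up() {
    if [ "$(same_subnet "$LAN_ADDR" "$WAN_ADDR")" = 1 ]; then
        echo "error: $LAN_ADDR and $WAN_ADDR share a subnet; use two different networks" >&2
        return 1
    fi
    # Runtime switch; the sysctl.conf edit makes it survive a reboot.
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add "$LAN_ADDR" dev "$LAN_IF"
    run ip link set dev "$LAN_IF" up
    run ip addr add "$WAN_ADDR" dev "$WAN_IF"
    run ip link set dev "$WAN_IF" up
    run ip route replace default via "$WAN_GW" dev "$WAN_IF"
    # Let the box forward, and hide the Sagemcom's private address behind the
    # upstream address so replies find their way back.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Capture on the Sagemcom-facing port only: -i any would record every
# forwarded packet twice (once per NIC), and on eth0 the source address is
# still the Sagemcom's own, before NAT rewrites it.
capture() {
    run tcpdump -i "$LAN_IF" -s0 -n -w "$1"
}

case "${1:-}" in
    up)      router_up ;;
    capture) capture "${2:-upgrade.pcap}" ;;
esac
```

Run as root: sh router.sh up, then sh router.sh capture upgrade.pcap. In router mode the Sagemcom's WAN port has to be told about the new network (a static address in 192.168.10.0/24 with 192.168.10.1 as gateway, or a DHCP server on eth0), which is a configuration change on the very device you want to observe; the bridge in Solution 1 needs none of that, so for a one-off capture it is the less invasive choice.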
Sandra
Updated on September 18, 2022
Comments
- Sandra over 1 year
Today I got an enterprise Internet connection together with a Sagemcom router. The first time it is connected to the Internet, it will spend 20 minutes upgrading the firmware.
I would really like to capture all the traffic for this upgrade using a CentOS host with two NICs, with the purpose to figure out how upgrades are authenticated. E.g. with a secret user account and passphrase?
If I want to put the CentOS host between the Internet connection and the router:
Question
- How do I configure CentOS, so all traffic going in at eth0 goes out at eth1?
- Is tcpdump -s0 -A -w upgrade.pcap -nni eth0 correct, if I want to use Wireshark later on to inspect the packets?
- Sandra about 11 years
Shall I give eth0 and eth1 static IP addresses, e.g. 192.168.1.100 and 192.168.1.101?
- Aaron Bush about 11 years
You may also want to take a look at tcpreplay (tcpreplay.synfin.net/wiki/manual) for some fun with replaying that captured traffic.