How to use Linux to capture packets on eth0 and send everything to eth1?


Solution 1

You could set up eth0 and eth1 as a bridge, assuming eth0 is connected to the Sagemcom and eth1 is connected to the Internet connection. The traffic would pass through the bridge, and you could then run tcpdump on the bridge and capture all of the traffic.

You will need the bridge-utils package.

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

tcpdump -s0 -w dump.pcap -i br0
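A script form of the bridge set-up above, added here as an example and not part of the original answer. It assumes bridge-utils (brctl), iproute2 and tcpdump are installed and that it runs as root; the names br0, eth0, eth1 and upgrade.pcap are taken from the thread, and DRY_RUN=1 only prints the commands it would execute.

```shell
#!/bin/sh
# Transparent bridge plus full-packet capture, with a dry-run mode.
# Added example; assumes brctl, ip and tcpdump exist and root privileges.

run() {
    # Execute the command, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_up() {
    br="$1"; a="$2"; b="$3"
    run brctl addbr "$br"
    run brctl addif "$br" "$a"
    run brctl addif "$br" "$b"
    # Members need no IP address, but must be up and promiscuous so that
    # frames not addressed to this host reach the bridge.
    run ip link set "$a" up promisc on
    run ip link set "$b" up promisc on
    run ip link set "$br" up
    # If br_netfilter is loaded, bridged frames pass through the iptables
    # FORWARD chain and a default DROP policy silently blackholes the router.
    run sysctl -q -w net.bridge.bridge-nf-call-iptables=0 || true
}

bridge_down() {
    br="$1"; a="$2"; b="$3"
    run ip link set "$br" down
    run brctl delif "$br" "$a"
    run brctl delif "$br" "$b"
    run brctl delbr "$br"
}

# -s0 keeps whole packets, -n skips DNS lookups, -w writes a pcap for Wireshark.
capture() {
    run tcpdump -s0 -n -i "$1" -w "$2"
}

main() {
    bridge_up br0 eth0 eth1
    trap 'bridge_down br0 eth0 eth1' EXIT INT TERM
    capture br0 upgrade.pcap
}

# Only run main when asked, so the functions can be sourced or dry-run.
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

Stop the capture with Ctrl-C; the trap tears the bridge down again so the two NICs return to their previous state.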

Solution 2

First you'd set your CentOS box up as a router, which basically involves enabling packet forwarding (usually a machine is the destination), if you want to let traffic pass through.

The simple part of that is changing /etc/sysctl.conf: change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.

Then you'd set eth0 in one network, eth1 in the other, and add a route between the networks.

Configuring other things like firewalls or selinux is up to you.

I'd use tcpdump -s0 -n host < router IP > -w upgrade.pcap -i any
Though some of that might be redundant, for example, if you're listening for traffic going to and from the router IP, you shouldn't need to specify much in the way of interfaces, I believe.


Author: Sandra

Updated on September 18, 2022

Comments

  • Sandra (over 1 year)

    Today I got an enterprise Internet connection together with a Sagemcom router. The first time it is connected to the Internet, it will spend 20 minutes upgrading the firmware.

    I would really like to capture all the traffic for this upgrade using a CentOS host with two NICs, with the purpose of figuring out how upgrades are authenticated. E.g. with a secret user account and passphrase?

    If I want to put the CentOS host between the Internet connection and the router:

    Question

    • How do I configure CentOS, so all traffic going in at eth0 goes out at eth1?
    • Is tcpdump -s0 -A -w upgrade.pcap -nni eth0 correct, if I want to use Wireshark later on to inspect the packages?
  • Sandra (about 11 years)
    Shall I give eth0 and eth1 static IP addresses e.g. 192.168.1.100 and 192.168.1.101?
  • Aaron Bush (about 11 years)
    You may also want to take a look at tcpreplay (tcpreplay.synfin.net/wiki/manual) for some fun with replaying that captured traffic.