  1. In the below setup, Raspi 2 (3B) needs to get a copy of the TAP traffic from Raspi 1, for both eth0 and eth1, preferably without an additional switch.

    I have another spare usb-to-ethernet adapter. Do I bridge both interfaces? IP-forward traffic? Use software to mirror traffic? If anyone could provide a detailed explanation, that would be very much appreciated.

    The rationale for such a setup is to test and compare some software.

  2. A second question would be, if there is a more efficient way to have a raspi cluster share that TAP network feed with different tools on both raspis, I would love to hear that as well!

[image: setup]

I am currently trying:

iptables -t mangle -A PREROUTING -i eth0 -j TEE -gw <raspi2>

But either "multiple -j flags not allowed" is thrown, or "gateway is an unknown option" is.

George
  • I do not understand your setup. I know what tap interfaces are, but what do you mean by TAP network? Do you use a RasPi cluster? Why use two additional direct connections to RasPi 1? Why not just use the router to connect to RasPi1 and RasPi2? – Ingo Apr 19 '20 at 19:07
  • The TAP network feed captures all traffic between the router and modem - that means all network traffic. I am not using a Raspi cluster, yet. Two direct connections for the 2 directions of the TAP traffic - ingress and egress. Hope that clarifies. Raspi 1 is sniffing 100% of network traffic for both directions, and I need that copy of the feed to be shared/sent over to Raspi 2. Both Raspis are already connected to the Router via WLAN. – George Apr 20 '20 at 13:58
  • Why not also connect RasPi2 directly to 'Network TAP' like RasPi1? – Ingo Apr 20 '20 at 19:06
  • There are only 4 ports on the TAP and they are fully used, and I am trying to find a solution without more hardware like a switch. Also, I'm not sure if the traffic can be duplicated to be sent to two Pis. – George Apr 23 '20 at 10:28

1 Answer


Abstract

OK, the idea is to use a hub. But what is a hub? In the good old networking days they were used to distribute network traffic. Incoming traffic was sent through all its connected ports - of course, with very bad performance when only addressing one device with unicast. That was the reason why switches were made. They remember the mac addresses behind their ports (what devices are connected to the port) and switch incoming traffic only to the port with the destination mac address of the ethernet packet. But on RasPi2 we want to see all traffic, not only what is addressed to itself.

Usually the Linux bridge works as a switch by default. But fortunately we can configure it to behave like a hub. There is a timeout, AgeingTimeSec, for how long the switch shall remember the mac addresses before renewing them. If it is set to 0, the bridge doesn't know what port to use and must send packets through all its ports.

Setup

First attach the spare USB/wired ethernet dongle to RasPi1 so you have interfaces eth0, eth1, eth2 (the dongle) and wlan0 on it. On RasPi2 you just have its built-in interfaces eth0 and wlan0. Connect the two RasPis with an ethernet cable. To configure the network I will use systemd-networkd because it has all things available and simplifies setup a lot. We can just configure it and don't need additional helpers.

I started with a freshly flashed Raspbian Buster Lite. Then follow Use systemd-networkd for general networking for RasPi1 and RasPi2, but execute only the section ♦ Quick Step and come back here.

Setup WiFi on both RasPis with these 2 files and your settings for country, ssid and psk:

rpi ~$ sudo -Es   # if not already set
rpi ~# cat > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf <<EOF
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=DE

network={
    ssid="TestNet"
    psk="verySecretPassword"
    key_mgmt=WPA-PSK
    proto=RSN WPA
}
EOF

rpi ~# systemctl disable wpa_supplicant.service
rpi ~# systemctl enable wpa_supplicant@wlan0.service
rpi ~# chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
rpi ~# sudo rfkill unblock 0


rpi ~# cat > /etc/systemd/network/08-wifi.network <<EOF
[Match]
Name=wl*

[Network]
LLMNR=no
# Option using a DHCP server
DHCP=yes

# Option using link-local ip addresses
#LinkLocalAddressing=yes
#MulticastDNS=yes

# Option use static ip address (use your settings)
#Address=192.168.50.61/24
#Gateway=192.168.50.1
#DNS=84.200.69.80 1.1.1.1
EOF

To configure the ethernet interfaces on RasPi1 create these 4 files and reboot:

rpi1 ~$ sudo -Es
rpi1 ~# cat > /etc/systemd/network/02-br0.netdev <<EOF
[NetDev]
Name=br0
Kind=bridge
[Bridge]
AgeingTimeSec=0
STP=false
EOF

rpi1 ~# cat > /etc/systemd/network/04-br0_add-eth.network <<EOF
[Match]
Name=eth*
[Network]
LLMNR=no
Bridge=br0
EOF

rpi1 ~# cat > /etc/systemd/network/12-br0_up.network <<EOF
[Match]
Name=br0
[Network]
LLMNR=no
EOF

To configure the ethernet interface on RasPi2 create this file and reboot:

rpi2 ~$ sudo -Es
rpi2 ~# cat > /etc/systemd/network/04-eth.network <<EOF
[Match]
Name=e*
[Network]
LLMNR=no
EOF

Please note that there are no ip addresses on the wired interfaces. After the reboots you should be able to watch all traffic on the broadcast domain (merged interfaces) from all interfaces, e.g. with tcpdump:

rpi1 ~$ sudo tcpdump -n -i br0
rpi2 ~$ sudo tcpdump -n -i eth0

Troubleshooting

Show details of the bridge's interfaces:

rpi1 ~$ bridge -d link

Show details of the bridge:

rpi1 ~$ ip -d link show br0
rpi1 ~$ ip -d link show br0 | grep -Po 'ageing_time .*? '
ageing_time 0

# or better
rpi1 ~$ find /sys/class/net/br0/bridge/ -type f -readable -printf '%f = ' -exec cat {} \; | sort

All incoming packets are sent to all other ports. So, for example, packets from eth0 will also be (re)sent through eth1 back to the Network TAP. If this confuses the device you can use ebtables to filter the traffic on the bridge, similar to using iptables.

Ingo
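As an added example (editor's code, not part of Ingo's answer): a small POSIX shell script that checks from sysfs whether br0 really is in hub mode (the AgeingTimeSec=0 / STP=false setting explained in the Abstract), lists the bridge's ports, and prints the ebtables rules that stop frames from being flooded back into the Network TAP as mentioned at the end of the answer. It assumes the interface names used in the answer (br0; eth0 and eth1 to the TAP; eth2 to RasPi2); the function names are the editor's own and ebtables is assumed to be installed on RasPi1.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumed names (as in the
# answer's setup): bridge br0, TAP ports eth0 and eth1, RasPi2 link eth2.
# The function names are the editor's own.

# Report whether the bridge really floods like a hub. It reads the same
# sysfs files the answer's `find` one-liner prints; the directory is a
# parameter so the check can also run against a constructed copy.
hub_mode_status() {
    dir="${1:-/sys/class/net/br0/bridge}"
    ageing=$(cat "$dir/ageing_time" 2>/dev/null || echo missing)
    stp=$(cat "$dir/stp_state" 2>/dev/null || echo missing)
    if [ "$ageing" = "0" ] && [ "$stp" = "0" ]; then
        echo "hub"   # no FDB ageing and no STP: every frame leaves on all other ports
    else
        echo "switch ageing_time=$ageing stp_state=$stp"
    fi
}

# List the ports enslaved to the bridge (should be eth0 eth1 eth2 on RasPi1).
bridge_ports() {
    dir="${1:-/sys/class/net/br0/brif}"
    ls "$dir" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}

# ebtables rules that keep the mirror passive: frames from one TAP port are
# never flooded back out of the other TAP port, and nothing RasPi2 sends on
# the monitor link is forwarded into the TAP. The rules are printed rather
# than executed so they can be reviewed first; pipe them into `sh` as root.
tap_isolation_rules() {
    tap_a="${1:-eth0}"; tap_b="${2:-eth1}"; mon="${3:-eth2}"
    cat <<EOF
ebtables -A FORWARD -i $tap_a -o $tap_b -j DROP
ebtables -A FORWARD -i $tap_b -o $tap_a -j DROP
ebtables -A FORWARD -i $mon -j DROP
EOF
}

# Usage on RasPi1 (as root):
#   hub_mode_status
#   bridge_ports
#   tap_isolation_rules | sh
```

The bridge itself (br0, where RasPi1 runs tcpdump) still receives every frame; the ebtables FORWARD chain only affects frames the bridge would forward between its ports, so the filter does not reduce what either RasPi can capture.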
  • Thanks - I'm trying this out now. Are the instructions for "rpi1 ~# cat > /etc/systemd/network/12-br0_up.network <<EOF" complete? It wasn't closed. – George Apr 25 '20 at 17:07
  • @George It's delimited now. – Ingo Apr 25 '20 at 17:13
  • Thanks @Ingo. I've done the steps and rebooted both Raspis. Currently on Raspi1, and when I do bridge -d link, nothing shows up, and when I do tcpdump on br0, it says "br0: no such device exists". In ifconfig, I don't see br0 or bridge either. Any ideas? – George Apr 25 '20 at 17:22
  • @George Just a moment please. I will repeat the setup from the instructions above. I have started from a freshly flashed Raspbian Buster Lite. – Ingo Apr 25 '20 at 17:26
  • My bad, I missed the steps for quick steps. But as I'm going through it I see a ton of config files purged, i.e. my snort, rsyslog config. Is that intended? – George Apr 25 '20 at 17:34
  • Hmm, I'm done with all the steps now, but ifconfig is now only showing me wlan0 and lo. No internet connectivity either. It's a problem because I was running my DNS server on it with a bunch of other sniffing tools. Any way of reverting the configs? – George Apr 25 '20 at 17:59
  • @George It wasn't said that there are other sophisticated setups on RasPi1. I hope you have made a backup before doing large-scale changes. You can try to disable systemd-networkd and systemd-resolved and reinstall what you have uninstalled. – Ingo Apr 25 '20 at 18:08