
I'm setting up a Raspberry Pi as an Access Point (Wi-Fi) and I'd like to use it to monitor a switch's traffic.

I set up a mirror port on a Cisco Catalyst switch and configured my Raspberry Pi to work as an Access Point (with hostapd).

I configured a bridge between my eth0 and my wlan0 interfaces with brctl.

My problem is that the mirrored traffic isn't transmitted through Wi-Fi.

What I've already verified:

  • Directly connected to the switch (via Ethernet cable) I see all the mirrored traffic
  • The Access Point works well (I can communicate with all clients connected to the switch)
  • The IP forwarding is enabled on the Raspi (I've verified it via sysctl)
  • I tried modifying the aging time on my bridge to 0 (brctl setageing) but it doesn't change anything.

For information, I have a Raspberry Pi 3 Model B and have installed Raspbian with kernel version 4.9.54-v7+.

To sum up, my purpose is to use a laptop connected via Wi-Fi to analyze packets going on a specified switch (and if possible to have multiple clients connected through Wi-Fi).

I think that it could also be a limitation of the Wi-Fi.

Thanks in advance.

C. Normand
  • I think you have a basic misunderstanding. You mirror frames, not packets, so you bridge, not route, them. You must have the interface set to promiscuous, otherwise it ignores any frames that are not destined to it. Also, bridges learn which MAC addresses are on which interfaces, and they do not send the frames to interfaces that do not have the MAC address connected to the interface. That is why Cisco has RSPAN to be used when you must cross bridges. I doubt the Raspberry supports RSPAN. – Ron Maupin Oct 12 '17 at 14:32
  • Thanks for your response. So, do you think there is any way to still use the Raspberry to "resend" the frames? Or maybe to make it act as a hub? I couldn't find much information about that. – C. Normand Oct 13 '17 at 05:57
  • You are going to need an application to package the frames and send them to your laptop, where you will need to unpack them for study. Also, you may find that even if your switch interface is fast enough to mirror all the traffic sent to it, your Wi-Fi is probably not nearly as fast as your wired network, and you will lose a lot of frames. If your goal is to capture all the frames, then I don't think this is going to work. – Ron Maupin Oct 13 '17 at 13:48

1 Answer

This isn't going to work for several reasons:

  • As Ron Maupin said in the comments on the question, the frames that come out of the span port don't "work" the same way as "regular" frames, because they're already Ethernet frames destined for another MAC address. Bridging them is unlikely to work very well at all.

  • 802.11, despite sometimes being called "Wireless Ethernet", is, in fact, nothing like wired Ethernet. It works very differently "under the hood" to 802.3 Ethernet, and for anything other than the most basic "send packet" / "receive packet" operations, it probably won't work. For example, you can't actually put an 802.11 adapter into a bridge in the same way as you would an 802.3 Ethernet NIC; you've got to do something unpleasantly akin to NAT on the MAC address.

I have a sneaking suspicion I know what you're trying to do -- you want to be able to plug an rPi into one of several span ports on different switches and sniff the traffic off each one from the comfort of somewhere that isn't a freezing cold DC. Unfortunately, you're probably just going to have to fire up Wireshark on the rPi directly and do your business from there.

womble
  • Note that it is possible to have the Wireshark capture and the Wireshark GUI on different machines. https://www.howtoforge.com/wireshark-remote-capturing – Peter Green Oct 19 '17 at 15:27
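
The "package the frames, send them to the laptop, unpack them" approach from the comments on the question, sketched as an added example (not code from any poster on this page). The UDP header layout, the function names and the `Receiver` class are assumptions of this example; the sequence number lets the laptop count how many mirrored frames were dropped on the Wi-Fi hop.

```python
import socket, struct, time

# Hypothetical wire format (an assumption of this example): sequence number,
# capture time (sec, usec), frame length, then the raw Ethernet frame.
HEADER = struct.Struct("!IIIH")
# Classic pcap file header, link type 1 (Ethernet), so Wireshark can open the result.
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def encapsulate(seq, sec, usec, frame):
    """Pi side: wrap one mirrored frame as a UDP payload."""
    return HEADER.pack(seq & 0xFFFFFFFF, sec, usec, len(frame)) + frame

def decapsulate(payload):
    """Laptop side: return (seq, sec, usec, frame); reject truncated payloads."""
    if len(payload) < HEADER.size:
        raise ValueError("short header")
    seq, sec, usec, length = HEADER.unpack_from(payload)
    frame = payload[HEADER.size:HEADER.size + length]
    if len(frame) != length:
        raise ValueError("truncated frame")
    return seq, sec, usec, frame

class Receiver:
    """Builds a pcap byte stream and counts frames lost on the Wi-Fi hop."""
    def __init__(self):
        self.expected, self.lost = None, 0
        self.pcap = bytearray(PCAP_HEADER)

    def feed(self, payload):
        seq, sec, usec, frame = decapsulate(payload)
        if self.expected is None or seq >= self.expected:
            if self.expected is not None:
                self.lost += seq - self.expected  # gap = datagrams never seen
            self.expected = seq + 1
        # Late or duplicate datagrams are still recorded; the loss counter is not adjusted.
        self.pcap += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def forward(iface, dest):
    """Pi side loop (Linux, root): read frames from the wired port, send over UDP.
    Full-size frames plus this header exceed a 1500-byte MTU and get IP-fragmented."""
    cap = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    cap.bind((iface, 0))
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seq = 0
    while True:
        frame = cap.recv(65535)
        now = time.time()
        out.sendto(encapsulate(seq, int(now), int(now % 1 * 1e6), frame), dest)
        seq += 1
```

On the laptop, each received datagram goes to `Receiver.feed()`; writing `Receiver.pcap` to a file gives a capture Wireshark can open, and `Receiver.lost` shows how far the wireless link fell behind the mirror port.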