Can switch be connected to the router WAN port?

[dieter]

I would like to capture (using Wireshark) any and all traffic (incl. WiFi) of my LAN devices using port mirroring.

Is this doable by connecting a managed switch to the router WAN port and hooking up a computer to one of the other ports of the switch?

Dieter

 

[ColinTaylor]

You could do that provided your managed switch has the capability to do port mirroring.

Bear in mind that all the traffic to or from the router will have the router's WAN IP address. i.e. you will not see LAN IP addresses.

 

[dieter]

What about MAC addresses? Would I be able to trigger on MAC addresses of traffic coming from/going to devices on the LAN?

 

[ColinTaylor]

No. MAC addresses don't go outside their local subnet.

 

[dieter]

Thanks much for you help, Colin. So maybe an additional router is in order...

 

[ColinTaylor]

If you're only interested in WAN to LAN traffic (and vice versa), rather than LAN to LAN you could use netfilter's TEE command on the router.

http://ipset.netfilter.org/iptables-extensions.man.html#lbDU

For example:

modprobe xt_TEE
iptables -t mangle -A PREROUTING  -s 192.168.1.10 -j TEE --gateway 192.168.1.238
iptables -t mangle -A POSTROUTING -d 192.168.1.10 -j TEE --gateway 192.168.1.238

This will send cloned packets of 192.168.1.10 traffic to 192.168.1.238.

 

[System Error Message]

Also depending on your WAN, your router will need to be fast enough and link speed too. If you are just receiving, you will need 2x the bandwidth in 1 direction (sending+ receiving) otherwise you can just apply filters (switches/routers some can use filters for this).

Its 1 reason i love my CCR with 36 cores i have plenty of CPU to even run sniffing and filters on the CCR itself, and even do bandwidth testing from the CCR.