Menu
What's new
By:
Filters Better Search

Mirroring Data to a single IP on router

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I

IvanaSmith

New Around Here
Hello Members at Small Net Builder.

I would like to say thanks to this website and its members as it has helped me a lot so far before I even became a member, so thanks a lot :)


No to get back on target with this thread, i am making this because i have recently bought a router "Asus RT-AC66U" and i want to know if its possible to mirror all traffic going in and out the router, and mirror it to a specific IP address where a computer running Wireshark will be waiting to capture the data.

Please help me with this as I have looked everywhere and I cant see anything about it.

Thanks a lot

- Ivana
 
I am not aware of a way to do this with that router (or DD-WRT).

However, you could, if you wanted to, sit a semi-managed/managed switch between your router and the WAN, and then mirror the port traffic from the router's switch port to a computer with two NICs.

One NIC is simply the "listening port" and the other NIC sits internal to the network, gets an IP address, etc, etc.

Switches don't care about IPs, so you could set whatever static IP you wanted to on that computer's snooping port.

Not positive that would work, but it should.

Probably better ways of doing this, but I don't know if there is with that router and any possible firmware out there.
 
IvanaSmith said:
Hello Members at Small Net Builder.

I would like to say thanks to this website and its members as it has helped me a lot so far before I even became a member, so thanks a lot :)


No to get back on target with this thread, i am making this because i have recently bought a router "Asus RT-AC66U" and i want to know if its possible to mirror all traffic going in and out the router, and mirror it to a specific IP address where a computer running Wireshark will be waiting to capture the data.

Please help me with this as I have looked everywhere and I cant see anything about it.

Thanks a lot

- Ivana
Click to expand...

You can do that with a lightly managed ethernet switch like a Netgear GS108. It's called port mirroring.
 
Setup port mirroring on the switch to mirror the switch port that goes to the router (or the port that goes to the modem, either one), to a port that is then connected to the machine you are running wireshark on.

If that machine has a single ethernet port, it is not going to be able to get to the internet (unless your ISP supplies 2 or more IP addresses to you, as your router will be using the IP your ISP supplies you). Setup that port with a static "local" IP address like 10.0.0.1.

If you have 2 or more ethernet ports (or add a NIC to gain another port), you do the above for the port you are wiresharking, and then setup the second port connected to a router LAN port (or some other switch port BEHIND the router). Leave that one to get it's IP address dynamically, that can then get you out to the internet. You may need to set a routing rule in your OS to weight the ethernet port connected to your LAN/behind your router highly and the other port low, so that all internet traffic only passes through the internal network ethernet port, and doesn't try to go out through the externally connected ethernet port.

*edit* as another thought, you might be able to setup the switch that the router and modem are connected to, to mirror the router traffic to the PC connected to the switch running wireshark, and then setup a MAC based ACL (access control list) rule to deny the PC access. I THINK that the PC would still get all of the mirrored packets, but wouldn't actually be able to send anything over that port, so you might not have to muck with any kind of setup of that ethernet port at all or routing rules (other than the minimum needed for wireshark to work). Dunno, never tried anything like port mirroring + ACLs.
 
Last edited:
IvanaSmith said:
So I would buy this and put it inbetween my router and the modem, then what would i do after that?
Click to expand...

Adding to what is said above
Simple.
Take a lightly managed switch. Use its admin interface (browser or Java app).
If the IP traffic of interest is on switch port 1
Setup switch to mirror port 1 to port 2.
Connect a PC to port 2.
On that PC, run WireShark or other logging software.

There are many small 8 port lightly managed switches on the market
http://www.neweggbusiness.com/Produ...B-33-122-381&gclid=CLKP7fWgicECFRVufgodXlcABA

I found one of the above on eBay for $50. Used but like-new. Not the best admin software, but it suits my need and wallet.
 
Oh in addition you could also do the port mirroring internally where the switch is between the router and internal traffic and then mirror the port that goes to the router to another port on the switch and wireshark it.

Downside is, if it is a Wifi-router, you wouldn't see that WLAN to WAN and WAN to WLAN traffic at all and you wouldn't see any possible "spurious" traffic that doesn't make it inside your network past the router.
 
You must log in or register to reply here.

Similar threads

J
Newbie NOK 5G21 Troubleshooting. Router Suggestion$?
Replies
2
Views
317
sfx2000
sfx2000
P
Asus XT12 Pro reboots when long data transfers
2
Replies
22
Views
2K
OzarkEdge
OzarkEdge
D
Capturing inbound/outbound traffic that was (somewhat) split through two interfaces with tcpdump
Replies
5
Views
429
drmnsamoliu
D
C
Need some help with a DHCP problem
Replies
9
Views
362
ComputerSteve
C
R
Port mirroring makes router freeze
Replies
0
Views
737
raca
R

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 687 (members: 12, guests: 675)
Top