Setting Up Router Traffic Mirroring to Wireshark
Last month we published a blog post about setting up specific network conditions for software testing. In that blog post we shared our knowledge on how to set up specific network conditions using built-in tools in your web browsers or operating systems and explained a more sophisticated solution based on a router. Today we want to advance this topic further with useful information on traffic mirroring to Wireshark. This technique is useful for testing how applications communicate with each other or with remote devices without interfering with the device itself.
When it is necessary to monitor mobile device traffic and capture network traces with Wireshark, the iptables-mod-tee package allows a network router to mirror all traffic from a specific client (for example, a mobile device) to another host. This example will show you how to capture mobile device traffic on a host computer with Wireshark.
Router setup
First we need to configure our router running OpenWrt firmware. We are using TP-Link AC1750 (Archer C7) with 14.07 Barrier Breaker, but you can use another compatible router (see full list here).
- SSH to the router and update the list of available packages. Add SSH public key for passwordless authentication:
opkg update
- Install iptables-mod-tee package:
opkg install iptables-mod-tee
- Check if package installed successfully:
opkg list-installed | grep "mod-tee"
A quick word of caution: iptables-mod-tee is a kernel module and it should be loaded before we try to use it.
Let’s load it by running modprobe xt_TEE. If it doesn’t work, just restart the router.
In this case we have a test device connected to a router with network access. First we need to connect another machine (the monitoring workstation) with monitoring software (Wireshark) to the same network and set up the router for traffic mirroring. As soon as the test device starts using the network, the router will forward all upstream and downstream test device packets to the monitoring workstation.
Set traffic rules
Port mirroring is used on a network switch to send a copy of network packets seen on the mobile device to a network monitoring connection port. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion detection system or a passive probe. It is also used in software development and debugging of communication that requires capturing the network traffic.
The port mirroring feature:
- Allows you to monitor network traffic with an external network analyzer.
- Forwards a copy of each incoming and outgoing packet to a specific port.
- Is used as a diagnostic tool, debugging feature, or means of fending off attacks.
- Assigns a specific port to copy all packets to.
- Allows inbound or outbound packets to switch to their destination and to be copied to the mirrored port.
We will be doing port mirroring with iptables. It contains five tables:
- NAT table – used for network address translation (e.g. port forwarding);
- RAW table – used only for configuring packets so that they are exempt from connection tracking;
- FILTER table – is the default table, and is where all the actions typically associated with a firewall take place;
- SECURITY table – used for Mandatory Access Control networking rules;
- MANGLE table – used for specialized packet alterations (e.g. cloning).
We need to alter the MANGLE table because it permits modification of packets going through our router. To be more specific, we will be cloning packets.
Set traffic mirror rules to capture all traffic of TEST_DEVICE_IP_ADDRESS to MONITORING_WORKSTATION_IP_ADDRESS. Add iptables rules to mirror upstream and downstream traffic:
iptables -A PREROUTING -t mangle -i br-lan ! -d <TEST_DEVICE_IP_ADDRESS> -j TEE --gateway <MONITORING_WORKSTATION_IP_ADDRESS>
iptables -A POSTROUTING -t mangle -o br-lan ! -s <TEST_DEVICE_IP_ADDRESS> -j TEE --gateway <MONITORING_WORKSTATION_IP_ADDRESS>
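The two rules above as a small POSIX shell helper for the router, with address validation, a duplicate check before adding, and removal once the capture is done. This is an added example, not part of the original post; the function names and the monitoring address 192.168.1.50 are assumptions, and 192.168.1.104 is the test device address used in the tcpdump command further down.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses are constructed samples.
LAN_IF="${LAN_IF:-br-lan}"   # LAN bridge named in the rules above

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the page's two rules for an action: -A (add), -C (check), -D (delete).
# The negated match also clones other LAN clients' packets; filter by host
# when capturing.
mirror_rules() {
    action=$1; dev=$2; mon=$3
    case "$action" in
        -A|-C|-D) ;;
        *) echo "bad action: $action" >&2; return 2 ;;
    esac
    valid_ipv4 "$dev" && valid_ipv4 "$mon" || { echo "bad address" >&2; return 2; }
    [ "$dev" != "$mon" ] || { echo "device and monitor must differ" >&2; return 2; }
    echo "iptables -t mangle $action PREROUTING -i $LAN_IF ! -d $dev -j TEE --gateway $mon"
    echo "iptables -t mangle $action POSTROUTING -o $LAN_IF ! -s $dev -j TEE --gateway $mon"
}

# Add each rule only if an identical one is not already present (safe to re-run).
mirror_on() {
    rules=$(mirror_rules -A "$1" "$2") || return
    printf '%s\n' "$rules" | while read -r add; do
        check=$(printf '%s\n' "$add" | sed 's/ -A / -C /')
        $check 2>/dev/null || $add || exit 1
    done
}

# Delete the rules so mirroring does not outlive the test session.
mirror_off() {
    rules=$(mirror_rules -D "$1" "$2") || return
    printf '%s\n' "$rules" | while read -r del; do $del; done
}

# Dry run: print the rules without touching the firewall.
mirror_rules -A 192.168.1.104 192.168.1.50
```

On the router, call mirror_on with the two addresses before the test and mirror_off with the same addresses afterwards; iptables -t mangle -S lists what is currently installed.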
Capturing network traffic
Once everything is configured on the router side, we can move on and start capturing network traffic. There are several ways of getting network traffic for analysis. The Link conditioning firmware package allows using Cloudshark to upload and access network traces for later analysis. Here we will look at getting network traces for analysis on our monitoring workstation. The network trace can be stored in a file (.pcap) for later analysis. There are two easy ways of capturing packets:
- Use tcpdump or Wireshark in a terminal to capture and store network traces.
Capture and store packets on Mac, Windows or Linux with the following options (Wireshark or other packet capturing tools can be used here as well):
-i selects the capture interface
-G sets the capture duration in seconds; combined with -W 1, tcpdump exits when that interval ends
-w writes the packets to a file
host filters on the IP address of interest
not icmp filters out ping requests
sudo tcpdump -i en4 -G 15 -W 1 -w Desktop/New.pcap 'not icmp and host 192.168.1.104'
- Open the Wireshark GUI and select the network interface to listen on. Next, set a display filter.
This example filters all traffic for the IP address of the test device: ip.addr==<TEST_DEVICE_IP_ADDRESS>
We can get statistics of captured packets under Statistics > Capture File Properties in Wireshark. Here it is possible to get specific network statistics (network consumption and other) for the filtered traffic.
Conclusions
Linux iptables is a great tool for managing the network and the Linux firewall, and is therefore also applicable for various network management purposes on network routers and mobile devices. This tutorial has only scratched the surface of iptables usage.
The described setup is a fast way of getting network traffic information for any connected network device. Wireshark allows in-depth analysis of the captured traffic and network consumption. It can be used to precisely measure the traffic sent and received between the test device and any service, as well as the network bandwidth consumed by the device during the test.
This approach also allows debugging of decrypted traffic. Nowadays most traffic should be encrypted to prevent sniffing of packets and other sensitive data. There are several ways of decrypting TLS/SSL traffic in Wireshark for debugging purposes (for browsers: Mozilla Firefox). Most mobile traffic monitoring solutions require installing trust certificates to allow monitoring of encrypted traffic.