Created April 28, 2018 15:02
Mirror a set of interfaces to a sniffer interface, ignoring 802.1Q tag information.
```sh
#!/bin/sh

# usage: sniff.sh <interface> [<interface>...]

# create a dummy to mirror all traffic to
ip link add dev sniffer type dummy
ip link set dev sniffer up

# intermediate dummy, needed because AF_PACKET sockets get the packet
# as seen before any tc actions have been applied to it.
ip link add dev untag type dummy
ip link set dev untag up

# for all tagged packets ingressing on `untag`, pop the VLAN tag and
# redirect to `sniffer`.
tc qdisc add dev untag ingress
tc filter add dev untag parent ffff: prio 1 protocol 802.1Q matchall action vlan pop continue
tc filter add dev untag parent ffff: prio 2 protocol all matchall action mirred ingress redirect dev sniffer

# for each interface we want to listen on, send a copy to `untag`.
while [ $# -gt 0 ]; do
    tc qdisc add dev "$1" ingress
    tc filter add dev "$1" parent ffff: protocol all matchall action mirred ingress mirror dev untag
    shift
done

# tcpdump -i sniffer
```
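Added example (not part of the original gist): a teardown counterpart, since sniff.sh leaves an ingress qdisc with a mirror filter on every listed interface and two dummy links that keep receiving copies of all traffic. It prints the commands by default and executes them only when `APPLY=1` is set; `run`, `teardown` and `APPLY` are names invented for this example.

```sh
#!/bin/sh
# usage: unsniff.sh <interface> [<interface>...]
# Dry run by default; APPLY=1 unsniff.sh eth0 eth1 executes (needs root).

# run CMD...: print the command; execute it only when APPLY=1.
# Failures are reported but not fatal, so the teardown can be re-run
# after a partial setup or a partial cleanup.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@" 2>/dev/null || echo "  (not present, skipped)" >&2
    fi
}

# teardown IFACE...: stop the mirroring first, then remove the dummies.
# Assumption: the ingress qdisc on each interface was created by sniff.sh.
# Deleting an ingress qdisc removes every filter attached to it, so do not
# use this on an interface that carries other ingress filters.
teardown() {
    for ifc in "$@"; do
        run tc qdisc del dev "$ifc" ingress
    done
    run tc qdisc del dev untag ingress
    run ip link del dev untag
    run ip link del dev sniffer
}

# Act only when interfaces are named on the command line.
if [ $# -gt 0 ]; then
    teardown "$@"
fi
```

Pass the same interface list that was given to sniff.sh, and check the result with `tc qdisc show` and `ip link show` afterwards.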