@wkz
Created April 28, 2018 15:02
Mirror a set of interfaces to a sniffer interface, ignoring 802.1Q tag information.
#!/bin/sh
# usage: sniff.sh <interface> [<interface>...]
# create a dummy to mirror all traffic to
ip link add dev sniffer type dummy
ip link set dev sniffer up
# intermediate dummy, needed because AF_PACKET sockets get the packet
# as seen before any tc actions have been applied to it.
ip link add dev untag type dummy
ip link set dev untag up
# for all tagged packets ingressing on `untag`, pop the VLAN tag and
# redirect to `sniffer`.
tc qdisc add dev untag ingress
tc filter add dev untag parent ffff: prio 1 protocol 802.1Q matchall action vlan pop continue
tc filter add dev untag parent ffff: prio 2 protocol all matchall action mirred ingress redirect dev sniffer
# for each interface we want to listen on, send a copy to `untag`.
while [ $# -gt 0 ]; do
    tc qdisc add dev "$1" ingress
    tc filter add dev "$1" parent ffff: protocol all matchall action mirred ingress mirror dev untag
    shift
done
# tcpdump -i sniffer
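
A teardown for the setup above, as an added example that is not part of the original gist: it prints the commands that remove the mirror from each interface and delete both dummy devices, and runs them only when `SNIFF_APPLY=1` is set. The names `teardown_cmds`, `teardown` and `SNIFF_APPLY`, and the restriction on interface-name characters, are assumptions of this example.

```shell
#!/bin/sh
# Added example: undo what sniff.sh set up. Dry-run by default.
# usage: teardown.sh <interface> [<interface>...]   (same list as sniff.sh)
# teardown_cmds, teardown and SNIFF_APPLY are names made up for this example.

# Print the teardown commands, one per line.
# Returns 1 without printing anything if an interface name looks unsafe.
teardown_cmds() {
    for ifc in "$@"; do
        case "$ifc" in
            ''|-*|*[!A-Za-z0-9._-]*)
                # Example policy: reject empty names, option-like names and
                # anything outside a conservative character set.
                echo "refusing interface name: $ifc" >&2
                return 1 ;;
        esac
    done
    for ifc in "$@"; do
        # Deleting the ingress qdisc drops every filter attached to it,
        # including any that existed before sniff.sh ran.
        echo "tc qdisc del dev $ifc ingress"
    done
    # Deleting a dummy device also removes its qdisc and filters.
    echo "ip link del dev untag"
    echo "ip link del dev sniffer"
}

# Show the commands, or run them when SNIFF_APPLY=1 (needs root).
teardown() {
    cmds=$(teardown_cmds "$@") || return 1
    if [ "${SNIFF_APPLY:-0}" = 1 ]; then
        echo "$cmds" | while read -r line; do
            # Keep going on failure so one missing qdisc does not leave
            # the remaining mirrors in place.
            $line || echo "failed: $line" >&2
        done
    else
        echo "$cmds"
    fi
}

if [ $# -gt 0 ]; then
    teardown "$@"
fi
```

Review the dry-run output before applying it on a host that already uses ingress filters, since the qdisc deletion is not limited to the mirror rule.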