Hi, this post explains traffic mirroring on the TP-Link TL-WR841N router.
Prerequisites:
- The router is flashed with OpenWrt chaos_calmer 15.05.1. I explain that process, which is a re-flash, in my previous post (post no. 4 Security –> Ethical hacking). For a WR841N v11 router with low memory space, this would be a good choice. I had out-of-memory issues after installing the barrier_breaker v11 and LEDE 17.01.2.
For traffic mirroring, we need to add some iptables rules to the router. Therefore, first install the following.
root@mykali:~# ssh root@192.168.1.150
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install iptables-mod-tee
root@OpenWrt:~# modprobe xt_TEE
Next, add the iptables rules as follows. I will use a PC for monitoring, while a mobile app connected to the same network accesses a Facebook account. Once the rules are added, I can sniff the traffic between the mobile and Facebook using Wireshark on the sniffing machine.
Note*: Use the command “ifconfig” to find the IP address of the PC.
root@OpenWrt:~# iptables -A PREROUTING -t mangle -i br-lan ! -d <MOBILE_DEVICE_IP_ADDRESS> -j TEE --gateway <PC_IP_ADDRESS>
root@OpenWrt:~# iptables -A POSTROUTING -t mangle -o br-lan ! -s <MOBILE_DEVICE_IP_ADDRESS> -j TEE --gateway <PC_IP_ADDRESS>
Note*: To delete a rule, execute the same command with -A replaced by -D:
iptables -D ...
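The add and delete steps above can be wrapped in a small script so that re-running it never stacks duplicate mirror rules and the mirror is removed cleanly after the capture. This is an added example, not part of the original post: the names `valid_ip`, `rule_spec`, `mirror`, `IPT` and `LAN_IF` are chosen here, and it assumes the router's iptables build supports the `-C` (check) option.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent add/remove of the
# two TEE mirror rules. IPT and LAN_IF are assumptions that can be overridden.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br-lan}"   # LAN bridge name used in the post

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule specification for one chain, without the -A/-C/-D verb.
rule_spec() {   # $1 = chain, $2 = mobile IP, $3 = monitoring PC IP
    case "$1" in
        PREROUTING)  echo "PREROUTING -t mangle -i $LAN_IF ! -d $2 -j TEE --gateway $3" ;;
        POSTROUTING) echo "POSTROUTING -t mangle -o $LAN_IF ! -s $2 -j TEE --gateway $3" ;;
    esac
}

# mirror add|del MOBILE_IP PC_IP
mirror() {
    action=$1; mobile=$2; pc=$3
    case "$action" in
        add|del) ;;
        *) echo "usage: mirror add|del MOBILE_IP PC_IP" >&2; return 2 ;;
    esac
    valid_ip "$mobile" && valid_ip "$pc" || { echo "invalid IPv4 address" >&2; return 2; }
    for chain in PREROUTING POSTROUTING; do
        spec=$(rule_spec "$chain" "$mobile" "$pc")
        if [ "$action" = add ]; then
            # -C checks for an identical existing rule, so a re-run adds nothing
            $IPT -C $spec 2>/dev/null || $IPT -A $spec
        else
            # loop so duplicates left by earlier manual -A runs are removed too
            while $IPT -C $spec 2>/dev/null; do $IPT -D $spec || break; done
        fi
    done
}

# Run only when arguments are given, e.g.: sh mirror.sh add <MOBILE_IP> <PC_IP>
[ $# -eq 0 ] || mirror "$@"
```

Run it with `del` and the same two addresses once the capture is finished, so the router stops duplicating LAN traffic to the PC.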
The captured traffic can be analyzed using Wireshark.
- Select the ‘eth0’ interface
Apply a display filter in Wireshark:
e.g.: ip.src==192.168.1.193 or ip.dst==192.168.1.193
Cheers !!! 🙂