I want to mirror all traffic (also VPN, WLAN, WAN) from a consumer router (TPLink WR1043ND v.1.x) to a snort sensor located in the same network, but without extra hardware! The mirroring has to be done by the router (running OpenWrt Barrier Breaker).
Mirroring the WAN port of the router would even be supported by the current firmware, but the data of this stream is useless to me, because it does not contain the internal IPs of the devices connected to the router. I want the mirrored traffic from inside the router, with all internal IPs.
So, I quickly thought about
tcpdump -i any. But to my knowledge it is not possible to configure ‘tcpdump’ to stream the mirrored traffic directly to the snort sensor? (without generating and saving enormous pcap-files to the harddrive)?
How do I solve this?
A patch for OpenWrt to enable port mirroring on your hardware is available, though it has received only limited testing. You can, of course, apply and test it yourself.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.