Setting up a linux Bridge / Tap to capture network traffic for troubleshooting or intrusion detection

Capturing traffic can be tricky at times. You have a few things to consider:

  1. placement of the tap/bridge/port span or mirror
  2. throughput in each direction
  3. throughput of the hardware used for capture

For the placement of where you capture traffic, I suggest you follow the guidance on this web page:
https://docs.zeek.org/en/current/monitoring.html#instrumentation-and-collection

You may hit limits if your router has integrated wifi, in which case you may have to get creative, but that is beyond the scope of this blog entry.

The next consideration is the maximum bi-directional throughput of the link you are tapping; that number determines the hardware requirements in the next item.

The third consideration for a network bridge is the hardware path on the host doing the bridging. If the traffic you want to monitor is under 60MBps total, then USB 2.0 ports with Gig Ethernet adapters will likely handle the load. Otherwise you will need a PCI-E network adapter, or USB 3.0 network adapters plugged into USB 3.0 host ports, to have enough bandwidth.

Configuring a bridge on Kali Linux

In this example I have a Kali Linux laptop with two USB ethernet adapters that show up to the OS as eth0 and eth1. IPv6 is also disabled on the interfaces to keep things cleaner, because my ISP does not support IPv6.

The first step is to install the bridge-utils package, along with the monitoring tool nload to simplify watching traffic and iptables-persistent to simplify saving your iptables rules.

sudo apt install -y bridge-utils nload iptables-persistent

As part of the iptables-persistent install you will be asked whether you want to save your current iptables rules. Those rules are saved to the files /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

After the software install, plug in the USB adapters if that is what you are using. Then edit the /etc/network/interfaces file and add the following to disable IPv6, create the interfaces for the USB adapters, and create the bridge:

NETWORKING_IPV6=no
IPV6_AUTOCONF=no

allow-hotplug eth0
iface eth0 inet manual
pre-up ifconfig $IFACE up
pre-down ifconfig $IFACE down

allow-hotplug eth1
iface eth1 inet manual
pre-up ifconfig $IFACE up
pre-down ifconfig $IFACE down

auto br0
iface br0 inet manual
bridge_ports eth0 eth1

Then, to validate that everything is correct, I suggest rebooting. At this point the bridge should have been created, and you can confirm that the bridge and the ethernet adapters are present using the command:

sudo ip address

Next, allow traffic to pass across the bridge using this command:

sudo iptables -A FORWARD -i br0 -o br0 -j ACCEPT

At this point you can monitor the packets being passed using the previously installed nload tool:

sudo nload -m

If you want to save the iptables entry so it loads upon reboot, you can use this command:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

If things are not working properly, then follow the guidance from this web page: http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
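The following script is an added example, not part of the original post: it checks the three things the steps above set up (both adapters enslaved to br0, the FORWARD accept rule present in iptables-save output, and the kernel's dropped-packet counters on each bridge port, which is what you would watch to answer the USB 2.0 choke-point question). The check functions take their input as text or a directory path so they can be run against saved output; the live section at the end assumes the bridge is named br0 and that the script runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the br0 bridge
# described above. Each check takes its input as text or a directory path, so it
# can be exercised against saved output; the block at the end gathers live data
# from ip, iptables-save and /sys/class/net when run as root on the bridge host.

# List the interfaces enslaved to bridge $2, given `ip -o link show master $2` output in $1.
bridge_ports() {
    # Each line looks like "2: eth0: <BROADCAST,...> mtu 1500 ... master br0 state UP ..."
    printf '%s\n' "$1" \
        | awk -v br="$2" '$0 ~ ("master " br "( |$)") { sub(/:$/, "", $2); print $2 }' \
        | sort | xargs
}

# Succeed if the iptables-save output in $1 contains the FORWARD accept rule for bridge $2.
has_forward_rule() {
    # iptables-save renders the rule added above as "-A FORWARD -i br0 -o br0 -j ACCEPT"
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -i $2 -o $2 -j ACCEPT\$"
}

# Total dropped packets (rx + tx) from a kernel statistics directory such as
# /sys/class/net/eth0/statistics; a rising count on a USB adapter is the symptom
# to watch for when the link is busier than the adapter's host port can carry.
iface_drops() {
    read -r rx < "$1/rx_dropped"
    read -r tx < "$1/tx_dropped"
    echo $((rx + tx))
}

# Live checks, only when br0 exists and we have the privileges the commands need.
if [ -d /sys/class/net/br0 ] && [ "$(id -u)" -eq 0 ]; then
    ports=$(bridge_ports "$(ip -o link show master br0)" br0)
    echo "br0 ports: ${ports:-NONE}"
    if has_forward_rule "$(iptables-save)" br0; then
        echo "FORWARD accept rule for br0: present"
    else
        echo "FORWARD accept rule for br0: MISSING"
    fi
    for p in $ports; do
        echo "$p dropped packets so far: $(iface_drops "/sys/class/net/$p/statistics")"
    done
else
    echo "br0 not present or not running as root; live checks skipped"
fi
```

Run it once after the reboot and again while nload shows the link under load; a drop count that keeps climbing on eth0 or eth1 means the host side, not the network, is losing packets.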

These same operations should work with any Linux distribution. Some of the file locations, file contents, and commands may differ, but this should cover 90% of systems.

Unknown #1: How will this behave with MAC address based authentication or with 802.1x port based authentication?
Unknown #2: If using a USB 2.0 interface/adapter and traffic exceeds 60MBps, will flow control bubble down from the hardware choke points to properly slow things, or will there be dropped traffic?

At this point you should be able to use applications like tcpdump or Wireshark to monitor traffic passing through the bridge interface. In addition to those tools, there are some other projects that can make use of a network bridge, such as:

Passer - A Passive Sniffer and Inventory Tool
RITA - Real Intelligence Threat Analytics
ntopng - A web-based network traffic monitoring application
Zeek - An Open Source Network Security Monitoring Tool
Snort - Network Intrusion Detection & Prevention System
Suricata - High performance, open source network analysis and threat detection software

Enjoy your new network visibility!