version 2.9.45
When I say sniff, I mean a calea sniff.
I’m trying to do calea captures from a RB150 to a switchport that is mirroring my outgoing internet traffic.
I have one port that connects to the network for admin/dhcp and one port that goes to the mirrored switchport.
I’ve tried making the port a bridged port and capturing from the forward chain, with no luck. I thought perhaps since the traffic is bridging through, that it would want layer 2 addressing instead.
I set up a mangle in prerouting using the ether2 interface with source/destination the way I want and have it mark the packets. I see the counters going up, so it must be marking my traffic. When I try to do a sniff off of the forward chain, specifying only marked packets, it fails.
I also tried doing a bridge filter with the marked packets and capturing off of everything coming through the interface, but it won’t match the marked packets.
I have basically tried everything I can think of…anyone else have any suggestions?
If the CALEA is occurring in the “bridge”, i.e. ALL traffic is passing through the 150, then check the CALEA section of the bridge (via terminal).
Craig
Yes, Craig is correct about bridged traffic, it should work fine.
Which rule is not working for you (configured at ‘interface bridge calea’) ?
What kind of traffic is not caught (how do you check this)?
I got it working. It seems that since nothing is on the other side of the bridge port, the traffic would never traverse. It would send out a flood every 5 mins, but nothing else. I set the ageing time to 0 on the bridge and bingo, all traffic would traverse the bridge always. This allowed me to sniff from the forward chain properly.
Just to lay it out:
RB150.
port 1 goes to the network and is where admin access is available.
port 2 and 3 are configured to bridge.
a mirrored port from my switch goes to port 2. traffic that traverses this goes nowhere, this is only for calea sniffing.
nothing is plugged into port 3.
the bridge interface has the aging time set to 0, so that all traffic will traverse the bridge always.
I do the ip firewall calea trap the same as always, only I add in-interface=ether2.
Thanks for taking a look guys, hope this helps someone else.
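A toy model of a learning bridge that reproduces the behaviour described in the post above, added here as an illustration (it is not from the thread and is not RouterOS code). It assumes that mirrored traffic shows both ends of each conversation as source MACs on ether2, so a learning bridge filters those frames instead of forwarding them, and that an ageing time of 0 means nothing is ever learned; the MAC addresses, the 300-second ageing value and the frame timings are constructed.

```python
# Toy transparent learning bridge (constructed model, not RouterOS internals).
class Bridge:
    def __init__(self, ports, ageing_time):
        self.ports = ports
        self.ageing_time = ageing_time  # seconds; 0 = never learn (assumption)
        self.fdb = {}                   # MAC -> (port, time last seen as source)

    def receive(self, in_port, src, dst, now):
        """Return the ports a frame arriving on in_port is forwarded to."""
        if self.ageing_time > 0:
            self.fdb[src] = (in_port, now)          # learn / refresh source MAC
        entry = self.fdb.get(dst)
        if entry and now - entry[1] < self.ageing_time:
            port = entry[0]
            # Destination is known behind the ingress port: filter, do not forward.
            return [] if port == in_port else [port]
        # Unknown or aged-out destination: flood to every other port.
        return [p for p in self.ports if p != in_port]


HOST, GATEWAY = "02:00:00:00:00:0a", "02:00:00:00:00:01"  # constructed MACs

# Constructed mirror feed: two bursts of a two-way conversation, 400 s apart.
# Both directions arrive on ether2 because the switch port is a mirror.
FRAMES = []
for base in (0, 400):
    for i in range(10):
        pair = (HOST, GATEWAY) if i % 2 == 0 else (GATEWAY, HOST)
        FRAMES.append((base + i, pair[0], pair[1]))


def forwarded_count(ageing_time, frames=FRAMES):
    """Count frames that cross the bridge (and so reach the forward chain)."""
    br = Bridge(["ether2", "ether3"], ageing_time)
    return sum(1 for t, src, dst in frames if br.receive("ether2", src, dst, t))


if __name__ == "__main__":
    print("ageing 300 s:", forwarded_count(300), "of", len(FRAMES), "forwarded")
    print("ageing 0    :", forwarded_count(0), "of", len(FRAMES), "forwarded")
```

With learning enabled, only the first frame of each burst is flooded across the bridge; with ageing time 0 every mirrored frame is forwarded out the empty port and is therefore visible to a capture on the forward chain.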