In many debugging situations, you might need to analyze network traffic destined for a specific interface without physically accessing the network segment. A common setup involves:
- Machine A with two NICs (eth0 for production, eth1 for debug)
- Machine B connected directly to eth1 running Wireshark
- Need to mirror selective traffic from eth0 to eth1
The Linux kernel's netfilter framework (configured through iptables) handles this with two targets: TEE, which clones every matched packet to another host on a directly attached segment, and NFLOG, which copies matched packets to userspace on the local machine.
Key advantages:
- No custom code required
- Works in the kernel; TEE never copies packets to userspace
- Supports the full iptables match set for choosing what gets mirrored
- Preserves the original packet flow: both targets are non-terminating, so the original packet continues through the stack untouched
Here's the core solution using iptables' TEE target. 192.168.1.2 is machine B's address on the eth1 subnet, so machine A's eth1 needs an address in that subnet as well:
# Basic packet mirroring (all IPv4 traffic arriving on eth0)
sudo iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway 192.168.1.2
# Selective mirroring example (only HTTP traffic)
sudo iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TEE --gateway 192.168.1.2
For more granular control over what gets mirrored:
# Mirror only SSH traffic
sudo iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 -j TEE --gateway 192.168.1.2
# Mirror traffic from specific subnet
sudo iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.0/24 -j TEE --gateway 192.168.1.2
# Mirror traffic to specific destination IP
sudo iptables -t mangle -A PREROUTING -i eth0 -d 203.0.113.45 -j TEE --gateway 192.168.1.2
NFLOG does not mirror to another interface. It hands a copy of each matched packet to userspace on machine A through nfnetlink, where tcpdump or Wireshark can read it (libpcap must be built with nflog support for the nflog:N pseudo-interface to exist). Use it when you want iptables' match set but do not need machine B. The rule below captures HTTP requests generated by machine A itself; the same rule in PREROUTING with -i eth0 would capture the incoming traffic from the earlier examples:
# Set up NFLOG rule
sudo iptables -t mangle -A OUTPUT -p tcp --dport 80 -j NFLOG --nflog-group 1
# Capture using tcpdump
sudo tcpdump -i nflog:1 -w /tmp/captured.pcap
- The --gateway host must be a directly connected neighbour (machine B on the eth1 subnet). TEE hands the clone to that host's link-layer address and does not route it through intermediate hops. Machine B must not have IP forwarding enabled, or it will route the clones onward because their IP destination is not B
- Be mindful of performance impact on high-traffic systems; every matched packet is copied in full
- The parameter is --gateway, not --tee-gateway. Add --oif eth1 if the gateway is reachable over more than one interface and the clones must leave through the debug NIC
- Consider rate limiting with -m limit, or sampling with -m statistic --mode random --probability 0.1, placed before -j TEE
# Verify rules are active (per-rule packet and byte counters)
sudo iptables -t mangle -L -v -n
# Check kernel logs for errors
dmesg | grep -i tee
# Test connectivity between interfaces
ping -I eth1 192.168.1.2
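As an added example (not code from the original page), the following POSIX shell script assembles the TEE rules in a dedicated mangle chain, so the whole mirror can be listed, counted and torn down as one unit, and validates the gateway address before emitting anything. The chain name MIRROR, the interface eth0, the gateway 192.168.1.2 and the selector list are assumptions. The script prints the iptables commands rather than running them, so `./mirror.sh up | sudo sh` applies the mirror and `./mirror.sh down | sudo sh` removes it.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: chain MIRROR,
# ingress interface eth0, debug host 192.168.1.2 on the eth1 subnet.

MIRROR_CHAIN="MIRROR"
IN_IF="eth0"
GATEWAY="192.168.1.2"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    # Reject empty input, non-digit characters, leading/trailing/double dots.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots in a subshell so IFS and the caller's positional
    # parameters stay untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o; do [ "$o" -le 255 ] || exit 1; done
    )
}

# Print one TEE rule for the selector in $1 (extra iptables match arguments).
tee_rule() {
    printf 'iptables -t mangle -A %s %s -j TEE --gateway %s\n' \
        "$MIRROR_CHAIN" "$1" "$GATEWAY"
}

# Emit the full ruleset: create the chain, jump to it from PREROUTING for
# packets arriving on eth0, then one TEE rule per selector. The last selector
# samples 10% of HTTPS instead of copying all of it.
build_ruleset() {
    printf 'iptables -t mangle -N %s\n' "$MIRROR_CHAIN"
    printf 'iptables -t mangle -A PREROUTING -i %s -j %s\n' "$IN_IF" "$MIRROR_CHAIN"
    tee_rule "-p tcp --dport 80"
    tee_rule "-p tcp --dport 22"
    tee_rule "-s 10.0.0.0/24"
    tee_rule "-p tcp --dport 443 -m statistic --mode random --probability 0.1"
}

# Emit the commands that undo build_ruleset: unhook, flush, delete the chain.
teardown_ruleset() {
    printf 'iptables -t mangle -D PREROUTING -i %s -j %s\n' "$IN_IF" "$MIRROR_CHAIN"
    printf 'iptables -t mangle -F %s\n' "$MIRROR_CHAIN"
    printf 'iptables -t mangle -X %s\n' "$MIRROR_CHAIN"
}

# Usage: ./mirror.sh up | sudo sh     ./mirror.sh down | sudo sh
case "${1:-}" in
    up)
        valid_ipv4 "$GATEWAY" || { echo "invalid gateway: $GATEWAY" >&2; exit 1; }
        build_ruleset ;;
    down)
        teardown_ruleset ;;
esac
```

Because TEE is non-terminating, a packet that matches two selectors in the chain is cloned twice; keep the selectors disjoint if one copy per packet is what machine B should see. `iptables -t mangle -L MIRROR -v -n` then shows a hit counter per selector.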
When debugging network applications on a Linux system with multiple interfaces, you may need to mirror traffic from a production interface (eth0) to a dedicated debugging interface (eth1) without disrupting normal operations. This technique is particularly useful when:
- Physical access to the production network isn't available
- You need to analyze only specific traffic patterns
- Putting a capture box into promiscuous mode on the production segment isn't desirable for security reasons
A tc-only approach works well here: an ingress qdisc on eth0 selects packets with the u32 classifier and the mirred action clones them to eth1. The original packet continues through the stack unchanged; only the clone leaves through eth1:
# Basic packet mirroring setup
sudo tc qdisc add dev eth0 handle ffff: ingress
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0 action mirred egress mirror dev eth1
For targeted debugging, put the selection into the u32 match itself. Marking packets with iptables (-t mangle -A PREROUTING ... -j MARK) and matching the mark with the fw classifier does not work on ingress: the ingress qdisc runs before netfilter's PREROUTING hook, so the mark is still 0 when the filter is evaluated. If the match-all filter above is still installed, delete it first or it keeps mirroring everything:
# Mirror only HTTP traffic destined for this host (TCP, destination port 80)
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match ip protocol 6 0xff match ip dport 80 0xffff action mirred egress mirror dev eth1
Here are some practical filtering combinations (the ip sport/dport matches and the fixed-offset match assume a 20-byte IPv4 header without options):
# Mirror SSH traffic
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match ip protocol 6 0xff match ip dport 22 0xffff action mirred egress mirror dev eth1
# Mirror traffic from specific subnet
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match ip src 192.168.1.0/24 action mirred egress mirror dev eth1
# Complex protocol matching: TCP segments with both SYN and ACK set (flags byte at offset 33; SYN=0x02, ACK=0x10)
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match ip protocol 6 0xff match u8 0x12 0x12 at 33 action mirred egress mirror dev eth1
When implementing packet mirroring:
- Use specific filters to avoid overwhelming the debug interface
- Monitor system resources with 'top' and 'iftop'
- For high-traffic systems, consider rate limiting. Police the filter before the mirror action and make the exceed verdict pass, not drop: the police action runs on the original packet at ingress, so a drop verdict would discard production traffic, not just the copy. Packets over the rate are accepted without being mirrored; conforming packets continue (pipe) to mirred:
# Rate limit mirrored HTTP traffic to 1Mbps
sudo tc filter add dev eth0 parent ffff: protocol ip u32 match ip protocol 6 0xff match ip dport 80 0xffff \
    action police rate 1mbit burst 100k conform-exceed pass/pipe action mirred egress mirror dev eth1
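As an added example (not from the original page), this POSIX shell script turns the selectors used above into u32 match clauses and emits the tc commands for the whole mirror, including the TCP flags byte that the SYN,ACK rule relies on. The interface names eth0/eth1, the filter priorities and the selector list are assumptions; like the rules above, the port and flag matches assume a 20-byte IPv4 header. It prints the commands, so `./tcmirror.sh up | sudo sh` applies them and `./tcmirror.sh down | sudo sh` removes the ingress qdisc and every filter under it.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed interfaces: eth0 is the
# production NIC, eth1 the debug NIC. Selection is done in tc (u32) because
# a tc ingress filter cannot see marks set by iptables PREROUTING.

IN_IF="eth0"
DEBUG_IF="eth1"

# Map comma-separated TCP flag names (FIN,SYN,RST,PSH,ACK,URG) to the value of
# the flags byte at TCP header offset 13, printed as 0xNN. Unknown names fail.
tcp_flags_byte() {
    v=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case "$f" in
            FIN) b=1 ;; SYN) b=2 ;; RST) b=4 ;; PSH) b=8 ;; ACK) b=16 ;; URG) b=32 ;;
            *) return 1 ;;
        esac
        v=$((v | b))
    done
    printf '0x%02x' "$v"
}

# Print the u32 match clause for one selector:
#   all | dport N | sport N | src CIDR | dst CIDR | flags F,G (all listed bits set)
# Port and flag matches are preceded by "ip protocol 6" so they only hit TCP.
# Offset 33 = 20-byte IPv4 header + 13; IP options would shift it.
u32_match() {
    kind=$1; arg=$2
    case "$kind" in
        all)   printf 'match u32 0 0' ;;
        dport) printf 'match ip protocol 6 0xff match ip dport %s 0xffff' "$arg" ;;
        sport) printf 'match ip protocol 6 0xff match ip sport %s 0xffff' "$arg" ;;
        src)   printf 'match ip src %s' "$arg" ;;
        dst)   printf 'match ip dst %s' "$arg" ;;
        flags)
            fb=$(tcp_flags_byte "$arg") || return 1
            printf 'match ip protocol 6 0xff match u8 %s %s at 33' "$fb" "$fb" ;;
        *)     return 1 ;;
    esac
}

# Print the complete tc command for one selector at the given priority.
mirror_filter() {
    prio=$1; kind=$2; arg=$3
    m=$(u32_match "$kind" "$arg") || return 1
    printf 'tc filter add dev %s parent ffff: protocol ip prio %s u32 %s action mirred egress mirror dev %s\n' \
        "$IN_IF" "$prio" "$m" "$DEBUG_IF"
}

# Emit setup: start from a fresh ingress qdisc, then one filter per selector.
build_mirror() {
    printf 'tc qdisc del dev %s ingress 2>/dev/null\n' "$IN_IF"
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$IN_IF"
    mirror_filter 10 dport 80
    mirror_filter 20 dport 22
    mirror_filter 30 src 192.168.1.0/24
    mirror_filter 40 flags SYN,ACK
}

# Usage: ./tcmirror.sh up | sudo sh     ./tcmirror.sh down | sudo sh
case "${1:-}" in
    up)   build_mirror ;;
    down) printf 'tc qdisc del dev %s ingress\n' "$IN_IF" ;;
esac
```

Deleting the ingress qdisc removes all of its filters at once, which is why teardown is a single command. Distinct priorities keep `tc -s filter show dev eth0 ingress` output in a predictable order when you read the hit counters.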
If mirroring isn't working:
- Verify interfaces are up: 'ip link show'
- Check the ingress qdisc and the per-filter hit counters: 'tc -s qdisc show dev eth0 ingress' and 'tc -s filter show dev eth0 ingress'
- Test basic connectivity: 'ping -I eth1 [debug_host_ip]'
- If you are using the TEE or NFLOG rules, inspect their packet counters: 'iptables -t mangle -L -v -n'