Monitoring traffic from OpenWRT #3802
Replies: 2 comments
-
Have you found a solution to this problem?
-
I think people generally pick up traffic from wireless devices with a tap or SPAN at the interface between the AP and the wired network. Are you trying to capture traffic between two wireless clients?
-
I've done some searching through the discussion threads and didn't find anything that directly addressed my question, but I apologize if the answer is somewhere I overlooked.
I'm running SO on a small network with a couple of switches and a wireless router running OpenWRT. SO is in a standalone configuration with 3 NICs: 1 management and 2 sniffing in a bond0 config. Currently running SO 2.3.40.
I'd like to be able to monitor the wireless traffic on the WLAN using SO, but I'm unsure how to capture the traffic. OpenWRT allows for mirroring, but that only includes the wired switch traffic. And I'm already getting the WAN traffic, but that doesn't give me the local IP for source/destination in monitored packets, and doesn't work well with the Suricata rules (since the public IP isn't in the $HOME lan).
One suggestion for this was to use the TEE command in the OpenWRT iptables firewall config to "mirror" the traffic to a network sniffer. However, this would require an IP address to send the traffic to. Since the Bond0 interfaces don't have IPs, I'm not sure how to make this work. I don't believe sending the traffic to the management interface would be the recommended way to go, and I'm not even sure this would work since that interface isn't monitored.
Any suggestions?