sniffer mode

This commit is contained in:
CyberMind-FR 2025-12-23 21:10:33 +01:00
parent 782675e5b3
commit a23cfb6dd1
2 changed files with 398 additions and 10 deletions

View File

@ -91,11 +91,13 @@ Network intelligence dashboard with DPI for OpenWrt.
Configure different network operation modes with one click.
**Features:**
- 🔍 **Sniffer Mode**: Transparent bridge for traffic analysis
- 📶 **Access Point**: WiFi AP with 802.11r/k/v roaming
- 🔄 **Relay/Extender**: Network relay with WireGuard
- 🌐 **Router Mode**: Full router with proxy and HTTPS frontend
- 🎛️ One-click mode switching with auto-backup
- 🔍 **Sniffer Bridge Mode**: Transparent inline bridge for traffic analysis with Netifyd DPI
- 👁️ **Sniffer Passive Mode**: Out-of-band monitoring via SPAN/TAP for zero-impact forensics
- 📶 **Access Point**: WiFi AP with 802.11r/k/v roaming and band steering
- 🔄 **Relay/Extender**: Network relay with WireGuard VPN and MTU optimization
- 🌐 **Router Mode**: Full router with proxy, HTTPS frontend, and virtual hosts
- 🎛️ One-click mode switching with automatic backup
- 📊 Real-time interface and service status monitoring
[View Details](luci-app-network-modes/README.md)
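Review bot: the new "Sniffer Passive Mode" bullet promises "zero-impact forensics", but the detailed section this commit adds to the app README lists "May miss traffic depending on setup" as a caveat of SPAN/TAP monitoring, so the summary oversells it; suggest "Out-of-band monitoring via SPAN/TAP with no impact on forwarded traffic". The bullets here now duplicate the per-mode feature lists in luci-app-network-modes/README.md almost word for word; keep this list to one line per mode and let the linked README carry the detail, so the two do not drift apart on the next change.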

View File

@ -10,12 +10,118 @@ Configure your OpenWrt router for different network operation modes with a moder
## 🎯 Network Modes
### 🔍 Sniffer / Passthrough Mode
Transparent Ethernet bridge without IP address for passive network analysis.
- **Bridge mode** without IP configuration
- **Promiscuous mode** for all traffic capture
### 🔍 Sniffer Bridge Mode (Inline / Passthrough)
Transparent Ethernet bridge without IP address for in-line traffic analysis. All traffic passes through the device.
**Network Configuration:**
- **Transparent bridge** mode (br-lan) without IP address assignment
- **Promiscuous mode** enabled on all bridged interfaces
- **No DHCP server** - invisible on the network
- **No routing** - pure layer 2 forwarding
- **Inline deployment** - device inserted in traffic path
- Perfect insertion point between gateway and network devices
**Traffic Analysis Features:**
- **Netifyd integration** for real-time Deep Packet Inspection (DPI)
- **Application detection** (Netflix, YouTube, Zoom, torrent, etc.)
- **Protocol identification** (HTTP/HTTPS, DNS, QUIC, SSH, etc.)
- **Flow tracking** with source/destination analysis
- **Bandwidth monitoring** per application and protocol
**Use Cases:**
- 📊 **Network forensics** - Capture all traffic passing through
- 🔍 **Security monitoring** - Detect anomalies and threats inline
- 🎯 **Bandwidth analysis** - Identify bandwidth hogs
- 🧪 **Protocol debugging** - Debug network issues
- 📈 **Compliance monitoring** - Log all network activity
**Physical Setup (Inline):**
```
Internet Router (Gateway)
[WAN Port] OpenWrt (Bridge Mode) [LAN Ports]
Network Devices (Switches, APs, Clients)
```
**Advantages:**
- ✅ Sees 100% of network traffic
- ✅ Can apply firewall rules if needed
- ✅ Can perform traffic shaping
- ⚠️ Single point of failure (if device fails, network is down)
---
### 👁️ Sniffer Passive Mode (Out-of-band / Monitor Only)
Pure passive monitoring without affecting network traffic. Device only listens, traffic doesn't flow through it.
**Network Configuration:**
- **Monitor mode** interface (no bridge, no forwarding)
- **Promiscuous mode** for packet capture
- **No IP address** on monitoring interface
- **Read-only** - cannot affect network traffic
- Connected via **SPAN/mirror port** or **network TAP**
**Traffic Analysis Features:**
- **Netifyd integration** for Deep Packet Inspection
- Perfect for network forensics and traffic analysis
- **Full packet capture** with tcpdump/Wireshark
- **Application and protocol detection**
- **Flow analysis** and bandwidth monitoring
- **Zero network impact** - invisible to network
**Use Cases:**
- 🔬 **Pure forensics** - Monitor without any network impact
- 🛡️ **IDS/IPS** - Intrusion detection without inline risk
- 📡 **Network TAP monitoring** - Dedicated monitoring infrastructure
- 🔒 **Secure environments** - No risk of disrupting production traffic
- 📊 **Long-term monitoring** - Continuous passive observation
**Physical Setup Options:**
**Option 1: Switch SPAN/Mirror Port**
```
Internet Router
Managed Switch (with port mirroring)
├─→ [Port 1-23] Normal traffic
└─→ [Port 24 SPAN] ──→ OpenWrt [eth0] (Monitor)
```
**Option 2: Network TAP**
```
Internet Router ──→ [TAP Device] ──→ Switch
OpenWrt [eth0] (Monitor)
```
**Option 3: Hub (Legacy)**
```
Internet Router ──→ [Hub] ──→ Switch
OpenWrt [eth0] (Monitor)
```
**Advantages:**
- ✅ Zero network impact - no single point of failure
- ✅ Completely invisible to network
- ✅ Cannot be detected or attacked
- ✅ Perfect for compliance and security monitoring
- ⚠️ Requires SPAN port, TAP, or hub
- ⚠️ May miss traffic depending on setup
**Integration with SecuBox:**
Both modes work seamlessly with:
- **Netifyd Dashboard** for DPI visualization
- **CrowdSec** for threat detection
- **Netdata** for metrics and graphs
- **Client Guardian** for access control decisions
**Advanced Options:**
- Capture to PCAP files for offline analysis
- Export to SIEM (Elasticsearch, Splunk, etc.)
- Filter specific protocols or ports
- Traffic replay for testing
- Long-term packet storage on USB/NAS
### 📶 Access Point Mode
WiFi access point with advanced optimizations.
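Review bot: "Cannot be detected or attacked" in the passive-mode Advantages list overstates the guarantee and should be softened. An interface with no IP address fed by a SPAN port is not reachable at layer 3 from the monitored segment, but the kernel and Netifyd still parse every frame the port delivers, the device keeps its other (management) interfaces, and a SPAN port can be oversubscribed and drop frames, which the same list admits two bullets later ("May miss traffic depending on setup"). Suggest "Not reachable from the monitored segment (no IP address, no forwarding); nothing can be injected back through the monitor port", and drop "Zero network impact - invisible to network" from the Traffic Analysis Features list, where it duplicates the Advantages bullet. Two smaller points: "Monitor mode interface" is 802.11 terminology, and what the Network Configuration list actually describes on a wired port is a promiscuous interface with no IP, so "promiscuous capture interface (no bridge, no forwarding)" is more accurate; and the inline bridge bullet "No DHCP server - invisible on the network" should say "no IP address, not addressable on the network", since a forwarding bridge is still in the path and not invisible.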
@ -161,9 +267,16 @@ config network-modes 'config'
option backup_config '1'
config mode 'sniffer'
option mode_type 'bridge' # 'bridge' or 'passive'
option bridge_interface 'br-lan'
option monitor_interface 'eth0' # For passive mode
option netifyd_enabled '1'
option promiscuous '1'
option pcap_capture '0'
option pcap_path '/tmp/captures'
option mirror_port ''
option capture_filter ''
option span_port_source '' # For passive mode with SPAN
config mode 'accesspoint'
option wifi_channel 'auto'
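Review bot: the default `option pcap_path '/tmp/captures'` points at tmpfs, so enabling `pcap_capture` with the defaults writes captures into RAM and will exhaust memory on a router with continuous traffic; the examples later in this commit use `/mnt/usb/captures`, so either make that the default or add a comment that /tmp is only for short tests. `mirror_port` and `span_port_source` are both empty and undocumented and, from their names and the "For passive mode with SPAN" comment, appear to describe the same thing; keep one, or document how they differ. Also, the `pcap_rotation` and `pcap_retention` options that the USB-storage example in this commit sets with `uci set` are not declared in this block, so add them here with their accepted values ('daily', number of days) or drop them from the example.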
@ -184,6 +297,279 @@ config mode 'router'
option https_frontend '0'
```
## Sniffer Mode Examples
### Basic Sniffer Bridge Setup (Inline)
1. **Enable Sniffer Bridge Mode** via LuCI:
- Navigate to **Network → Network Modes**
- Select **Sniffer Bridge Mode (Inline)**
- Enable **Netifyd Integration**
- Click **Apply Mode**
2. **Physical Connection**:
```
Modem/ISP → [WAN] OpenWrt [LAN1-4] → Switch/Devices
```
3. **Verify Configuration**:
```bash
# Check bridge status
brctl show br-lan
# Verify no IP on bridge
ip addr show br-lan
# Check promiscuous mode
ip link show br-lan | grep PROMISC
# Verify Netifyd is running
/etc/init.d/netifyd status
```
---
### Passive Sniffer Setup (Out-of-band)
#### Option A: Using Switch SPAN Port
1. **Configure Switch SPAN/Mirror Port**:
- Access your managed switch configuration
- Configure port mirroring:
- **Source ports**: Ports to monitor (e.g., uplink port)
- **Destination port**: Port connected to OpenWrt (e.g., port 24)
- **Direction**: Both (ingress + egress)
2. **Configure OpenWrt Passive Mode**:
```bash
# Via UCI
uci set network-modes.sniffer.mode_type='passive'
uci set network-modes.sniffer.monitor_interface='eth0'
uci set network-modes.sniffer.netifyd_enabled='1'
uci commit network-modes
# Apply configuration
ubus call network-modes apply_mode '{"mode":"sniffer"}'
```
3. **Configure Monitor Interface**:
```bash
# Remove IP from monitoring interface
ip addr flush dev eth0
# Enable promiscuous mode
ip link set eth0 promisc on
# Bring interface up
ip link set eth0 up
# Verify interface state
ip link show eth0
```
4. **Start Netifyd on Monitor Interface**:
```bash
# Edit /etc/netifyd.conf
{
"interfaces": {
"internal": [],
"external": ["eth0"]
},
"enable_sink": true
}
# Restart Netifyd
/etc/init.d/netifyd restart
```
5. **Verify Passive Capture**:
```bash
# Test with tcpdump
tcpdump -i eth0 -c 100
# Check Netifyd is seeing traffic
ubus call luci.netifyd status
# Monitor live flows
ubus call luci.netifyd flows | jq '.flows | length'
```
#### Option B: Using Network TAP
1. **Physical Setup**:
```
Router [eth0] ──→ [TAP IN]
[TAP MONITOR] ──→ OpenWrt [eth0]
[TAP OUT] ──→ Switch
```
2. **Configure OpenWrt**:
```bash
# Same as SPAN port configuration above
uci set network-modes.sniffer.mode_type='passive'
uci set network-modes.sniffer.monitor_interface='eth0'
uci commit network-modes
```
3. **Advantages of TAP**:
- ✅ Hardware-based, zero packet loss
- ✅ Full duplex monitoring (both directions)
- ✅ No switch configuration needed
- ✅ Cannot be remotely disabled
- ⚠️ Requires physical TAP device
#### Option C: Using Hub (Budget Option)
1. **Physical Setup**:
```
Router ──→ [Hub Port 1]
[Hub Port 2] ──→ Switch
[Hub Port 3] ──→ OpenWrt [eth0]
```
2. **Configure OpenWrt**:
```bash
# Same passive configuration
uci set network-modes.sniffer.mode_type='passive'
uci set network-modes.sniffer.monitor_interface='eth0'
uci commit network-modes
```
3. **Limitations**:
- ⚠️ Only works with 10/100Mbps networks
- ⚠️ Half-duplex only
- ⚠️ Adds latency
- ⚠️ Not recommended for modern networks
### Advanced Capture Configuration
**Capture HTTP traffic to PCAP:**
```bash
# Via UCI
uci set network-modes.sniffer.pcap_capture='1'
uci set network-modes.sniffer.pcap_path='/mnt/usb/captures'
uci set network-modes.sniffer.capture_filter='port 80 or port 443'
uci commit network-modes
# Manual tcpdump
tcpdump -i br-lan -w /tmp/capture.pcap port 80 or port 443
```
**Monitor specific applications:**
```bash
# Watch Netflix traffic
tcpdump -i br-lan -n 'host nflxvideo.net or host netflix.com'
# Monitor DNS queries
tcpdump -i br-lan -n 'port 53'
# Capture BitTorrent
tcpdump -i br-lan -n 'port 6881:6889'
```
**Real-time bandwidth per IP:**
```bash
# Using iftop
iftop -i br-lan -P
# Using nethogs (if installed)
nethogs br-lan
# Using Netifyd API
ubus call luci.netifyd flows | jq '.flows[] | select(.bytes_total > 1000000)'
```
### Integration Examples
**Export to Elasticsearch:**
```bash
# Netifyd can export to Elasticsearch for centralized logging
# Configure in /etc/netifyd.conf
{
"sink": {
"type": "elasticsearch",
"url": "http://elastic.local:9200",
"index": "netifyd"
}
}
```
**Feed data to Grafana:**
```bash
# Netifyd exports Prometheus metrics
curl http://192.168.1.1:8081/metrics
```
**Integrate with CrowdSec:**
```bash
# CrowdSec can parse Netifyd logs for threat detection
# Configure in /etc/crowdsec/acquis.yaml
filenames:
- /var/log/netifyd.log
labels:
type: netifyd
```
### Performance Tuning
**Optimize for high-bandwidth networks (1Gbps+):**
```bash
# Increase ring buffer size
ethtool -G eth0 rx 4096 tx 4096
ethtool -G eth1 rx 4096 tx 4096
# Disable hardware offloading for accurate capture
ethtool -K eth0 gro off gso off tso off
ethtool -K eth1 gro off gso off tso off
# Set bridge to forwarding mode
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
```
**USB Storage for PCAP captures:**
```bash
# Mount USB drive
mkdir -p /mnt/usb
mount /dev/sda1 /mnt/usb
# Configure rotation
uci set network-modes.sniffer.pcap_path='/mnt/usb/captures'
uci set network-modes.sniffer.pcap_rotation='daily'
uci set network-modes.sniffer.pcap_retention='7'
uci commit network-modes
```
### Troubleshooting
**No traffic visible:**
```bash
# Verify bridge members
brctl show
# Check interface states
ip link show
# Test with tcpdump
tcpdump -i br-lan -c 10
# Check Netifyd logs
logread | grep netifyd
```
**High CPU usage:**
```bash
# Disable DPI if not needed
uci set network-modes.sniffer.netifyd_enabled='0'
# Reduce capture scope with filters
tcpdump -i br-lan 'not port 22' -w /dev/null
# Check for hardware offloading
ethtool -k eth0 | grep offload
```
## Security
- Mode switching creates automatic backups
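Review bot: several command examples in this hunk are wrong or counterproductive and should be fixed before merging. `tcpdump -i br-lan -n 'port 6881:6889'` is not valid BPF syntax (tcpdump rejects the colon); use `portrange 6881-6889`. `echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables` does not "Set bridge to forwarding mode": it sends every bridged frame through the iptables hooks (br_netfilter, which on OpenWrt needs kmod-br-netfilter), which is exactly the per-packet work the "Optimize for high-bandwidth networks" block is trying to avoid; drop it, or move it next to the "Can apply firewall rules if needed" advantage with an accurate comment. In "High CPU usage", `tcpdump -i br-lan 'not port 22' -w /dev/null` only adds a second capture process and reduces nothing; remove it, and follow `uci set network-modes.sniffer.netifyd_enabled='0'` with `uci commit network-modes` and the `ubus call network-modes apply_mode` step used in the passive example, otherwise the change never takes effect. The two `/etc/netifyd.conf` fragments (the interfaces block and the Elasticsearch sink) are JSON objects inside ```bash fences; give them their own fences, and verify the format against the netifyd package actually shipped, since the OpenWrt netifyd package configures interfaces through /etc/config/netifyd (UCI) and netifyd.conf is not JSON. Smaller points: `brctl` needs the bridge-utils package on most OpenWrt images, while `ip link show master br-lan` works with what is already installed; the passive setup captures on `eth0`, but the Advanced Capture and Troubleshooting blocks all use `br-lan`, which does not exist in passive mode, so say which mode each block applies to; `-w /tmp/capture.pcap` writes to RAM-backed /tmp with no size limit, so use `-C`/`-W` rotation and the USB path from the storage section; and `host nflxvideo.net or host netflix.com` resolves once at startup to a single address, so it will match almost none of the CDN traffic it is meant to show.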