Traffic mirroring in Linux

It comes in handy when analyzing traffic to forward a copy of everything to a specific IP where a machine is listening and running Wireshark or similar tools. It is very useful on routers that lack the resources to run network analysis tools themselves (such as DD-WRT devices).

Just run the following commands replacing the xxx.xxx.xxx.xxx field with the IP of your listening machine:

# iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx
# iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx
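As an added example (not from the original post), the small script below wraps the mirroring setup: it validates the listener address before it is spliced into a rule, prints the rules instead of applying them unless asked to, and emits matching delete rules for cleanup. It assumes the mainline TEE target (-j TEE --gateway), which has shipped with stock iptables since 1.4.8, rather than the ROUTE --tee target used above, which came from xtables-addons and is not present in a stock build; the rules also exclude the listener's own traffic so the analyst's session to the capture box is not mirrored back at it. The script name, the "apply" argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds (and optionally applies)
# iptables TEE rules that mirror all forwarded traffic to a listener host.
# Assumption: the in-tree TEE target (-j TEE --gateway) is available.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Rejects anything with shell metacharacters so the address is safe to splice
# into a command line.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules that mirror traffic to listener $1, one per line.
# Traffic from/to the listener itself is excluded so the capture box's own
# sessions (e.g. SSH to the router) are not mirrored back at it.
build_mirror_rules() {
    gw="$1"
    valid_ipv4 "$gw" || { echo "invalid IPv4 address: $gw" >&2; return 1; }
    printf '%s\n' \
        "iptables -t mangle -A PREROUTING ! -s $gw -j TEE --gateway $gw" \
        "iptables -t mangle -A POSTROUTING ! -d $gw -j TEE --gateway $gw"
}

# Same rules with -D instead of -A, for removing the mirror again.
build_unmirror_rules() {
    build_mirror_rules "$1" | sed 's/ -A / -D /'
}

# Usage: mirror.sh <listener-ip> [apply|remove]
# Without a second argument the rules are only printed (dry run).
main() {
    case "$2" in
        remove) cmds=$(build_unmirror_rules "$1") || exit 1 ;;
        *)      cmds=$(build_mirror_rules "$1")   || exit 1 ;;
    esac
    if [ "$2" = "apply" ] || [ "$2" = "remove" ]; then
        # Execute each generated rule; requires root (or CAP_NET_ADMIN).
        printf '%s\n' "$cmds" | while IFS= read -r c; do $c; done
    else
        printf '%s\n' "$cmds"
    fi
}

# Only run main when invoked with arguments, so sourcing the file is harmless.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh mirror.sh 10.9.0.2` to see the rules, `sh mirror.sh 10.9.0.2 apply` as root to install them, and `sh mirror.sh 10.9.0.2 remove` to take them out again. Mirroring every packet doubles the router's forwarding load, so on a small device it is worth narrowing the match (for instance by `-i` interface or `-s` subnet) before applying it.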

2 thoughts on "Traffic mirroring in Linux"

  • February 15, 2016 at 14:20

    Hello. Are you sure that your command is correct? I tried on my Linux and it does not recognize --tee.

    sudo iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw 10.9.0.2
    iptables v1.4.21: unknown option "--tee"

    • February 26, 2016 at 16:40

      Yes, it works for me on various Linux systems. What is your configuration (system/kernel)?

