Skip to main content

Setup TAP with MIP

Intro​

The following instructions will walk you through how capture packets while your MIP acts as a transparent TAP.

Hardware setup​

To help remember the steps for setting up a TAP between a server and a router you can use the following the D.A.W.S.O.N. method:


Disconnect the Ethernet cable between the Server and the Router.

Attach one Ethernet cable from the Server to the TAP Laptop’s first network interface (ETH1).

Wire a second Ethernet cable from the TAP Laptop’s second network interface (ETH2) to the Router.

Secure all connections to ensure cables are firmly seated and interfaces are recognized by the laptop.

Observe link lights on all devices (Server, Laptop, Router) to confirm physical connectivity.

Note the interface names on the TAP Laptop (e.g., enp0s31f6, enp0s20f0u3) for use in software configuration.


Software Steps​

  1. Figure out your interface names and save them to vars. You can use the RHEL setup tool using option [ 3 ] Configure RHEL networking

    # update with your interface
    ETH1=enp0s31f6
    # update with your second interface
    ETH2=enp0s20f0u3
  2. Set interfaces to promiscuous mode

    sudo ip link set $ETH1 promisc on
    sudo ip link set $ETH2 promisc on
  3. Create the bridge. This is where we'll capture traffic later

    sudo ip link add name br0 type bridge
  4. Add interfaces to the bridge

    sudo ip link set $ETH1 master br0
    sudo ip link set $ETH2 master br0
  5. Verify previous three steps using

    sudo ip link show $ETH1
    sudo ip link show $ETH2
    sudo ip link show br0
  6. Create ruleset to allow forwarding

    sudo nft -f -<<EOF
    flush ruleset

    table bridge filter {
    chain forward {
    type filter hook forward priority 0; policy accept;
    iifname {"$ETH1", "$ETH2"} oifname {"$ETH1", "$ETH2"} accept
    }
    }
    EOF
  7. Verify NFT ruleset

    sudo nft list ruleset
  8. Bring up the interfaces

    sudo ip link set $ETH1 up
    sudo ip link set $ETH2 up
    sudo ip link set br0 up
  9. start your capture

    sudo tcpdump -i br0 -C 1000 -W 10 -w capture.pcap
  10. wait while you sniff packets...

  11. end capture:
    ctrl + c

  12. copy pcaps to wherever they need to be

  13. chown your files to be able to inspect them

    sudo chown assessor:assessor ./capture.pcap
  14. inspect newly chown'd files

    wireshark ./capture.pcap
  15. ???

  16. Profit!