Setup TAP with MIP
Introβ
The following instructions will walk you through how capture packets while your MIP acts as a transparent TAP.
Hardware setupβ
To help remember the steps for setting up a TAP between a server and a router you can use the following the D.A.W.S.O.N. method:
Disconnect the Ethernet cable between the Server and the Router.
Attach one Ethernet cable from the Server to the TAP Laptopβs first network interface (ETH1).
Wire a second Ethernet cable from the TAP Laptopβs second network interface (ETH2) to the Router.
Secure all connections to ensure cables are firmly seated and interfaces are recognized by the laptop.
Observe link lights on all devices (Server, Laptop, Router) to confirm physical connectivity.
Note the interface names on the TAP Laptop (e.g., enp0s31f6, enp0s20f0u3) for use in software configuration.
Software Stepsβ
-
Figure out your interface names and save them to vars. You can use the RHEL setup tool using option
[ 3 ] Configure RHEL networking# update with your interface
ETH1=enp0s31f6
# update with your second interface
ETH2=enp0s20f0u3 -
Set interfaces to promiscuous mode
sudo ip link set $ETH1 promisc on
sudo ip link set $ETH2 promisc on -
Create the bridge. This is where we'll capture traffic later
sudo ip link add name br0 type bridge -
Add interfaces to the bridge
sudo ip link set $ETH1 master br0
sudo ip link set $ETH2 master br0 -
Verify previous three steps using
sudo ip link show $ETH1
sudo ip link show $ETH2
sudo ip link show br0 -
Create ruleset to allow forwarding
sudo nft -f -<<EOF
flush ruleset
table bridge filter {
chain forward {
type filter hook forward priority 0; policy accept;
iifname {"$ETH1", "$ETH2"} oifname {"$ETH1", "$ETH2"} accept
}
}
EOF -
Verify NFT ruleset
sudo nft list ruleset -
Bring up the interfaces
sudo ip link set $ETH1 up
sudo ip link set $ETH2 up
sudo ip link set br0 up -
start your capture
sudo tcpdump -i br0 -C 1000 -W 10 -w capture.pcap -
wait while you sniff packets...
-
end capture:
ctrl+c -
copy pcaps to wherever they need to be
-
chown your files to be able to inspect them
sudo chown assessor:assessor ./capture.pcap -
inspect newly chown'd files
wireshark ./capture.pcap -
???
-
Profit!