Folks,

My home network is set up as MODEM <--> WAP (WRT54GL) <--> 16 port switch (GS116E). I have a 2nd NIC in my monitor computer connected to a port on the GS116E set up to mirror the computer ports. I do not mirror the NAS or uplink ports. Then I tee at the router, which sends a copy of any traffic handled by the access point (iptables -A POSTROUTING -t mangle -j ROUTE --gw 10.0.0.199 --tee).

So far so good. By not mirroring the uplink or NAS ports on the switch I don't get extra packets when file transfers occur, nor from traffic bound for the WAN or the WLAN.

The one trouble I have left is that any traffic to/from the WAN from a computer on the switch gets doubled (one copy from the tee and one from the port mirror).

Are there any suggestions how I might eliminate the duplicates? Maybe some set of commands at the WAP (WRT54GL running Tomato)? I could look for a cheap NAT device to go between the modem and the switch and move the WAP onto the switch I guess, but I was looking for a "no added device" solution.

THANKS!
ron <><

asked 19 Jan '12, 19:38 KK1L
One Answer:
You could capture the traffic with duplicates, and then remove them from the trace file afterwards, using editcap -d. I just answered a similar question here, so you might want to look at that one, too.

Since I already saw in another post that you're having problems with the MAC addresses in the "duplicate" packets being different (while the rest stays the same), I have to add that editcap -d might not work as expected, though. editcap looks for exact duplicates by calculating MD5 hashes on frames, and if the MAC is different, so is the hash. This will lead to "duplicates" still remaining in the "cleaned" trace file, since the hashes didn't match with the original packets. A possible workaround could be to do the cleanup process in a two step way:
Other than that, you're probably out of luck, since removing duplicates expects them to be 100% the same, bit by bit.

answered 20 Jan '12, 04:07 Jasper ♦♦
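The hash mismatch described in the answer above, as an added example (not part of the original answer and not editcap's code): duplicate removal over a classic pcap file that hashes each frame with its first 14 bytes, the untagged Ethernet header, left out, so two copies that differ only in MAC addresses still match. It assumes everything after the MACs is identical, as the answer describes; the function names, the comparison window of 4 frames, the choice of SHA-256 and the sample frames are all constructed for illustration.

```python
import hashlib
import struct
from collections import deque

ETH_HDR_LEN = 14  # dst MAC + src MAC + EtherType, assuming untagged Ethernet

def dedup_ignoring_l2(pcap: bytes, skip: int = ETH_HDR_LEN, window: int = 4):
    """Return (deduplicated pcap bytes, frames dropped) for a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    out = bytearray(pcap[:24])        # global header is copied unchanged
    recent = deque(maxlen=window)     # keys of the last `window` frames kept
    offset, dropped = 24, 0
    while offset + 16 <= len(pcap):
        rec_hdr = pcap[offset:offset + 16]
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break                     # truncated final record, stop here
        offset += 16 + incl_len
        # Hash only what follows the link-layer header; short frames are hashed whole.
        body = frame[skip:] if len(frame) > skip else frame
        # SHA-256 here; any digest works for equality matching.
        key = (len(frame), hashlib.sha256(body).digest())
        if key in recent:
            dropped += 1              # same bytes after the MACs: duplicate copy
            continue
        recent.append(key)
        out += rec_hdr + frame
    return bytes(out), dropped

def build_sample() -> bytes:
    """Constructed capture: frame 2 repeats frame 1 with other MACs, frame 3 differs."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    ip1, ip2 = b"\x08\x00constructed packet A", b"\x08\x00constructed packet B"
    frames = [bytes.fromhex("aa" * 6 + "bb" * 6) + ip1,   # copy from the port mirror
              bytes.fromhex("cc" * 6 + "dd" * 6) + ip1,   # copy from the router tee
              bytes.fromhex("aa" * 6 + "bb" * 6) + ip2]
    return ghdr + b"".join(struct.pack("<IIII", n, 0, len(f), len(f)) + f
                           for n, f in enumerate(frames))

if __name__ == "__main__":
    cleaned, dropped = dedup_ignoring_l2(build_sample())
    print(f"dropped {dropped} duplicate frame(s), {len(cleaned)} bytes written")
```

Calling it with skip=0 hashes whole frames and leaves the MAC-differing copy in place, which is the failure the answer describes.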