<strong>TL;DR</strong>: The goal is to build a <strong>network tap</strong> using a <strong>Linux bridge</strong>, that can be used to sniff traffic off the wire, and build a device that could also be used for red team engagements.
I am currently using a "router" PC with four ethernet ports as pictured below but the actual hardware is unimportant. I intend to replicate my setup on other hardware with dual (Gigabit) ethernet - think single board computers like Orange Pi etc. Current setup:

```bash
# create bridge
nmcli connection add type bridge ifname br0 con-name br0 bridge.stp no ipv4.method disabled ipv6.method disabled autoconnect no
# allow all kinds of traffic
nmcli connection modify br0 bridge.group-forward-mask 65528
# add slave interfaces
nmcli connection add type ethernet ifname enp6s0 con-name br0-enp6s0 master br0
nmcli connection add type ethernet ifname enp7s0 con-name br0-enp7s0 master br0
# start the bridge
nmcli con up br0
```

Then I just use `tcpdump -n -i br0`, or `tshark` on the device itself to sniff traffic right away. Network Manager is for convenience reasons too, because at some point I may want to drop the bridge, and reassign the interfaces for another purpose. I can also run pre-up scripts in `/etc/NetworkManager/dispatcher.d/pre-up.d/` if necessary.

Since I have a pure layer 2 bridge with no IP addresses, I expect it to be "nearly" silent. By tweaking the value of `group_fwd_mask` I am also making sure to relay types of traffic that are not carried by the Linux bridge by default, like CDP or EAP (Source). However I am aware that the bridge could still generate some traffic either by itself or by responding to queries, for instance ARP traffic. Indeed, when I start the bridge it emits some IGMPv3 packets as shown below (36:04:5f:8d:ac:55 is the MAC address automatically assigned to the bridge):

Therefore my question is: how can I make the bridge completely silent and passive, and achieve total isolation of the bridge from the other interfaces present on the device? To put it differently, a real network tap should not inject any frames of its own.

I understand there are many options but I am not sure which one(s) to use. Some of the ideas I had in mind:
- Use VLANs for the bridge interfaces but I guess this is not going to help when the bridged interfaces are themselves generating unwanted traffic
- Running Network Manager in another namespace
- Use tc or nftables to drop unwanted frames entering the bridge based on the MAC address
```sh
BRIDGE=br-phantap
if [ "$ACTION" = add -a "$DEVICENAME" == "$BRIDGE" ]; then
    echo "phantap: Configuring bridge $BRIDGE (hotplug)..." > /dev/kmsg
    echo 65528 > /sys/class/net/$BRIDGE/bridge/group_fwd_mask
    ip link set dev $BRIDGE arp off multicast off allmulticast off
    echo "phantap: Bridge $BRIDGE configured (hotplug)" > /dev/kmsg
fi
```

- Does the `ip link set dev $BRIDGE arp off multicast off allmulticast off` statement above suffice to effectively "mute" the bridge?
- Should the same be done on the slave interfaces as well?
- Would it make sense to add more filtering rules, for example using `tc` or `nftables`?
- What about the `isolated` option of `ip link`?
- Are there any useful options I have overlooked like the `bridge.vlan-filtering` option?
- Is a bridge even the best way to go here? Could other interface types like `macvlan` achieve the intended purpose?
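One way to pursue the nftables idea from the list above, as an added example that is not part of the question or of the phantap project: frames the tap device generates itself (the IGMPv3 reports seen above, ARP, ICMPv6 neighbour discovery) leave through the nftables bridge-family `output` hook, while relayed frames take the `forward` hook, so a drop policy on `output` mutes the tap without touching what it forwards. The interface names (`br0`, `enp6s0`, `enp7s0`) are taken from the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not the poster's configuration: mute frames the tap generates itself.
# Locally generated frames leaving through a bridge traverse the nftables bridge-family
# "output" hook; forwarded frames go through "forward" instead, so a drop policy on
# output keeps the tap silent without affecting what it relays.
BR=br0
PORTS="enp6s0 enp7s0"

# Emit the ruleset as text so it can be reviewed or saved before loading it.
tap_ruleset() {
    cat <<EOF
table bridge tap {
    chain output {
        type filter hook output priority 0; policy drop;
        counter comment "frames generated by the tap itself (dropped)"
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter comment "frames relayed between the tap ports"
    }
}
EOF
}

# sysctl settings that stop the bridge and its ports from running IPv6 autoconf
# (the source of MLD reports and router solicitations), one "key=value" per line.
tap_sysctl_args() {
    printf 'net.ipv6.conf.%s.disable_ipv6=1\n' "$BR" $PORTS
}

# Sanity check before loading: the ruleset must drop on the bridge output hook.
tap_ruleset_is_silent() {
    tap_ruleset | grep -q 'hook output' && tap_ruleset | grep -q 'policy drop'
}

# Apply everything (needs root plus the nft and iproute2 tools). Call it explicitly,
# for instance from a NetworkManager dispatcher pre-up script once br0 exists.
apply_tap_rules() {
    tap_ruleset | nft -f -
    tap_sysctl_args | while read -r kv; do sysctl -w "$kv"; done
    ip link set dev "$BR" arp off multicast off allmulticast off
}

# Afterwards "nft list table bridge tap" shows the counters: a rising output counter
# means the tap tried to speak and was muted; forward should grow with relayed traffic.
```

The output-hook counter doubles as a check on the other knobs (`arp off`, `multicast off`, the IPv6 sysctls): once they are effective it should stop increasing.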