I think I found another option for implementing port mirroring without a switch.
The solution lies in iptables!
There is an experimental iptables target (ROUTE) with an option (--tee) that behaves like the good old Linux "tee" command: it sends a copy of each packet to a target IP address and then continues with the normal processing (routing the original packet to its normal destination).
So, how are we going to use this for our port-mirroring?
Imagine that our router has the IP address 192.168.1.1 and our monitor PC has the IP address 192.168.1.254. Then the following two lines (one for incoming, one for outgoing packets) will do the trick:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee
This will send a copy of every packet that passes through the router to the monitor PC with the IP 192.168.1.254.
On the monitor, we simply start tcpdump with our desired options and we can monitor all traffic…
In my example, I'm interested in all traffic that has to do with the IP 192.168.1.3, so I call:
tcpdump (some options here) host 192.168.1.3
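To make the two rules easier to apply and, just as important, to remove again when monitoring is finished, here is a small wrapper script. It is an added example, not part of the original post; it assumes the experimental ROUTE target described above (or, if TARGET=TEE is given, the mainline TEE target, which takes --gateway instead of --gw --tee), and the monitor IP 192.168.1.254 from the post is only a sample value.

```shell
#!/bin/sh
# Added example (not from the original post): prints, applies, or removes the
# two mangle-table rules that copy every packet passing the router to a
# monitor host. Assumes the experimental ROUTE target from the post, or the
# mainline TEE target (-j TEE --gateway <ip>) when "TEE" is passed.
# Usage: sh mirror.sh {print|apply|remove} <monitor-ip> [ROUTE|TEE]

# Emit the two iptables commands for a monitor IP.
# $1 = monitor IP, $2 = ROUTE (default) or TEE, $3 = -A (add, default) or -D (delete)
mirror_cmds() {
  ip=$1; target=${2:-ROUTE}; action=${3:--A}
  case $target in
    ROUTE) tail="-j ROUTE --gw $ip --tee" ;;
    TEE)   tail="-j TEE --gateway $ip" ;;
    *) echo "unknown target: $target" >&2; return 1 ;;
  esac
  # One rule for packets entering the router, one for packets leaving it.
  for chain in PREROUTING POSTROUTING; do
    printf 'iptables -t mangle %s %s %s\n' "$action" "$chain" "$tail"
  done
}

# Run each generated command; stop at the first failure so a half-applied
# rule set is visible in the exit status rather than silently ignored.
run_cmds() {
  mirror_cmds "$@" | while read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1
  done
}

main() {
  case $1 in
    print)  mirror_cmds "$2" "${3:-ROUTE}" ;;
    apply)  run_cmds "$2" "${3:-ROUTE}" -A ;;
    remove) run_cmds "$2" "${3:-ROUTE}" -D ;;
    *) echo "usage: $0 {print|apply|remove} <monitor-ip> [ROUTE|TEE]" >&2; return 2 ;;
  esac
}

# Dispatch only when arguments are given, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run "sh mirror.sh print 192.168.1.254" first to see the exact rules before applying them as root, and "remove" afterwards so the router stops duplicating every packet once the monitoring session is over.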
The "-gw" argument should be "--gw" (notice it has two hyphens, not one). The "-tee" argument should also have two hyphens, like so: "--tee".
http://blog.goddchen.de/2009/03/port-mirroring-span-port-monitor-port-with-iptables/
The rest of the arguments are correct; "-A", "-t" and "-j" should have only one hyphen.
The general shell rule of thumb is that when a command line option has more than one letter, it gets two hyphens.
Note: I believe this is accomplished on modified routers running DD-WRT, Open-WRT or the like.