Port-Mirroring / Span Port / Monitor Port with iptables on NETGEAR WGR614L

I have a NETGEAR WGR614L and I needed to attach a tcp monitor pc (tcpdump) to one of its LAN ports. The fact the the router is a switch makes that not so trivial a task. 

The switch only forwards packets to the port where the destinaion MAC address is known.  As such, each connected network device only receives the packets which are destined for that specific device.

Expensive switches provide a functionality which is called “Port-Mirroring," “Span Port,” or “Monitor Port."  This feature copies all packets from another port to that monitor port.  Sadly, our WGR614L doesn't have that functionality built-in.

After a day of forum searching and Googling, all I could find was the question on how to do this and the answer that it’s impossible.

However, I asked the question in this forum and received a brilliant answer (thanks again to ciscostu).

The solution lies in iptables!

There is an experimental target (ROUTE) which offers an option (--tee) that behaves like the good old linux “tee” command.  It copies a packet to a target ip address and then goes on with the normal behaviour (routing it to it’s normal target.)

So, how are we going to use this for our port-mirroring?

Imagine that our router has the ip address, and our monitor pc has the ip address Then the following two lines will do the trick:

iptables -A PREROUTING -t mangle -j ROUTE --gw --tee

iptables -A POSTROUTING -t mangle -j ROUTE --gw --tee

This will send a copy of all packets to the monitor pc with the ip

On the monitor, we simply start tcpdump with our desired options and we can monitor all traffic…

In my example, I’m interested in all traffic which has to do with the ip so I call:

tcpdump (…) host

Where (…) are some more options for logging andother things.

I hope this little guide helps many many people and i’d appreciate some comments :)

Gr33tz Goddchen

Quick Links

Other WGR614L Resources and Tutorials

See All Downloads

Community Store




Etherninja's picture
I've been looking for a

I've been looking for a solution to monitor my home network, and this looks like a very viable solution provided you have a router with iptables? I've been loving the dd-wrt firmware which does have iptables, so I will give this a try and let you know how it goes. Up until now I've been using a good old school hub in between my internet connection and the rest of my network, with a monitoring pc attached to the hub. It works pretty well, but doesn't capture all router traffic. Which doesn't matter too much because I'm mainly concerned about watching what enters and leaves my house. I'm hoping though that eventually dd-wrt firmware will include support for a port-mirroring/monitoring port. Thanks for the info!

dtabone's picture
Thanks mate.. it works well

Thanks mate.. it works well on my wrt54gl router with DDWRT v23SP2. I've got my router logging to a debian machine with ntop running on a VM.. lovely. In fact it is more accurate for bandwidth analysis than enabling the default rflow (netflow) Needless to say I ran the commands from the bash command line.. once again.. thank you - very useful post.

scott's picture
That's great - now how to

That's great - now how to turn it off without a router reboot?

pm's picture
is it possible to specify

is it possible to specify only for one interface of the router???

dt1375's picture
SWE (smoothwall express) is

SWE (smoothwall express) is using iptables 1.4.4
Reply on the string
iptables -A PREROUTING -t mangle -j ROUTE --gw --tee

iptables v1.4.4: unknown option `--gw'

Any suggestions?

evejou's picture
Oh, very helpful, even

Oh, very helpful, even several years later! Thanks for sharing.

Abner Ortiz
Abner Ortiz's picture
the gw command does not work.

the gw command does not work.
iptables v1.4.12: unknown option "--gw"
Try `iptables -h' or 'iptables --help' for more information.