Howto: Copy/Tee/Clone network traffic using iptables
May 14th, 2008 — bjou
Having to work with Netflow data for my Diploma Thesis I invested quite some time into the following challenge:
Our Routers export Cisco Netflow Data to HOST A, where we do accounting. I want to use HOST B for several Netflow-related tests. The Routers only support one target for their netflow export (as mentioned, this target is HOST A).
Problem: How is it possible to clone the incoming stream of packets at HOST A and forward one copy into HOST A’s userspace (for accounting applications) and the other copy to HOST B’s userspace (for testing purposes)?
The specific challenge is that I do not want a simple FORWARD to HOST B, but a FORWARD of a copy, so that I can work with the data on both machines. This leads to the next problem: Packets arriving at HOST B have the Destination IP address of HOST A in their IP header. We need to rewrite this IP at HOST B so that userspace applications are able to process these packets (which they are not, if the packets are not destined to HOST B’s address).
Note in advance: Despite all efforts this tutorial only works for connectionless udp traffic. A successful 3-way-handshake on HOST A prevents HOST B (despite IP-address rewriting) from accepting the packets in userspace. It just does not work, I appreciate any comments on that. Remember that tee is normally used to clone traffic to another host for passive sniffing and traffic analysis. Note as well, that even if you might want to keep this approach centralized and rewrite the packet’s IP addresses already at HOST A in the POSTROUTING chain, this will not work: Teed packets do not yet show up anywhere within the iptables structures to avoid interfering with the original packet’s table traversal. This is subject to change, though. Thanks to Jan Engelhardt for this information.
So here is how we achieve this goal (tested on Debian Etch stable):
History: There used to be a tee option for an experimental ROUTE target, patchable into iptables with patch-o-matic (pom). This will not work on recent kernels and is deprecated!
This is what we will do on HOST A: Get xtables-addons from http://dev.computergmbh.de:
wget http://dev.computergmbh.de/files/xtables/xtables-combined-1.5.4.1.tar.bz2
This includes a current snapshot of iptables.
Xtables-addons is the proclaimed successor to patch-o-matic(-ng). It contains extensions that were not accepted in the main Xtables package. Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile either kernel or Xtables (iptables).
Untar, configure, make and make install. Should you run into problems of the kind
warning: #warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
change into your kernel source directory and adapt your kernel. To do so, look for the Networking option, find the Netfilter (formerly known as ipchains) framework entry and enable the appropriate options. I also ran into problems saying
warning: #warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_SECMARK are not (please enable)
so be sure to enable these options as well in the IP: Netfilter Configuration section.
Save your config and build a new kernel. However, this is not topic of this tutorial.
Should there be other errors because of a special addon, deactivate it in the xtables-addons directory using the mconfig file. Be sure not to deactivate the TEE target, as this is the one we need. Whether xtables-addons installs successfully may largely depend on the kernel that is being used. If it just won’t work for you with your existing kernel, try another one. I had successful setups on 2.6.23.16 and 2.6.18.6.
After successful installation fire the command
iptables -t mangle -A PREROUTING -p udp --dport 9996 -j TEE --gateway <IP of HOST B>
This command will clone all incoming udp-packets to port 9996 in kernelspace and copy them to HOST B, where we will rewrite the IP addresses. Confirm by typing
iptables -t mangle -L
This will list your rules in the mangle table.
Should there be an error about an unknown table/target/chain, then xtables-addons did not build/install successfully, probably because of some missing kernel options.
On HOST B: You do not need xtables-addons here, but only some standard iptables version, as you only need the default DNAT target (Your kernel needs to support it however. Therefore, make sure to have the IPv4 connection tracking support (required for NAT) option enabled in the IP: Netfilter Configuration section of your netfilter kernel category).
iptables -t nat -A PREROUTING -p udp -d <IP of HOST A> --dport 9996 -j DNAT --to-destination <IP of HOST B>:<Port>
That should be it. Now test your setup. You will need three hosts: HOST A and B and another HOST C where you will generate (UDP-) packets. Get a packet generator (I used IP-Packet) and download it to HOST C. Read its documentation, create a config file and fire up your packets to HOST A port 9996. But first, make sure you have a listening process on both, HOST A and B running and waiting for your packets on that specific port. The easiest way will be to use netcat in udp-mode:
nc -ulp9996 on HOST A, and on HOST B respectively with the port used there. Fire your packets and both netcat instances should receive the UDP payload data. If only HOST A gets them, your tee or DNAT is not working. Debug yourself.
That’s what I need to do now, as well, because teeing seems to work perfectly fine from one host, but not from the other… Same settings, though, this is just not fair :’(
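As an added example (not from bjou's post), here are the HOST A TEE rule and the HOST B DNAT rule from above wrapped in a small POSIX shell script: it validates the addresses and ports, prints the iptables commands instead of running them while DRY_RUN=1 (the default), and checks an `iptables -t mangle -L PREROUTING -n` listing for the expected TEE rule, which is the "confirm by typing" step. The addresses 192.0.2.10 (HOST A) and 192.0.2.20 (HOST B), the DRY_RUN and DEMO variables, and the sample listing with its column layout are assumptions; only the two iptables rules come from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the two rules from the
# tutorial and verifies the HOST A side against a rule listing. With DRY_RUN=1
# the iptables commands are printed, so the script runs without root or the
# xtables-addons module.

: "${DRY_RUN:=1}"

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with four octets 0-255
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port N -> exit 0 if N is an integer 1-65535
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# run CMD... -> print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# host_a_tee_rule PORT HOST_B -> HOST A: clone UDP/PORT to HOST B (mangle PREROUTING)
host_a_tee_rule() {
    valid_port "$1" && valid_ipv4 "$2" || return 1
    run iptables -t mangle -A PREROUTING -p udp --dport "$1" -j TEE --gateway "$2"
}

# host_b_dnat_rule HOST_A PORT HOST_B NEWPORT -> HOST B: rewrite the clone's
# destination from HOST A's address to HOST B's own address (nat PREROUTING)
host_b_dnat_rule() {
    valid_ipv4 "$1" && valid_port "$2" && valid_ipv4 "$3" && valid_port "$4" || return 1
    run iptables -t nat -A PREROUTING -p udp -d "$1" --dport "$2" -j DNAT --to-destination "$3:$4"
}

# has_tee_rule PORT HOST_B  (listing on stdin) -> exit 0 if the output of
# `iptables -t mangle -L PREROUTING -n` contains a TEE rule for udp dpt:PORT
# whose gateway is HOST_B. Dots in the address are escaped for grep -E.
has_tee_rule() {
    gw=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^TEE +udp .*dpt:$1( |\$).*$gw" >/dev/null
}

# Constructed sample listing; the exact column layout printed by the TEE
# extension is an assumption and may differ between xtables-addons versions.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TEE        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:9996 TEE gw:192.0.2.20'

if [ "${DEMO:-0}" = 1 ]; then
    host_a_tee_rule 9996 192.0.2.20                 # on HOST A
    host_b_dnat_rule 192.0.2.10 9996 192.0.2.20 9996 # on HOST B
    if printf '%s\n' "$SAMPLE_MANGLE" | has_tee_rule 9996 192.0.2.20; then
        echo "HOST A: TEE rule for udp/9996 -> 192.0.2.20 present"
    fi
fi
```

Run with DEMO=1 to see both commands; set DRY_RUN=0 on the respective host (as root) to apply them for real, and pipe the live `iptables -t mangle -L PREROUTING -n` output into has_tee_rule to confirm the rule was accepted, which it will not be if the TEE target did not build.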

September 18th, 2008 at 8:28 am
Great post Bjou, thanks a lot. I hadn’t realised there’d been a replacement released for -j ROUTE –tee, so your post and the pointer to the xtables-addons were much appreciated. I got this working on CentOS-5 after a bit of hacking on xtables-addons to workaround the RedHat-isms in their 2.6.18 kernel.
February 19th, 2009 at 12:08 pm
The cloned packets enter a loop and come back again if host B is not accessible on the network. Is there any way to change the cloned packet's destination IP to host B before sending?
Regards
March 25th, 2009 at 2:42 pm
>Despite all efforts [...] only works for connectionless udp traffic. A successful 3-way-handshake on HOST A prevents HOST B (despite IP-address rewriting) from accepting the packets in userspace.
Correct, because the B kernel’s TCP engine does not know anything about A’s connections and would drop them. While you could get packet delivery to userspace working, just what would you do if the B userspace tries to send packets back? That would not be good…
IMO, the best solution here is to use libnetfilter_queue to get the packets delivered to userspace.
May 10th, 2009 at 5:01 am
How do you get this to work with centos5?
May 12th, 2009 at 1:07 pm
How did you get this to work on CentOS first, Gavin?
July 7th, 2010 at 10:42 am
[...] xtables tee works fine for connectionless UDP, but not for TCP; for that you have to write your own program with libpcap plus raw sockets [...]
November 15th, 2010 at 5:06 am
This is interesting, but you could’ve saved yourself a whole lot of time and effort by simply using the UDP Samplicator to do this, FYI:
http://code.google.com/p/samplicator/
November 20th, 2010 at 7:25 am
[...] http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/ April 5, 2010 5:59 am Dan H Thanks much for helping, but this still doesn’t seem to work (in fact I think it’s one of the many permutations I already tried). I use tcpdump to check. [...]
November 22nd, 2010 at 12:37 am
[...] would like to clone incoming UDP packets onto a different host, I found a way to do it Here but I could not build xtables-addons on centos 5.3 [...]
June 18th, 2011 at 5:05 am
if you need a way to copy (mirror) packets onto another interface, destined to another machine, you can do it purely with iproute2’s tc. i do this for monitoring and decoding tcp/9100 traffic to a certain printer. holler at me if you want a howto on it. prefix @blue-labs.org with my name.
-david
[...] your kernel is recent enough you could use iptables –tee to forward frames from eth0 to the capture [...]
August 16th, 2011 at 12:37 am
[...] you have a Linux box with the iptables with the TEE target then you can use that to clone [...]
[...] all, I'm trying to add a rule to copy and forward traffic to a separate machine. I'm following http://www.bjou.de/blog/2008/05/howt…sing-iptables/ to do so. I've installed xtables just fine but I'm getting that error message when I try to write [...]
December 18th, 2011 at 8:38 pm
Hi this looks like a great way to clone traffic. Thanks
January 25th, 2012 at 1:11 am
Thanks for the writeup.. Got me exactly what i needed.. -j TEE