This article is about using port mirroring with Linux iptables for purposes such as sniffing, IDS monitoring and so on.
For this article, I'm going to show you how to capture DNS requests made by an application on an Android phone. Sounds difficult, but with sniffing, you can finish this task in less than 5 minutes!
First, you need to get onto the Linux box doing the routing (via Telnet or whatever). (Well, I'm technically on a WRT160NL running DD-WRT, so it is a Linux box.)
We'll need to enter the following command:
iptables -t mangle -A PREROUTING -s 172.16.1.139 -j ROUTE --tee --gw 172.16.1.150
In this case, 172.16.1.139 is the phone's IP address, while 172.16.1.150 is the IP of the system doing the sniffing. The above command mirrors a copy of the traffic coming FROM the phone to the sniffing system.
In iptables, a packet goes through the following tables:
1) Filter
2) NAT
3) Mangle
Filter is for filtering of unwanted packets, NAT is for address translations, and Mangle is for final modification of packets (for things like QoS or mirroring).
Visit here to have a clearer idea of how the packet is routed.
The ROUTE target is an experimental target that performs routing in the mangle table. The --tee parameter specifies that a packet should be MIRRORED (a copy is sent, and the original continues on its way), and the --gw parameter specifies the gateway to send the copy through.
Here is the documentation for the ROUTE target
Next, if we're interested in the return traffic as well, we can also enter the following command:
iptables -t mangle -A POSTROUTING -d 172.16.1.139 -j ROUTE --tee --gw 172.16.1.150
If we are interested in ALL traffic passing through the router, we can omit the -s and -d parameters.
Now we can fire up Wireshark and do some sniffing. First, we'll need to select the right interface for sniffing. Mine is quite obvious:
Now, as we are interested in DNS traffic in this scenario, we'll use the filter:
ip.addr == 172.16.1.139 && udp.port == 53
Go generate the request in your phone. Lo and behold, as if black magic, you now know the DNS names your phone applications are connecting to.
From here you can do what you want. Let's say you want to find out which port the phone is accessing and what type of traffic goes through it. No problem: just scroll down and look for the line where the DNS answer comes back (usually one line after the request).
We'll then use the following filter:
ip.addr == 1.2.3.4 && tcp.flags.syn == 1
Of course, replace 1.2.3.4 with the address returned in the DNS response. You'll get something like this:
In our case, it's port 8300 we're looking for!
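To automate the two steps above (read the queried name from the request, then read the resolved address from the answer so you can filter on it), here is an added example that is not part of the original post: a minimal stdlib-only Python parser for the DNS payloads Wireshark shows on UDP port 53. The packet bytes are constructed for this example, and the names read_name, parse_dns and resolved_hosts are my own.

```python
import socket
import struct
# Constructed sample UDP payloads (not captures from this post): a query for
# example.com and its response carrying one A record (203.0.113.10, TEST-NET-3).
QUERY = (b"\x12\x34\x01\x00"                          # ID, flags: standard query, RD
         b"\x00\x01\x00\x00\x00\x00\x00\x00"          # QDCOUNT=1, other counts 0
         b"\x07example\x03com\x00\x00\x01\x00\x01")   # QNAME, QTYPE=A, QCLASS=IN
RESPONSE = (b"\x12\x34\x81\x80"                       # ID, flags: response, RD, RA
            b"\x00\x01\x00\x01\x00\x00\x00\x00"       # QDCOUNT=1, ANCOUNT=1
            b"\x07example\x03com\x00\x00\x01\x00\x01" # question echoed back
            b"\xc0\x0c\x00\x01\x00\x01"               # NAME=pointer to offset 12, A, IN
            b"\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x0a")  # TTL=3600, RDLENGTH=4, RDATA

def read_name(payload, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                   # 2-byte pointer: jump, remember end
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
        elif length == 0:                           # root label terminates the name
            return ".".join(labels), (offset + 1 if end is None else end)
        else:
            labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def parse_dns(payload):
    """Return (is_response, [question names], [(name, ipv4)] for A answers)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(payload, offset)
        questions.append(name)
        offset += 4                                 # skip QTYPE and QCLASS
    for _ in range(an):
        name, offset = read_name(payload, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:               # A record: 4-byte IPv4 address
            answers.append((name, socket.inet_ntoa(payload[offset:offset + 4])))
        offset += rdlen                             # skip RDATA of any record type
    return bool(flags & 0x8000), questions, answers

def resolved_hosts(payloads):
    """Map each answered name to its IPs: the values for an ip.addr == ... filter."""
    hosts = {}
    for is_response, _, answers in map(parse_dns, payloads):
        for name, ip in answers if is_response else []:
            hosts.setdefault(name, set()).add(ip)
    return hosts
```

Feed it the UDP payloads exported from the capture (one bytes object per packet) and the returned mapping gives you the addresses to plug into the tcp.flags.syn filter above.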
Of course, this is not where we stop. Remember, every extra rule costs the router extra CPU cycles on every packet. When you're done, remember to remove everything using:
iptables -t mangle -D PREROUTING -s 172.16.1.139 -j ROUTE --tee --gw 172.16.1.150
iptables -t mangle -D POSTROUTING -d 172.16.1.139 -j ROUTE --tee --gw 172.16.1.150