I remember that some time ago I saw a great tool that let you clone an interface over the network. By that, I mean that you run a small client on the box whose interface you want to sniff, and all the traffic is sent over the network to the host where you actually sniff it.
This can be useful, for example, when the box you want to sniff is an embedded device with very little space available.
As I needed this tool today but could not find it again, I decided to code my own and then to share it… Read the whole article to learn more!
So, first of all, you can find the source here. Before compiling, you must define which target the client (the box whose interface you want to dump) will run on: if it is a big-endian architecture, just uncomment the #define REMOTE_LE inside ifclone-server.c. Otherwise, comment it out.
Then simply build the two binaries by typing make inside the directory. If you need to build for another architecture, just use another compiler and build with the -lpcap flag.
Then launch the client first, giving it the interface you want to dump and the network host you want to dump it to. Afterwards, launch the server with the name of the tap device to which all packets will be dumped.
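The REMOTE_LE define suggests that the server has to be told the client's byte order at build time. As an added example (not the ifclone source; the 8-byte header layout, the magic value and the function names are assumptions made here), this framing puts the header in network byte order and checks the length on the receiving side before any payload would be written to the tap device:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAGIC 0x49464331u /* "IFC1": constructed marker, not from ifclone */
#define FRAME_HDR   8u          /* assumed layout: 4-byte magic + 4-byte length */
#define FRAME_MAX   65535u      /* largest payload the receiver will accept */

/* Sender side: prefix one captured packet. Returns bytes written, 0 on error. */
size_t frame_encode(const uint8_t *pkt, uint32_t len, uint8_t *out, size_t cap)
{
    uint32_t magic = htonl(FRAME_MAGIC), nlen = htonl(len);
    if (len == 0 || len > FRAME_MAX || cap < FRAME_HDR + (size_t)len)
        return 0;
    memcpy(out, &magic, 4);             /* header is always big-endian on the wire */
    memcpy(out + 4, &nlen, 4);
    memcpy(out + FRAME_HDR, pkt, len);
    return FRAME_HDR + (size_t)len;
}

/* Receiver side: 1 = complete frame, 0 = need more bytes, -1 = reject stream. */
int frame_decode(const uint8_t *buf, size_t avail, const uint8_t **payload, uint32_t *len)
{
    uint32_t magic, nlen;
    if (avail < FRAME_HDR)
        return 0;
    memcpy(&magic, buf, 4);
    memcpy(&nlen, buf + 4, 4);
    if (ntohl(magic) != FRAME_MAGIC)    /* out of sync or not our peer */
        return -1;
    nlen = ntohl(nlen);
    if (nlen == 0 || nlen > FRAME_MAX)  /* never trust a length from the network */
        return -1;
    if (avail - FRAME_HDR < nlen)
        return 0;
    *payload = buf + FRAME_HDR;
    *len = nlen;
    return 1;
}

int main(void)
{
    const uint8_t pkt[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed sample bytes */
    uint8_t wire[64]; const uint8_t *p; uint32_t n;
    size_t w = frame_encode(pkt, sizeof pkt, wire, sizeof wire);
    printf("wire=%zu decode=%d\n", w, frame_decode(wire, w, &p, &n));
    return 0;
}
```

With a header like this the same server binary works against big-endian and little-endian clients, and a wrong magic value gives the receiver a cheap way to notice that the two ends are out of sync.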
If I have time, I will write a more complete article on what can be done with this, but basically, you can then do whatever you want with the tap device (tcpdump, dsniff, wireshark, …).
- Make the interface cloning bi-directional (meaning you can inject packets remotely).
- Add a synchronization at the start of the programs to be sure they are in sync.
- Test it with much higher bandwidth.
- Run it through valgrind ;]
If you have any other suggestions or questions, or if you simply find this useful, drop a comment 🙂