cloning traffic with iptables

[dninja at gmail.com (Robin Wood)]

2009/1/6 Mike Patterson <mike.patterson at unb.ca>:
> Robin Wood wrote on 1/6/09 4:23 AM:
> > 2009/1/6 Don Berry <don_berry at comcast.net>:
> > > Do it upstream on the network interfaces. Use the switch that the interface
> > > is connected to and do port mirroring or cloning.
> >
> > I'm designing a device which can be dropped onto any point of a
> > network to sniff traffic so need the device itself to do it.
>
> Am I being simple, or is what you want just a bridge?  I did this with a
> FreeBSD box, just bridged em0 to em1 and sniffed on the bridge device.
> No reason you shouldn't be able to do something similar with iptables,
> no?  (Of course, I hate iptables, which is why it was a BSD box and not
> a Linux box, but I digress.)
I have the bridge in place between eth0 and eth1 but what I want to do
is to send a copy of all the traffic that goes over the bridge via
wireless to a second machine which can then analyse it.

I've managed to get something working using daemonlogger but I think
the encapsulation is messed up as sniffing the traffic I either get a
load of deauth messages coming from it or a load of LLC and XID
messages.

Robin