traffic analysis
tools
- bettercap to divert traffic
- wireshark for capturing traffic
example
Bettercap (ARP spoofing):
- net.probe on
- net.show (to show network information)
- arp.spoof.targets (parameter holding the list of hosts to spoof)
- set arp.spoof.targets 192.168.20.11
- arp.spoof on
- set net.sniff.verbose true
- set net.sniff.output /home/test/bettercap.traffic.pcap
- net.sniff on
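From the defender's side, the attack above leaves a clear footprint in the ARP traffic Wireshark captures: an IP that was bound to one MAC is suddenly announced from another, and a single MAC ends up claiming both the gateway and the target (here 192.168.20.11, the address from the notes). The following is an added example, not part of the original notes or of bettercap; it runs a passive ARP-cache monitor over a constructed list of ARP reply records (the MAC addresses and timestamps are made up for the demo) and raises an alert on both patterns.

```python
"""Passive ARP-spoof detection over constructed ARP reply records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture timestamp in seconds
    sender_ip: str    # the "is-at" claim: this IP ...
    sender_mac: str   # ... is reachable at this MAC


def detect_arp_spoof(replies, known=None):
    """Return a chronologically ordered list of (ts, kind, detail) alerts.

    kind is one of:
      'binding-change' - an IP previously learned (or statically known) at one
                         MAC is now announced by a different MAC
      'mac-multi-ip'   - one MAC claims two or more IPs, the pattern left by a
                         full-duplex ARP MITM impersonating gateway and target
    known: optional dict of trusted ip -> mac bindings (e.g. the gateway).
    """
    bindings = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ips_per_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)

    alerts = []
    flagged_macs = set()  # report each multi-IP MAC only once
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        prev = bindings.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append((r.ts, "binding-change", f"{r.sender_ip}: {prev} -> {mac}"))
        bindings[r.sender_ip] = mac
        ips_per_mac[mac].add(r.sender_ip)
        if len(ips_per_mac[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((r.ts, "mac-multi-ip", f"{mac} claims {sorted(ips_per_mac[mac])}"))
    return alerts


# Constructed sample: gateway and target answer normally, then a third MAC
# (constructed, de:ad:be:ef:00:01) announces both addresses as its own.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.20.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.20.11", "aa:aa:aa:aa:aa:0b"),
    ArpReply(1.0, "192.168.20.1", "de:ad:be:ef:00:01"),
    ArpReply(1.1, "192.168.20.11", "DE:AD:BE:EF:00:01"),
    ArpReply(2.0, "192.168.20.1", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_spoof(SAMPLE_REPLIES):
        print(f"{ts:6.1f}  {kind:15s} {detail}")
```

A binding change on its own is not proof of spoofing (DHCP reassignments and NIC replacements produce the same event), which is why the monitor is seeded with `known` bindings for hosts that should never move, such as the gateway, and why the one-MAC-many-IPs alert is the stronger signal. In a real deployment the records would come from the pcap written by net.sniff or from a live capture rather than from the constructed list.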
create a transparent bridge
monitor traffic on eth1 or br0
kali with brctl (bridge-utils)
Add entry to /etc/network/interfaces:
auto br0
iface eth0 inet manual
iface eth1 inet manual
iface br0 inet manual
bridge_ports eth0 eth1
bridge_fd 0
bridge_waitfd 0
Also set some options in /etc/sysctl.conf (the bridge-nf-call entries set to 0 stop bridged frames from being passed through iptables/arptables, so the bridge forwards them unfiltered):
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-iptables=0
This might be related to https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html