Copying packets from an interface to another

I have a Linux system (let it be A) with 2 Ethernet cards, namely eth0 and eth1, which are attached to two totally unrelated LANs.

Basically eth0 is used for normal application traffic and eth1 is used only for debugging purposes. Debugging means that eth1 is linked using a cross cable to another Linux box (let it be B) which runs Wireshark. I want Wireshark to be able to process application packets travelling on A's eth0.

Basically I need to copy travelling packets from eth0 interface to interface eth1 so that Wireshark on box B can sniff them (for some reasons I don't have physical access to LAN eth0). I could also need to specify which packets to copy from eth0 to eth1 according to some rule (based only on TCP/IP fields by the way).

Also note that A's eth0 doesn't need to be put in promiscuous mode because I only want to copy a subset of packets which have A as destination.

Is there a way to achieve this using iptables alone? Or do I need to write an application to make this work? What should I do to "copy" the packets?


Solution 1:

If your kernel is recent enough you could use iptables --tee to forward frames from eth0 to the capture machine.

Solution 2:

You can use the tc mirred action. For example, for incoming traffic:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: \
   protocol all prio 2 u32 \
   match u32 0 0 flowid 1:1 \
   action mirred egress mirror dev eth1

For outgoing traffic:

tc qdisc replace dev eth0 parent root handle 10: prio
tc filter add dev eth0 parent 10: \
   protocol all prio 2 u32 \
   match u32 0 0 flowid 10:1 \
   action mirred egress mirror dev eth1
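
The question also asks for copying only a subset of packets chosen by TCP/IP fields. The following is an added example, not part of the original answers: it narrows the catch-all `match u32 0 0` above to one TCP port in each direction and prints the resulting commands for review. The function names `mirror_rules` and `unmirror_rules` and the port are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print tc commands that mirror one TCP port from SRC to DST.
# Handles (ffff:, 10:) and flowids follow the answer above.

# mirror_rules SRC DST PORT  -> prints four tc commands, or fails on bad input
mirror_rules() {
    src=$1 dst=$2 port=$3
    # The output is meant to be piped to a root shell, so reject anything
    # that is not a plain interface name or a valid port number.
    for name in "$src" "$dst"; do
        case $name in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
        esac
    done
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range" >&2; return 1; }
    [ "$src" != "$dst" ] || { echo "SRC and DST must differ" >&2; return 1; }

    # u32 "ip sport/dport" assumes a 20-byte IPv4 header (no IP options),
    # so the protocol is pinned to TCP (6) before the port is compared.
    sel="protocol ip prio 2 u32 match ip protocol 6 0xff"
    act="action mirred egress mirror dev $dst"

    # Incoming: packets addressed to the service port on SRC
    echo "tc qdisc add dev $src ingress"
    echo "tc filter add dev $src parent ffff: $sel match ip dport $port 0xffff flowid 1:1 $act"
    # Outgoing: replies sent from the service port
    echo "tc qdisc replace dev $src root handle 10: prio"
    echo "tc filter add dev $src parent 10: $sel match ip sport $port 0xffff flowid 10:1 $act"
}

# unmirror_rules SRC -> prints the teardown; deleting the root qdisc
# puts the interface back on its default qdisc.
unmirror_rules() {
    echo "tc qdisc del dev $1 ingress"
    echo "tc qdisc del dev $1 root"
}

# Stand-alone use: ./mirror.sh eth0 eth1 443
if [ "$#" -eq 3 ]; then
    mirror_rules "$@"
fi
```

Review the printed commands, then pipe them to `sh` as root on A; `unmirror_rules eth0` prints the matching teardown for when the capture is finished.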

Solution 3:

Search the net for tcpbridge, which does exactly this job. It can be used to talk to virtual machines as well.