Suppose you have a PC and you would like to know what traffic it generates. Or suppose you have a router and you would like to know what traffic passes through it. “bridge” creates a transparent connection between Ethernet cards that passes all traffic, and on which you can start sniffing what passes by. You could use an old-fashioned hub that replicates all traffic to all of its ports, but nowadays those are almost nonexistent: almost any cheap hub is in fact a switch that only forwards traffic to the port where it is needed. In that case, put a computer with TRK in between your connection.

What you need is a computer with at least 2 network cards and the latest TRK to boot from.

-Once the network cards are connected on both sides (one on the PC, one on the network), run ‘bridge up’. This will set up a bridge and traffic will transparently pass from one side to the other. One important note here: make sure only 1 network card has its own IP address and leave the other one without (if they both have one, do an ‘ifconfig eth1 down’, for instance). I will explain this later.

-Now, start sniffing with tcpdump. Run it like this: ‘tcpdump -i eth0’. This way, you see ALL traffic headers that pass by. If you need to filter something specific, use “grep” to get it out. For instance, if you need to see all http traffic going to 10.0.1.20, run this: ‘tcpdump -i eth0 | grep 10.0.1.20 | grep http’
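The grep pipeline above matches text anywhere on the line, so it also catches 10.0.1.200, replies coming from 10.0.1.20 and https, and it misses port 80 when tcpdump prints ports numerically. The following is an added example, not part of the original TRK documentation: a shell filter that compares only the destination field. The function names and the sample lines are constructed for illustration.

```shell
# Constructed tcpdump-style lines (not a real capture).
sample_lines() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.1.5.51000 > 10.0.1.20.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.1.5.51001 > 10.0.1.20.http: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 10.0.1.5.51002 > 10.0.1.200.http: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 10.0.1.5.51003 > 10.0.1.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 10.0.1.20.http > 10.0.1.5.51000: Flags [S.], seq 1, ack 2, win 65160, length 0
12:00:01.000006 IP 10.0.1.5.51004 > 10.0.1.20.https: Flags [S], seq 1, win 64240, length 0
12:00:01.000007 ARP, Request who-has 10.0.1.20 tell 10.0.1.1, length 28
EOF
}

# The pipeline from the text, for comparison.
page_grep() {
    grep 10.0.1.20 | grep http
}

# Keep only lines whose destination (the field after ">") is exactly
# <host>.80 or <host>.http. $1 = destination IPv4 address, lines on stdin.
filter_http_to() {
    awk -v host="$1" '
        {
            for (i = 1; i < NF; i++) {
                if ($i == ">") {
                    dst = $(i + 1)
                    sub(/:$/, "", dst)   # drop the trailing colon
                    if (dst == (host ".80") || dst == (host ".http")) print
                    break
                }
            }
        }'
}

# Live use: -l makes tcpdump line-buffered so output reaches the pipe at once.
#   tcpdump -l -i eth0 | filter_http_to 10.0.1.20
# tcpdump can also filter by itself with a capture filter expression:
#   tcpdump -n -i eth0 'dst host 10.0.1.20 and tcp dst port 80'
sample_lines | filter_http_to 10.0.1.20
```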

About the single IP address: I have noticed that if you connect two network cards to the same network and let them both get an IP address through DHCP (which will subsequently be addresses in the same network range) and afterwards connect one to a PC to start sniffing, tcpdump will go berserk and no output will be shown, but your TRK will give the impression of hanging and will not respond to a ctrl+c signal very quickly. After about 10 seconds, it will stop. But you will have noticed that sniffing doesn’t work. Well, if one card doesn’t have an address, this problem doesn’t occur. So leave at least one NIC down. You can even leave both down; you don’t need an IP address to sniff the network, “bridge” will bring up both cards in promiscuous mode and make a bridge interface “br0”.

To bring the bridge down, just type ‘bridge down’.

Also read the online manpage on this:

http://trinityhome.org/manpages/man8/bridge.8.html