Bridge sniffing slow bandwidth
metalix2 opened this issue · 3 comments
Hello,
I've been exploring this tool the past couple of days and it's really nice.
I've got it running on a machine that sits in front of my router to modify dhcpack packets with a custom dns server (not configurable in the router). I'm still working on the packet modification part but I was exploring the clients and testing their network.
It seems that the clients can only achieve around 8Mbps bandwidth when the bridge sniffing is enabled. I'm not sure what others have managed to achieve. I've tried editing the etter.conf to dissect only port 67. Played around with the buffer. I understand that it is inspecting every packet that comes through but I'd have thought it would be able to handle more than 8Mbps.
I've compiled it locally without any modifications but happy to try any suggestions.
Appreciate any help, Thanks.
Some terminal info:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1129838 nobody 20 0 550912 277532 18696 S 48.5 1.7 2:58.47 ettercap
$ ettercap --config /usr/local/etc/ettercap/etter.conf -T -q -i enp1s0 -B enp2s0
ettercap 0.8.4-rc copyright 2001-2020 Ettercap Development Team
Listening on:
enp1s0 -> 14:B3:1F:21:XX:YY
192.168.1.60/255.255.255.255
fe80::16b3:1fff:fe21:e75c/64
2a00:23c8:7502:ca01:16b3:1fff:fe21:e75c/64
Listening on:
enp2s0 -> 1C:FD:08:7C:XX:YY
fe80::1efd:8ff:fe7c:a820/64
Privileges dropped to EUID 65534 EGID 65534...
34 plugins
1 protocol dissectors
1 ports monitored
28230 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Starting Bridged sniffing...
Text only Interface activated...
Hit 'h' for inline help
Some iperf stats
Between clients on same switch (one of the clients is a raspberry pi 3 (not gigabit))
PS C:\Users\Metal\Downloads\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.1.245
Connecting to host 192.168.1.245, port 5201
[ 4] local 192.168.1.138 port 49943 connected to 192.168.1.245 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 11.6 MBytes 96.9 Mbits/sec
[ 4] 1.01-2.00 sec 11.2 MBytes 94.9 Mbits/sec
[ 4] 2.00-3.01 sec 11.4 MBytes 94.9 Mbits/sec
[ 4] 3.01-4.00 sec 11.2 MBytes 94.6 Mbits/sec
[ 4] 4.00-5.00 sec 11.4 MBytes 95.2 Mbits/sec
[ 4] 5.00-6.01 sec 11.2 MBytes 94.3 Mbits/sec
[ 4] 6.01-7.00 sec 11.4 MBytes 95.5 Mbits/sec
[ 4] 7.00-8.01 sec 11.2 MBytes 94.2 Mbits/sec
[ 4] 8.01-9.00 sec 11.4 MBytes 95.6 Mbits/sec
[ 4] 9.00-10.01 sec 11.4 MBytes 94.9 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 114 MBytes 95.1 Mbits/sec sender
[ 4] 0.00-10.01 sec 113 MBytes 94.9 Mbits/sec receiver
Across the bridge to a wireless device.
iperf Done.
PS C:\Users\Metal\Downloads\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.1.204
Connecting to host 192.168.1.204, port 5201
[ 4] local 192.168.1.138 port 49964 connected to 192.168.1.204 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 1.12 MBytes 9.41 Mbits/sec
[ 4] 1.00-2.00 sec 1.12 MBytes 9.45 Mbits/sec
[ 4] 2.00-3.01 sec 1.12 MBytes 9.35 Mbits/sec
[ 4] 3.01-4.01 sec 1.12 MBytes 9.47 Mbits/sec
[ 4] 4.01-5.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 4] 5.01-6.01 sec 1.00 MBytes 8.43 Mbits/sec
[ 4] 6.01-7.01 sec 1.12 MBytes 9.39 Mbits/sec
[ 4] 7.01-8.01 sec 1.12 MBytes 9.48 Mbits/sec
[ 4] 8.01-9.00 sec 1.12 MBytes 9.50 Mbits/sec
[ 4] 9.00-10.01 sec 1.00 MBytes 8.30 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 11.0 MBytes 9.22 Mbits/sec sender
[ 4] 0.00-10.01 sec 10.8 MBytes 9.04 Mbits/sec receiver
Across same wifi device without bridge
PS C:\Users\Metal\Downloads\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.1.204
Connecting to host 192.168.1.204, port 5201
[ 4] local 192.168.1.138 port 61208 connected to 192.168.1.204 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 7.50 MBytes 62.5 Mbits/sec
[ 4] 1.01-2.00 sec 2.75 MBytes 23.1 Mbits/sec
[ 4] 2.00-3.01 sec 3.38 MBytes 28.3 Mbits/sec
[ 4] 3.01-4.01 sec 2.88 MBytes 23.9 Mbits/sec
[ 4] 4.01-5.01 sec 2.88 MBytes 24.3 Mbits/sec
[ 4] 5.01-6.01 sec 3.00 MBytes 25.0 Mbits/sec
[ 4] 6.01-7.01 sec 3.00 MBytes 25.3 Mbits/sec
[ 4] 7.01-8.00 sec 4.88 MBytes 41.0 Mbits/sec
[ 4] 8.00-9.00 sec 10.5 MBytes 88.2 Mbits/sec
[ 4] 9.00-10.01 sec 10.6 MBytes 88.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 51.4 MBytes 43.1 Mbits/sec sender
[ 4] 0.00-10.01 sec 51.3 MBytes 43.0 Mbits/sec receiver
iperf Done.
Apologies, turned out that one of my interfaces was stuck on 10BASE-T..
Now with that resolved, I did some more testing without the wifi. And it seems that the bridge throughput is CPU bound as one would expect. It's a lot of packets...
HTOP shows the single cpu being maxed out.
The iperf3 scores
-----------------------------------------------------------
Server listening on 5201 (test #6)
-----------------------------------------------------------
Accepted connection from 192.168.1.138, port 61624
[ 5] local 192.168.1.245 port 5201 connected to 192.168.1.138 port 61625
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 4.75 MBytes 39.8 Mbits/sec
[ 5] 1.00-2.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 2.00-3.00 sec 4.88 MBytes 40.9 Mbits/sec
[ 5] 3.00-4.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 4.00-5.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 5.00-6.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 6.00-7.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 7.00-8.00 sec 4.88 MBytes 40.9 Mbits/sec
[ 5] 8.00-9.00 sec 4.88 MBytes 40.9 Mbits/sec
[ 5] 9.00-10.00 sec 5.00 MBytes 41.9 Mbits/sec
[ 5] 10.00-10.04 sec 256 KBytes 58.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.04 sec 49.6 MBytes 41.5 Mbits/sec receiver
With the default br0 set up I get the expected throughput 100Mbps (Raspberry Pi 3)
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from 192.168.1.138, port 61951
[ 5] local 192.168.1.245 port 5201 connected to 192.168.1.138 port 61952
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 11.2 MBytes 94.3 Mbits/sec
[ 5] 1.00-2.00 sec 11.4 MBytes 95.4 Mbits/sec
[ 5] 2.00-3.00 sec 11.2 MBytes 94.4 Mbits/sec
[ 5] 3.00-4.00 sec 11.4 MBytes 95.4 Mbits/sec
[ 5] 4.00-5.00 sec 11.2 MBytes 94.4 Mbits/sec
[ 5] 5.00-6.00 sec 11.4 MBytes 95.4 Mbits/sec
[ 5] 6.00-7.00 sec 11.2 MBytes 94.4 Mbits/sec
[ 5] 7.00-8.00 sec 11.4 MBytes 95.4 Mbits/sec
[ 5] 8.00-9.00 sec 11.1 MBytes 93.4 Mbits/sec
[ 5] 9.00-10.00 sec 11.2 MBytes 94.3 Mbits/sec
[ 5] 10.00-10.01 sec 128 KBytes 89.8 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.01 sec 113 MBytes 94.7 Mbits/sec receiver
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------
Perhaps useful information to some.
I would close this issue but I am curious if there's a way to optimise the sniffing while in bridge mode?
It's definitely worth sharing the miracle as such basic things are often just taken for granted and overlooked. Thanks for sharing your finding. Closing the case then.
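The cause found in this thread, a bridge member interface negotiated at 10BASE-T, can be ruled out before looking at ettercap itself. The script below is an added example, not part of the original thread or of the ettercap project; it reads the standard Linux sysfs attributes `speed` and `duplex`, and the 100 Mb/s threshold, the function names and the `SYSFS_NET` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check negotiated speed/duplex of bridge member interfaces.
# SYSFS_NET can be overridden to point at a constructed tree (assumption,
# used only so the check can be exercised without real hardware).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# link_status IFACE [MIN_MBPS]
# Prints one status line. Returns 0 = ok, 1 = slow or not full duplex,
# 2 = interface missing or link down (speed unreadable).
link_status() {
    iface=$1
    min=${2:-100}
    dir="$SYSFS_NET/$iface"
    [ -d "$dir" ] || { echo "$iface: interface not found"; return 2; }
    # The kernel reports -1 or fails the read when there is no carrier.
    speed=$(cat "$dir/speed" 2>/dev/null) || speed=-1
    duplex=$(cat "$dir/duplex" 2>/dev/null) || duplex=unknown
    case "$speed" in
        ''|*[!0-9]*) echo "$iface: no link (speed unreadable)"; return 2 ;;
    esac
    if [ "$speed" -lt "$min" ]; then
        echo "$iface: $speed Mb/s $duplex duplex - BELOW $min Mb/s"
        return 1
    fi
    if [ "$duplex" != full ]; then
        echo "$iface: $speed Mb/s $duplex duplex - NOT FULL DUPLEX"
        return 1
    fi
    echo "$iface: $speed Mb/s $duplex duplex - ok"
    return 0
}

# check_bridge_links MIN_MBPS IFACE...
# Returns 1 if any listed interface is slow, half duplex, missing or down.
check_bridge_links() {
    min=$1; shift
    rc=0
    for i in "$@"; do
        link_status "$i" "$min" || rc=1
    done
    return $rc
}

# Example: sh check_links.sh 100 enp1s0 enp2s0
if [ "$#" -gt 0 ]; then
    check_bridge_links "$@"
fi
```

Run it against both interfaces passed to `-i` and `-B` before comparing iperf3 results with and without bridged sniffing.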