Development of l7-filter has moved to the Clear Foundation. These pages are out of date, but will remain as a historical record.


Last updated 7 Jan 2006

Using l7-filter to analyze traffic without inserting a computer directly in the analyzed flow

You may want to use l7-filter to analyze your network traffic without actually inserting a box with l7-filter into your network (because, for instance, you're not sure it can handle the load, or you think it may be unstable or might introduce too much latency). This can be done if a machine on the network echoes a copy of all the network traffic to a machine with l7-filter on it:

               \        +---------------+        /
outside network > ------| router/bridge |-------< inside network
               /        +---------------+        \
                        | l7-filter box |

Distilling some posts to our mailing list, here's how you can do it:

The main issue here was that I didn't (couldn't/shouldn't) use the Linux box as a router and pass the traffic in-line. What I did was to send a copy of the traffic to one of the Linux box's NICs. I did this by "spanning" a copy of the traffic, using our Cisco 65xx monitor session capabilities. (Presumably, other methods are possible.) I enabled promiscuous mode on the l7-filter box's NIC so that it would not discard packets not destined for it.

In this case, the box has 3 NICs: eth0: unused for the time being, eth1: admin interface, connected to my LAN's switch, eth2: received a copy of the traffic to be analysed, connected to some other LAN's switch.

My idea was to set up a dummy bridge on the Linux box and bridge eth1 and eth2 while eth0 would become my admin interface (after connecting it to my LAN's switch). I used bridge-utils which is very straightforward once you know what you want to do. Get bridge-utils from or your distribution's package manager if you don't have them already. I found the following documents useful:,, /usr/share/doc/bridge-utils-1.0.4/HOWTO and of course "man brctl".

I used eth0 as my admin interface because I didn't want to assign an IP address to my bridge interface. If you don't have 3 NICs, you can assign an IP address to the bridge interface and use it for administering the box.

The procedure was pretty straightforward:

  1. create bridge interface
  2. add interfaces to bridge interface
  3. enable bridge interface (both HOWTOs mentioned are very easy to follow)

After that, I was flooded with 'kernel: layer7:' messages and I could see valid results with something like: iptables -t mangle -vL
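
The three steps above written out as a script, as an added example that is not part of the original post or of the l7-filter project. The port names eth1 and eth2 follow the post; the bridge name br0, the use of `ip link`, the mangle POSTROUTING chain, the protocol names and the DRY_RUN switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. eth1/eth2 follow the post;
# br0, the POSTROUTING chain and the protocol names are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only plain interface names, so a stray argument cannot be read
# as an option by brctl or ip.
valid_if() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]    # Linux limits interface names to 15 characters
}

setup_monitor_bridge() {
    [ "$#" -ge 3 ] || { echo "need a bridge name and two ports" >&2; return 1; }
    br="$1"; shift
    for i in "$br" "$@"; do
        valid_if "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    run brctl addbr "$br" || return 1          # 1. create bridge interface
    for i in "$@"; do
        run brctl addif "$br" "$i" &&          # 2. add interfaces to bridge
        run ip link set dev "$i" promisc on && # keep frames not addressed to us
        run ip link set dev "$i" up || return 1
    done
    run ip link set dev "$br" up               # 3. enable bridge, no IP on it
}

# One rule per protocol with no -j target: it only counts matches.
add_l7_counters() {
    for proto in "$@"; do
        run iptables -t mangle -A POSTROUTING -m layer7 --l7proto "$proto" || return 1
    done
}

setup_monitor_bridge br0 eth1 eth2 &&
    add_l7_counters http ssh bittorrent &&
    run iptables -t mangle -vL POSTROUTING     # per-protocol packet counters
```

Run it once as is to review the printed plan, then with DRY_RUN=0 as root on a kernel that has the l7-filter patch.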