From the manual: The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
If you don't have a switch with mirror/SPAN ports, you can use iptables to clone the packets to another machine on the same subnet. That monitor box needs to be on the same layer 2 network, and it needs to be reachable by IP address.
                        PC Engines APU2
    +-------------------------------------------------------+
    |    --------   ------   ------   ------    [---]       |
    | O  \Serial/   |NIC1|   |NIC2|   |NIC3|    [---]  O O  |
    |     ------    ---|--   ---|--   ---|--                |
    +------------------|--------|--------|------------------+
        10.1.1.5/24    |        |        |
                       |        |        |
                      /       +-|--------|-+
                     /        |   Bridge   |
                    /         |            |
     10.1.1.6/24   /          |            \
    +-------------+           |             \
    | Monitor box |          WAN            LAN
    +-------------+
sudo apt install bridge-utils tcpdump
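    # /etc/network/interfaces (ifupdown)

    # NIC1: carries the host's IP address
    allow-hotplug enp1s0
    iface enp1s0 inet static
        address 10.1.1.5
        netmask 255.255.255.0
        gateway 10.1.1.1

    # NIC2 and NIC3: bridge members, no IP address of their own
    allow-hotplug enp2s0
    iface enp2s0 inet manual

    allow-hotplug enp3s0
    iface enp3s0 inet manual

    # Bridge between WAN and LAN
    auto br0
    iface br0 inet manual
        bridge_ports enp2s0 enp3s0
        bridge_stp on
        bridge_maxwait 0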
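tee:

    # br_netfilter makes bridged frames traverse iptables
    modprobe br_netfilter
    # Flush the mangle table (removes every existing mangle rule)
    iptables -t mangle -F
    # Clone each packet arriving on br0 to the monitor box
    iptables -t mangle -A PREROUTING -i br0 -j TEE --gateway 10.1.1.6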
    iptables -nvL -t mangle
    Chain PREROUTING (policy ACCEPT 52M packets, 81G bytes)
     pkts bytes target     prot opt in     out     source               destination
      52M   81G TEE        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TEE gw:10.1.1.6
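
An added example (not from the original post): a POSIX shell wrapper that checks the TEE gateway is an on-link address of the cloning host before installing the rule, and uses `iptables -C` so the rule is appended once without flushing the rest of the mangle table. The subnet test covers addressing only, not layer 2 adjacency; the function names and the script name `tee-clone.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example. 10.1.1.5/24, br0 and 10.1.1.6 are the page's values;
# the function names and the script name are this example's own.
# Usage (as root): sh tee-clone.sh apply 10.1.1.5/24 br0 10.1.1.6

# ip_to_int A.B.C.D -> prints the address as an integer; fails on bad input
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# on_link LOCAL_CIDR GATEWAY -> 0 if GATEWAY is another host inside
# LOCAL_CIDR, 1 if it is not, 2 if either argument is malformed
on_link() (
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0?*|???*) exit 2 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || exit 2
    a=$(ip_to_int "$addr") || exit 2
    g=$(ip_to_int "$2") || exit 2
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ "$a" -ne "$g" ] && [ $(( a & mask )) -eq $(( g & mask )) ]
)

# tee_rule IFACE GATEWAY -> rule spec shared by the -C check and the -A append
tee_rule() { printf '%s' "PREROUTING -i $1 -j TEE --gateway $2"; }

# apply_tee LOCAL_CIDR IFACE GATEWAY: add the clone rule once, no table flush
apply_tee() {
    on_link "$1" "$3" || {
        echo "refusing: $3 is not an on-link neighbour of $1" >&2
        return 1
    }
    modprobe br_netfilter || return 1
    # -C succeeds only if an identical rule is already present
    iptables -t mangle -C $(tee_rule "$2" "$3") 2>/dev/null ||
        iptables -t mangle -A $(tee_rule "$2" "$3")
}

if [ "${1:-}" = apply ]; then
    apply_tee "$2" "$3" "$4"
fi
```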