Port Mirroring in Linux - Networking



Thread: Port Mirroring in Linux

  1. Port Mirroring in Linux

    Hi

    I have to implement a port mirroring feature in Linux, i.e. all inbound
    and outbound packets of a particular interface are mirrored to another
    interface. I need to implement it in both the bridging and routing
    paths. Is there any utility in Linux which helps to do this?

    Please help!


    Thanks,
    Jeniffer.


  2. Re: Port Mirroring in Linux

    On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
    say:

    > Hi
    >
    > I have to implement a port mirroring feature in Linux, i.e. all inbound
    > and outbound packets of a particular interface are mirrored to another
    > interface. I need to implement it in both the bridging and routing
    > paths. Is there any utility in Linux which helps to do this?
    >
    > Please help!
    >
    >
    > Thanks,
    > Jeniffer.


    Are you trying to set up a bridge?
    http://www.tldp.org/HOWTO/Bridge/index.html

    PS Good luck on your homework....

  3. Re: Port Mirroring in Linux

    On Oct 30, 2:50 pm, david wrote:
    > On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
    > say:
    >
    > > Hi

    >
    > > I have to implement a port mirroring feature in Linux, i.e. all inbound
    > > and outbound packets of a particular interface are mirrored to another
    > > interface. I need to implement it in both the bridging and routing
    > > paths. Is there any utility in Linux which helps to do this?

    >
    > > Please help!

    >
    > > Thanks,
    > > Jeniffer.

    >
    > Are you trying to set up a bridge? http://www.tldp.org/HOWTO/Bridge/index.html
    >
    > PS Good luck on your homework....


    Thanks for the reply, but no, I don't have to set up a bridge. A bridge
    looks at its table's entry and says that packets with the MAC 'Mi'
    must be forwarded to interface X. A bridge does flooding, learning and
    forwarding.
    I need a behavior where I say that all packets coming and going on an
    interface X must be given to another interface Y.





  4. Re: Port Mirroring in Linux

    jeniffer wrote:

    > Thanks for the reply, but no, I don't have to set up a bridge. A bridge
    > looks at its table's entry and says that packets with the MAC 'Mi'
    > must be forwarded to interface X. A bridge does flooding, learning and
    > forwarding.
    > I need a behavior where I say that all packets coming and going on an
    > interface X must be given to another interface Y.


    You mean having something like an interface "eth1" which has all the
    traffic "eth0" has. So if you wanted to sniff activity on "eth0", you can
    simply sniff on "eth1", right...

    - --
    Ashish Shukla
    http://wahjava.wordpress.com/

  5. Re: Port Mirroring in Linux

    On Oct 30, 5:07 am, jeniffer wrote:

    > Thanks for the reply, but no, I don't have to set up a bridge. A bridge
    > looks at its table's entry and says that packets with the MAC 'Mi'
    > must be forwarded to interface X. A bridge does flooding, learning and
    > forwarding.


    Right.

    > I need a behavior where I say that all packets coming and going on an
    > interface X must be given to another interface Y.


    That's what a bridge does. As you said above, it looks at its table's
    entry and decides which interfaces to forward a packet to.

    You are saying:

    1) A bridge takes a packet and forwards it onto the appropriate
    interfaces.

    2) I want to take packets and forward them to appropriate interfaces.

    3) I don't want a bridge.

    You do realize that bridges frequently send the same packet to more
    than one destination. Consider the obvious case where the bridge has
    never seen a packet with that destination MAC before. Consider an ARP
    request.

    What you want is what bridges do.

    DS


  6. Re: Port Mirroring in Linux

    Hello,

    David Schwartz a écrit :
    > On Oct 30, 5:07 am, jeniffer wrote:
    >
    >>I need a behavior where I say that all packets coming and going on an
    >>interface X must be given to another interface Y.

    >
    > That's what a bridge does. As you said above, it looks at its table's
    > entry and decides which interfaces to forward a packet to.
    >
    > You are saying:
    >
    > 1) A bridge takes a packet and forwards it onto the appropriate
    > interfaces.
    >
    > 2) I want to take packets and forward them to appropriate interfaces.


    But I'm afraid that the OP and a bridge have a slightly different idea
    of what "appropriate interfaces" is. To a bridge, it is interfaces that
    have seen incoming traffic from the destination MAC address, or all
    interfaces if the destination is unknown or broadcast (I skip the
    multicast case). To the OP, it is the same *plus* the mirroring interface.

    > 3) I don't want a bridge.
    >
    > You do realize that bridges frequently send the same packet to more
    > than one destination. Consider the obvious case where the bridge has
    > never seen a packet with that destination MAC before. Consider an ARP
    > request.
    >
    > What you want is what bridges do.


    I do not think that the vanilla Linux bridge code can do what the OP
    wants. I guess it could if learning could be disabled, so the bridge
    floods all traffic on all interfaces.

  7. Re: Port Mirroring in Linux

    On Oct 31, 2:41 am, Pascal Hambourg
    wrote:

    > But I'm afraid that the OP and a bridge have a slightly different idea
    > of what "appropriate interfaces" is. To a bridge, it is interfaces that
    > have seen incoming traffic from the destination MAC address, or all
    > interfaces if the destination is unknown or broadcast (I skip the
    > multicast case). To the OP, it is the same *plus* the mirroring interface.


    A bridge does whatever it's configured to do.

    > > What you want is what bridges do.


    > I do not think that the vanilla Linux bridge code can do what the OP
    > wants. I guess it could if learning could be disabled, so the bridge
    > floods all traffic on all interfaces.


    Simply disabling learning will do exactly what the OP wants.

    DS


  8. Re: Port Mirroring in Linux

    David Schwartz a écrit :
    >
    > A bridge does whatever it's configured to do.


    Within the limits of its configuration options and what it is able to do.

    > Simply disabling learning will do exactly what the OP wants.


    Not exactly. As far as I can see from a quick test, setting the bridge
    ageing time to zero (brctl setageingtime 0) seems to disable
    learning, but the bridge still knows its own MAC addresses, so traffic
    received on a port destined to one of these MAC addresses won't be
    forwarded to other ports.

  9. Re: Port Mirroring in Linux

    jeniffer wrote:
    > I have to implement a port mirroring feature in Linux, i.e. all inbound
    > and outbound packets of a particular interface are mirrored to another
    > interface. I need to implement it in both the bridging and routing
    > paths. Is there any utility in Linux which helps to do this?


    A bit of coding around libpcap to sniff traffic on one or more
    interfaces and then just dump them out the desired interface sounds
    like it would do the trick. If the mirror interface is also being
    sniffed it might require a bit more logic to avoid loops.

    rick jones
    --
    web2.0 n, the dot.com reunion tour...
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
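
    The sniff-and-reinject approach Rick describes, as an added example that is not code from the thread: a small Linux AF_PACKET mirror in Python (raw packet sockets instead of libpcap) that copies every frame seen on the monitored interfaces to the mirror interface unchanged, so the original destination MAC is preserved, and drops outgoing frames captured on the mirror port itself to avoid the loop Rick warns about. Interface names and the sample frame are constructed; running the capture loop needs CAP_NET_RAW, and whatever sniffs the mirror port should be in promiscuous mode, as discussed later in the thread.

```python
import select
import socket
import struct

ETH_P_ALL = 0x0003        # capture every ethertype, not only IPv4
PACKET_OUTGOING = 4       # sockaddr_ll pkttype for frames this host transmits
PKTTYPE_NAMES = {0: "host", 1: "broadcast", 2: "multicast", 3: "otherhost", 4: "outgoing"}


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) of a raw frame; the frame is not modified."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return mac(dst), mac(src), etype


def should_mirror(recv_iface, pkttype, mirror_iface):
    """Loop guard: when the mirror port is itself monitored, frames leaving it are
    our own re-injected copies and must not be copied a second time."""
    return not (recv_iface == mirror_iface and pkttype == PACKET_OUTGOING)


def describe(recv_iface, pkttype, frame):
    """One log line per mirrored frame, keeping the original addresses."""
    dst, src, etype = parse_ethernet(frame)
    kind = PKTTYPE_NAMES.get(pkttype, str(pkttype))
    return f"{recv_iface} {kind} {src} -> {dst} type=0x{etype:04x} len={len(frame)}"


def open_capture(iface):
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))    # AF_PACKET delivers both inbound and outbound frames
    return s


def mirror(monitored, mirror_iface):
    """Copy every frame seen on the monitored interfaces to mirror_iface, verbatim."""
    rx = {open_capture(i): i for i in monitored}
    tx = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    tx.bind((mirror_iface, 0))
    while True:
        ready, _, _ = select.select(list(rx), [], [])
        for s in ready:
            frame, (iface, _proto, pkttype, _hatype, _addr) = s.recvfrom(65535)
            if not should_mirror(iface, pkttype, mirror_iface):
                continue
            print(describe(iface, pkttype, frame))
            tx.send(frame)    # unchanged frame: original destination MAC survives


# Constructed sample: a broadcast ARP request (42 bytes), used to exercise the parser offline.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

if __name__ == "__main__":
    import sys
    mirror(sys.argv[1:-1], sys.argv[-1])    # e.g. mirror.py eth0 eth1 (eth1 is the mirror port)
```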

  10. Re: Port Mirroring in Linux

    Rick Jones wrote:

    > jeniffer wrote:
    >> I have to implement a port mirroring feature in Linux, i.e. all inbound
    >> and outbound packets of a particular interface are mirrored to another
    >> interface. I need to implement it in both the bridging and routing
    >> paths. Is there any utility in Linux which helps to do this?

    >
    > A bit of coding around libpcap to sniff traffic on one or more
    > interfaces and then just dump them out the desired interface sounds
    > like it would do the trick. If the mirror interface is also being
    > sniffed it might require a bit more logic to avoid loops.


    Something like tcpbridge?

  11. Re: Port Mirroring in Linux

    Pascal Hambourg wrote:

    > David Schwartz a écrit :
    >>
    >> A bridge does whatever it's configured to do.

    >
    > Within the limits of its configuration options and what it is able to do.
    >
    >> Simply disabling learning will do exactly what the OP wants.

    >
    > Not exactly. As far as I can see from a quick test, setting the bridge
    > ageing time to zero (brctl setageingtime 0) seems to disable
    > learning, but the bridge still knows its own MAC addresses, so traffic
    > received on a port destined to one of these MAC addresses won't be
    > forwarded to other ports.


    True, but you could do something like this:

    ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
    00:01:12:12:12:12 --dnat-target ACCEPT

  12. Re: Port Mirroring in Linux

    Markus Rehbach a écrit :
    > Pascal Hambourg wrote:
    >
    >>As far as I can see from a quick test, setting the bridge
    >>ageing time to zero (brctl setageingtime 0) seems to disable
    >>learning, but the bridge still knows its own MAC addresses, so traffic
    >>received on a port destined to one of these MAC addresses won't be
    >>forwarded to other ports.

    >
    > True, but you could do something like this:
    >
    > ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
    > 00:01:12:12:12:12 --dnat-target ACCEPT


    How is this supposed to help?

  13. Re: Port Mirroring in Linux

    Markus Rehbach wrote:
    > Rick Jones wrote:
    > > A bit of coding around libpcap to sniff traffic on one or more
    > > interfaces and then just dump them out the desired interface sounds
    > > like it would do the trick. If the mirror interface is also being
    > > sniffed it might require a bit more logic to avoid loops.


    > Something like tcpbridge?


    Perhaps, I've never seen tcpbridge.

    Actually, I'm surprised that the Linux bridging code doesn't have
    support for designating a mirror interface. I'd have thought it was
    there already. Although I suspect the argument might be that if you
    want to see traffic just sniff the interfaces making-up the bridge.

    rick jones
    --
    a wide gulf separates "what if" from "if only"
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  14. Re: Port Mirroring in Linux

    Pascal Hambourg wrote:

    > Markus Rehbach a écrit :
    >> Pascal Hambourg wrote:
    >>
    >>>As far as I can see from a quick test, setting the bridge
    >>>ageing time to zero (brctl setageingtime 0) seems to disable
    >>>learning, but the bridge still knows its own MAC addresses, so traffic
    >>>received on a port destined to one of these MAC addresses won't be
    >>>forwarded to other ports.

    >>
    >> True, but you could do something like this:
    >>
    >> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
    >> 00:01:12:12:12:12 --dnat-target ACCEPT

    >
    > How is this supposed to help?


    That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
    will be the MAC of the other NIC), similar to DNAT in iptables. But won't this
    kill the communication? I mean, instead of letting packets go to their preset
    destination, this command will alter the destination. So this won't help.

    HTH
    --
    Ashish Shukla
    http://wahjava.wordpress.com/

  15. Re: Port Mirroring in Linux

    On Oct 31, 10:05 am, Pascal Hambourg
    wrote:

    > Not exactly. As far as I can see from a quick test, setting the bridge
    > ageing time to zero (brctl setageingtime 0) seems to disable
    > learning, but the bridge still knows its own MAC addresses, so traffic
    > received on a port destined to one of these MAC addresses won't be
    > forwarded to other ports.


    There is no reason a bridge should even have a MAC address. You can't
    send packets to a bridge, only to a device connected to it.

    DS


  16. Re: Port Mirroring in Linux

    David Schwartz a écrit :
    >
    > There is no reason a bridge should even have a MAC address. You can't
    > send packets to a bridge, only to a device connected to it.


    Wireless access points and ethernet switches are bridges and have a MAC
    address. Please keep in mind that we're in a Linux networking group, so
    we're not talking about the pure bridge theory but about the Linux
    implementation of a bridge. A Linux bridge, which is considered as an
    ethernet interface which can send and receive packets, has at least one
    MAC address inherited from the first bridged interface.

  17. Re: Port Mirroring in Linux

    Ashish a écrit :
    > Pascal Hambourg wrote:
    >
    >>>>As far as I can see from a quick test, setting the bridge
    >>>>ageing time to zero (brctl setageingtime 0) seems to disable
    >>>>learning, but the bridge still knows its own MAC addresses, so traffic
    >>>>received on a port destined to one of these MAC addresses won't be
    >>>>forwarded to other ports.
    >>>
    >>>True, but you could do something like this:
    >>>
    >>>ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
    >>>00:01:12:12:12:12 --dnat-target ACCEPT

    >>
    >>How is this supposed to help?

    >
    > That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
    > will be the MAC of the other NIC), similar to DNAT in iptables.


    But why redirect only IPv4 traffic? And what is that other NIC you're
    talking about?

    > But won't this
    > kill the communication? I mean, instead of letting packets go to their preset
    > destination, this command will alter the destination. So this won't help.


    I'm afraid so. Unless it is set in promiscuous mode, the bridge
    interface will ignore packets originally addressed to it if their
    destination MAC address is altered. Besides, the original destination
    MAC address is lost, although one willing to do port mirroring may
    consider it valuable information.

  18. Re: Port Mirroring in Linux

    Pascal Hambourg wrote:
    [...]
    >>
    >> That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
    >> will be the MAC of the other NIC), similar to DNAT in iptables.

    >
    > But why redirect only IPv4 traffic? And what is that other NIC you're
    > talking about?


    Well Markus posted this, not me. I just interpreted that. The other NIC is the
    one you wanted to redirect your traffic to or simply the sniffer interface.

    >> But won't this
    >> kill the communication? I mean, instead of letting packets go to their preset
    >> destination, this command will alter the destination. So this won't help.

    >
    > I'm afraid so. Unless it is set in promiscuous mode, the bridge
    > interface will ignore packets originally addressed to it if their
    > destination MAC address is altered. Besides, the original destination
    > MAC address is lost, although one willing to do port mirroring may
    > consider it valuable information.


    True, an Ethernet interface needs to be set in promiscuous mode in order to become
    a good sniffer interface.
    - --
    Ashish Shukla
    http://wahjava.wordpress.com/

  19. Re: Port Mirroring in Linux

    Ashish a écrit :
    >
    >>>That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
    >>>will be the MAC of the other NIC), similar to DNAT in iptables.

    >>
    >>But why redirect only IPv4 traffic? And what is that other NIC you're
    >>talking about?

    >
    > Well Markus posted this, not me. I just interpreted that.


    Oops, sorry for the mistake.

    > The other NIC is the
    > one you wanted to redirect your traffic to or simply the sniffer interface.


    Isn't a sniffer interface supposed to be in promiscuous mode, so this is
    not required?

  20. Re: Port Mirroring in Linux

    ,--- Pascal Hambourg writes:
    | Ashish a écrit :
    ||

    [...]

    ||| But why redirect only IPv4 traffic? And what is that other NIC you're
    ||| talking about?
    ||
    || Well Markus posted this, not me. I just interpreted that.

    | Oops, sorry for the mistake.

    np.

    || The other NIC is the
    || one you wanted to redirect your traffic to or simply the sniffer interface.

    | Isn't a sniffer interface supposed to be in promiscuous mode, so this
    | is not required?

    If you read my last post, you'll notice that I've already mentioned
    that in the end.
    - --
    Ashish Shukla आशीष शुक्ल
    http://wahjava.wordpress.com/
