On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
say:

> Hi
>
> I have to implement port mirroring feature in linux.ie All inbound-
> outbound packets of a particular interface are mirrored to another
> interface. I need to implement it in both the bridging and routing
> paths.Is there any utility in linux which helps to do this?
>
> Please help!
>
>
> Thanks,
> Jeniffer.

Are you trying to set up a bridge?
http://www.tldp.org/HOWTO/Bridge/index.html

PS Good luck on your homework....

On Oct 30, 2:50 pm, david wrote:
> On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
> say:
>
> > Hi
>
> > I have to implement port mirroring feature in linux.ie All inbound-
> > outbound packets of a particular interface are mirrored to another
> > interface. I need to implement it in both the bridging and routing
> > paths.Is there any utility in linux which helps to do this?
>
> > Please help!
>
> > Thanks,
> > Jeniffer.
>
> Are you trying to set up a bridge?http://www.tldp.org/HOWTO/Bridge/index.html
>
> PS Good luck on your homework....

thanks for the reply but No, I dont have to set up a bridge.A bridge
looks at its table's entry and says that packets with the mac 'Mi'
must be forwarding to interface X.Bridge does flooding,learning and
forwarding.
I need a behavior where I say that all packets coming and going on an
interface X must be given to another interface Y.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jeniffer wrote:

> thanks for the reply but No, I dont have to set up a bridge.A bridge
> looks at its table's entry and says that packets with the mac 'Mi'
> must be forwarding to interface X.Bridge does flooding,learning and
> forwarding.
> I need a behavior where I say that all packets coming and going on an
> interface X must be given to another interface Y.

You mean having something like an interface "eth1" which has all the
traffic "eth0" has. So if you wanted to sniff activity on "eth0", you can
simply sniff on "eth1", right...

- --
Ashish Shukla
http://wahjava.wordpress.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHJynoHy+EEHYuXnQRAkZGAKCbZ3spzOVrNFzipNn+Sl ieWrbvVACgrvQM
3tmI9T5iZgcIMG6Lp6/1Zg8=
=/rJJ
-----END PGP SIGNATURE-----

On Oct 30, 5:07 am, jeniffer wrote:

> thanks for the reply but No, I dont have to set up a bridge.A bridge
> looks at its table's entry and says that packets with the mac 'Mi'
> must be forwarding to interface X.Bridge does flooding,learning and
> forwarding.

Right.

> I need a behavior where I say that all packets coming and going on an
> interface X must be given to another interface Y.

That's what a bridge does. As you said above, it looks at its table's
entry and decides which interfaces to forward a packet to.

You are saying:

1) A bridge takes a packet and forwards it onto the appropriate
interfaces.

2) I want to take packets and forward them to appropriate interfaces.

3) I don't want a bridge.

You do realize that bridges frequently send the same packet to more
than one destination. Consider the obvious case where the bridge has
never seen a packet with that destination MAC before. Consider an ARP
request.

What you want is what bridges do.

DS

Hello,

David Schwartz a écrit :
> On Oct 30, 5:07 am, jeniffer wrote:
>
>>I need a behavior where I say that all packets coming and going on an
>>interface X must be given to another interface Y.
>
> That's what a bridge does. As you said above, it looks at its table's
> entry and decides which interfaces to forward a packet to.
>
> You are saying:
>
> 1) A bridge takes a packet and forwards it onto the appropriate
> interfaces.
>
> 2) I want to take packets and forward them to appropriate interfaces.

But I'm afraid that the OP and a bridge have a slightly different idea
of what "appropriate interfaces" is. To a bridge, it is interfaces that
have seen incoming traffic from the destination MAC address, or all
interfaces if the destination is unknown or broadcast (I skip the
multicast case). To the OP, it is the same *plus* the mirroring interface.

> 3) I don't want a bridge.
>
> You do realize that bridges frequently send the same packet to more
> than one destination. Consider the obvious case where the bridge has
> never seen a packet with that destination MAC before. Consider an ARP
> request.
>
> What you want is what bridges do.

I do not think that the vanilla Linux bridge code can do what the OP
wants. I guess it could if learning could be disabled, so the bridge
floods all traffic on all interfaces.

On Oct 31, 2:41 am, Pascal Hambourg
wrote:

> But I'm afraid that the OP and a bridge have a slightly different idea
> of what "appropriate interfaces" is. To a bridge, it is interfaces that
> have seen incoming traffic from the destination MAC address, or all
> interfaces if the destination is unknown or broadcast (I skip the
> multicast case). To the OP, it is the same *plus* the mirroring interface.

A bridge does whatever it's configured to do.

> > What you want is what bridges do.

> I do not think that the vanilla Linux bridge code can do what the OP
> wants. I guess it could if learning could be disabled, so the bridge
> floods all traffic on all interfaces.

Simply disabling learning will do exactly what the OP wants.

DS

David Schwartz a écrit :
>
> A bridge does whatever it's configured to do.

Within the limits of its configuration options and what it is able to do.

> Simply disabling learning will do exactly what the OP wants.

Not exactly. As far as I can see from a quick test, setting the bridge
ageing time to zero (brctl setageingtime 0) seems to disable
learning, but the bridge still knows its own MAC addresses, so traffic
received on a port destined to one of these MAC address won't be
forwarded to other ports.

jeniffer wrote:
> I have to implement port mirroring feature in linux.ie All inbound-
> outbound packets of a particular interface are mirrored to another
> interface. I need to implement it in both the bridging and routing
> paths.Is there any utility in linux which helps to do this?

A bit of coding around libpcap to sniff traffic on one or more
interfaces and then just dump them out the desired interface sounds
like it would do the trick. If the mirror interface is also being
sniffed it might require a bit more logic to avoid loops.

rick jones
--
web2.0 n, the dot.com reunion tour...
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Rick Jones wrote:

> jeniffer wrote:
>> I have to implement port mirroring feature in linux.ie All inbound-
>> outbound packets of a particular interface are mirrored to another
>> interface. I need to implement it in both the bridging and routing
>> paths.Is there any utility in linux which helps to do this?
>
> A bit of coding around libpcap to sniff traffic on one or more
> interfaces and then just dump them out the desired interface sounds
> like it would do the trick. If the mirror interface is also being
> sniffed it might require a bit more logic to avoid loops.

Something like tcpbridge?

Pascal Hambourg wrote:

> David Schwartz a écrit :
>>
>> A bridge does whatever it's configured to do.
>
> Within the limits of its configuration options and what it is able to do.
>
>> Simply disabling learning will do exactly what the OP wants.
>
> Not exactly. As far as I can see from a quick test, setting the bridge
> ageing time to zero (brctl setageingtime 0) seems to disable
> learning, but the bridge still knows its own MAC addresses, so traffic
> received on a port destined to one of these MAC address won't be
> forwarded to other ports.

True but you could do thomething like this:

ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
00:01:12:12:12:12 --dnat-target ACCEPT

Markus Rehbach a écrit :
> Pascal Hambourg wrote:
>
>>As far as I can see from a quick test, setting the bridge
>>ageing time to zero (brctl setageingtime 0) seems to disable
>>learning, but the bridge still knows its own MAC addresses, so traffic
>>received on a port destined to one of these MAC address won't be
>>forwarded to other ports.
>
> True but you could do thomething like this:
>
> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
> 00:01:12:12:12:12 --dnat-target ACCEPT

How is this supposed to help ?

Markus Rehbach wrote:
> Rick Jones wrote:
> > A bit of coding around libpcap to sniff traffic on one or more
> > interfaces and then just dump them out the desired interface sounds
> > like it would do the trick. If the mirror interface is also being
> > sniffed it might require a bit more logic to avoid loops.

> Something like tcpbridge?

Perhaps, I've never seen tcpbridge.

Actually, I'm surprised that the Linux bridging code doesn't have
support for designating a mirror interface. I'd have thought it was
there already. Although I suspect the argument might be that if you
want to see traffic just sniff the interfaces making-up the bridge.

rick jones
--
a wide gulf separates "what if" from "if only"
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Pascal Hambourg wrote:

> Markus Rehbach a écrit :
>> Pascal Hambourg wrote:
>>
>>>As far as I can see from a quick test, setting the bridge
>>>ageing time to zero (brctl setageingtime 0) seems to disable
>>>learning, but the bridge still knows its own MAC addresses, so traffic
>>>received on a port destined to one of these MAC address won't be
>>>forwarded to other ports.
>>
>> True but you could do thomething like this:
>>
>> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
>> 00:01:12:12:12:12 --dnat-target ACCEPT
>
> How is this supposed to help ?

That'll will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
will be the MAC of other NIC), similar to the DNAT in iptables. But won't this
kill the communication, I mean instead of letting packets go to their preset
destination, this command will alter the destination. So this won't help.

HTH
--
Ashish Shukla
http://wahjava.wordpress.com/

On Oct 31, 10:05 am, Pascal Hambourg
wrote:

> Not exactly. As far as I can see from a quick test, setting the bridge
> ageing time to zero (brctl setageingtime 0) seems to disable
> learning, but the bridge still knows its own MAC addresses, so traffic
> received on a port destined to one of these MAC address won't be
> forwarded to other ports.

There is no reason a bridge should even have a MAC address. You can't
send packets to a bridge, only to a device connected to it.

DS

David Schwartz a écrit :
>
> There is no reason a bridge should even have a MAC address. You can't
> send packets to a bridge, only to a device connected to it.

Wireless access points and ethernet switches are bridges and have a MAC
address. Please keep in mind that we're in a Linux networking group, so
we're not talking about the pure bridge theory but about the Linux
implementation of a bridge. A Linux bridge, which is considered as an
ethernet interface which can send and receive packets, has at least one
MAC address inherited from the first bridged interface.

Ashish a écrit :
> Pascal Hambourg wrote:
>
>>>>As far as I can see from a quick test, setting the bridge
>>>>ageing time to zero (brctl setageingtime 0) seems to disable
>>>>learning, but the bridge still knows its own MAC addresses, so traffic
>>>>received on a port destined to one of these MAC address won't be
>>>>forwarded to other ports.
>>>
>>>True but you could do thomething like this:
>>>
>>>ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
>>>00:01:12:12:12:12 --dnat-target ACCEPT
>>
>>How is this supposed to help ?
>
> That'll will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
> will be the MAC of other NIC), similar to the DNAT in iptables.

But why redirect only IPv4 traffic ? And what is that other NIC you're
talking about ?

> But won't this
> kill the communication, I mean instead of letting packets go to their preset
> destination, this command will alter the destination. So this won't help.

I'm afraid so. Unless it is set in promiscuous mode, the bridge
interface will ignore packets originally addressed to it if their
destination MAC address is altered. Besides, the original destination
MAC address is lost although one willing to do port mirroring may
considered it a valuable information.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pascal Hambourg wrote:
[...]
>>
>> That'll will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
>> will be the MAC of other NIC), similar to the DNAT in iptables.
>
> But why redirect only IPv4 traffic ? And what is that other NIC you're
> talking about ?

Well Markus posted this, not me. I just interpreted that. The other NIC is the
one you wanted to redirect your traffic to or simply the sniffer interface.

>> But won't this
>> kill the communication, I mean instead of letting packets go to their preset
>> destination, this command will alter the destination. So this won't help.
>
> I'm afraid so. Unless it is set in promiscuous mode, the bridge
> interface will ignore packets originally addressed to it if their
> destination MAC address is altered. Besides, the original destination
> MAC address is lost although one willing to do port mirroring may
> considered it a valuable information.

True, ethernet interface needs to be set in promiscuous mode in order to become
a good sniffer interface.
- --
Ashish Shukla
http://wahjava.wordpress.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHKW2jHy+EEHYuXnQRAqTYAJ4jmfzFEhW8YbRug+AVrH 76+n8zeACgh0Qe
X05pDFdhK9zs7N4kbG/tl0s=
=ULzW
-----END PGP SIGNATURE-----

Ashish a écrit :
>
>>>That'll will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
>>>will be the MAC of other NIC), similar to the DNAT in iptables.
>>
>>But why redirect only IPv4 traffic ? And what is that other NIC you're
>>talking about ?
>
> Well Markus posted this, not me. I just interpreted that.

Oops, sorry for the mistake.

> The other NIC is the
> one you wanted to redirect your traffic to or simply the sniffer interface.

Isn't a sniffer interface supposed to be in promiscuous mode, so this is
not required ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

,--- Pascal Hambourg writes:
| Ashish a écrit :
||

[...]

||| But why redirect only IPv4 traffic ? And what is that other NIC you're
||| talking about ?
||
|| Well Markus posted this, not me. I just interpreted that.

| Oops, sorry for the mistake.

np.

|| The other NIC is the
|| one you wanted to redirect your traffic to or simply the sniffer interface.

| Isn't a sniffer interface supposed to be in promiscuous mode, so this
| is not required ?

If you read my last post, you'll notice that I've already mentioned
that in the end.
- --
Ashish Shukla आशीष श�क�ल
http://wahjava.wordpress.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHKdgEHy+EEHYuXnQRAj4SAKClkV2NFdifKLfVYO9EyT lNEmY8vgCfWh8f
m9ZL4dIq0ubPU5G2WV+9wXw=
=p9+t
-----END PGP SIGNATURE-----