{"id":217,"date":"2016-05-18T13:07:44","date_gmt":"2016-05-18T18:07:44","guid":{"rendered":"https:\/\/adamkuj.net\/blog\/?p=217"},"modified":"2021-05-11T08:59:41","modified_gmt":"2021-05-11T13:59:41","slug":"pro-tip-port-mirroring-in-linux","status":"publish","type":"post","link":"https:\/\/adamkuj.net\/blog\/2016\/05\/18\/pro-tip-port-mirroring-in-linux\/","title":{"rendered":"Pro-Tip: Port Mirroring In Linux"},"content":{"rendered":"

Sometimes a span\/mirror port isn’t available on a switch when you need one. However, if you just need to monitor traffic from\/to a Linux server, you can have the Linux server mirror it’s own traffic toward a collector. You just need a spare NIC on the Linux system.<\/p>\n

For example, if you want to mirror all traffic going in\/out of eth0, and send it out eth1 toward a collector, you can do that with the ‘tc’ subsystem. Some examples of this exist online. However, what they don’t tell you is that if eth1 goes down (unplugged, etc), that results in eth0 blocking all traffic — not good! I came up with a workaround for that problem using bridge and dummy interfaces. It’s kludgy, but it works!<\/p>\n

See below for all the required config files \/ scripts. (don’t forget to chmod the scripts so root can run them!)<\/p>\n

[shell title=”\/etc\/network\/interfaces” language=”true”]
\n# The loopback network interface
\nauto lo
\niface lo inet loopback<\/p>\n

# The primary network interface
\nauto eth0
\niface eth0 inet static
\naddress 192.168.1.123
\nnetmask 255.255.255.20
\ngateway 192.168.1.254
\ndns-nameservers 8.8.8.8<\/p>\n

# physical mirror port toward collector
\nauto eth1
\niface eth1 inet static
\naddress 127.1.1.1
\nnetmask 255.255.255.255
\nup ip addr del 127.1.1.1\/32 dev eth1;:<\/p>\n

# always-up mirror port toward dev null
\nauto dummy0
\niface dummy0 inet static
\naddress 127.4.4.4
\nnetmask 255.255.255.255
\npre-up modprobe dummy;:
\nup ip addr del 127.4.4.4\/32 dev dummy0;:<\/p>\n

# bridge of eth1 and dummy0
\n# this is so that it always stays up, even if eth1 is down
\nauto br0
\niface br0 inet static
\nbridge_ports eth1 dummy0
\naddress 127.5.5.5
\nnetmask 255.255.255.255
\nup ip addr del 127.5.5.5\/32 dev br0;:
\npost-up \/etc\/network\/mirror-up.sh;:
\npre-down \/etc\/network\/mirror-down.sh;:
\n[\/shell]<\/p>\n

[bash title=”\/etc\/network\/mirror-up.sh” language=”true”]
\n#!\/bin\/sh<\/p>\n

# ALK 2014-10-23
\n# Send all ‘source_if’ traffic (ingress & egress) to collector box on ‘dest_if’<\/p>\n

# Normally called by boot process or ifup. i.e.
\n# –\/etc\/network\/interfaces–
\n# iface eth0 inet static
\n# address X.X.X.X
\n# netmask Y.Y.Y.Y
\n# post-up \/etc\/network\/mirror-up.sh;:<\/p>\n

source_if=eth0
\ndest_if=br0<\/p>\n

# enable the destination port
\nifconfig $dest_if up;:<\/p>\n

# mirror ingress traffic
\ntc qdisc add dev $source_if ingress;:
\ntc filter add dev $source_if parent ffff: \\
\nprotocol all \\
\nu32 match u8 0 0 \\
\naction mirred egress mirror dev $dest_if;:<\/p>\n

# mirror egress traffic
\ntc qdisc add dev $source_if handle 1: root prio;:
\ntc filter add dev $source_if parent 1: \\
\nprotocol all \\
\nu32 match u8 0 0 \\
\naction mirred egress mirror dev $dest_if;:
\n[\/bash]<\/p>\n

[bash title=”\/etc\/network\/mirror-down.sh” language=”true”]
\n#!\/bin\/sh<\/p>\n

# ALK 2014-10-23
\n# De-provision mirroring config (See mirror-up.sh for provisioning)<\/p>\n

# Normally called by boot process or ifdown. i.e.
\n# –\/etc\/network\/interfaces–
\n# iface eth0 inet static
\n# address X.X.X.X
\n# netmask Y.Y.Y.Y
\n# pre-down \/etc\/network\/mirror-down.sh;:<\/p>\n

source_if=eth0<\/p>\n

# de-provision ingress mirroring
\ntc qdisc del dev $source_if ingress;:<\/p>\n

# de-provisoin egress mirroring
\ntc qdisc del dev $source_if root;:
\n[\/bash]<\/p>\n","protected":false},"excerpt":{"rendered":"

Sometimes a span\/mirror port isn’t available on a switch when you need one. However, if you just need to monitor traffic from\/to a Linux server, you can have the Linux server mirror it’s own traffic toward a collector. You just need a spare NIC on the Linux system. For example, if you want to mirror all […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[33,32,4,35,36,34,31],"class_list":["post-217","post","type-post","status-publish","format-standard","hentry","category-networking-tools","tag-bash","tag-ifconfig","tag-linux","tag-mirror","tag-monitor","tag-span","tag-tc"],"_links":{"self":[{"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/posts\/217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/comments?post=217"}],"version-history":[{"count":12,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/posts\/217\/revisions"}],"predecessor-version":[{"id":313,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/posts\/217\/revisions\/313"}],"wp:attachment":[{"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/media?parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/categories?post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adamkuj.net\/blog\/wp-json\/wp\/v2\/tags?post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}