Port Mirroring in Linux (Linux Networking forums)
Pascal Hambourg wrote:
> David Schwartz wrote:
>>
>> A bridge does whatever it's configured to do.
>
> Within the limits of its configuration options and what it is able to do.
>
>> Simply disabling learning will do exactly what the OP wants.
>
> Not exactly. As far as I can see from a quick test, setting the bridge
> ageing time to zero (brctl setageingtime <brname> 0) seems to disable
> learning, but the bridge still knows its own MAC addresses, so traffic
> received on a port destined to one of these MAC addresses won't be
> forwarded to other ports.

True, but you could do something like this:

ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination 00:01:12:12:12:12 --dnat-target ACCEPT
Markus Rehbach wrote:
> Pascal Hambourg wrote:
>
>> As far as I can see from a quick test, setting the bridge
>> ageing time to zero (brctl setageingtime <brname> 0) seems to disable
>> learning, but the bridge still knows its own MAC addresses, so traffic
>> received on a port destined to one of these MAC addresses won't be
>> forwarded to other ports.
>
> True, but you could do something like this:
>
> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
> 00:01:12:12:12:12 --dnat-target ACCEPT

How is this supposed to help?
Markus Rehbach <Markus.Rehbach@gmx.de> wrote:
> Rick Jones wrote:
>> A bit of coding around libpcap to sniff traffic on one or more
>> interfaces and then just dump them out the desired interface sounds
>> like it would do the trick. If the mirror interface is also being
>> sniffed it might require a bit more logic to avoid loops.
> Something like tcpbridge?

Perhaps, I've never seen tcpbridge.

Actually, I'm surprised that the Linux bridging code doesn't have support for designating a mirror interface. I'd have thought it was there already. Although I suspect the argument might be that if you want to see traffic, just sniff the interfaces making up the bridge.

rick jones
--
a wide gulf separates "what if" from "if only"
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
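The "sniff and dump out the mirror interface" idea from Rick's post, sketched as an added example that is not from the original thread: a user-space mirror on Linux AF_PACKET raw sockets (used here instead of libpcap), with the loop-avoidance rule for the case where the mirror interface is itself sniffed kept in a small class that can be tested without root. The interface names and the two-second memory window are assumptions.

```python
import select
import socket
import time
from collections import deque

ETH_P_ALL = 0x0003   # Linux raw-socket protocol number: receive every frame
INJECT_TTL = 2.0     # seconds an injected frame is remembered (constructed)

class MirrorPolicy:
    """Decides whether a frame captured on `ifname` is copied to the mirror port.
    Loop avoidance: frames captured on the mirror port itself are never copied,
    and a frame byte-identical to one we recently injected is dropped (so a
    legitimately repeated frame is also suppressed for INJECT_TTL seconds)."""
    def __init__(self, sniffed, mirror, now=time.monotonic):
        self.sniffed = set(sniffed)
        self.mirror = mirror
        self.now = now             # injectable clock so the rule is testable
        self._injected = deque()   # (timestamp, frame) pairs we have sent

    def _expire(self):
        cutoff = self.now() - INJECT_TTL
        while self._injected and self._injected[0][0] < cutoff:
            self._injected.popleft()

    def should_mirror(self, ifname, frame):
        if ifname == self.mirror or ifname not in self.sniffed:
            return False
        self._expire()
        return all(f != frame for _, f in self._injected)

    def record_injected(self, frame):
        self._injected.append((self.now(), frame))

def open_raw(ifname):
    # AF_PACKET socket bound to one interface; needs CAP_NET_RAW on Linux.
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    return s

def run(sniffed, mirror):
    """Blocking loop: copy every frame seen on `sniffed` ports out `mirror`."""
    policy = MirrorPolicy(sniffed, mirror)
    socks = {open_raw(i): i for i in sniffed}
    out = open_raw(mirror)
    while True:
        ready, _, _ = select.select(list(socks), [], [])
        for s in ready:
            frame = s.recv(65535)
            if policy.should_mirror(socks[s], frame):
                out.send(frame)
                policy.record_injected(frame)
```

Run as root with e.g. `run(["eth1", "eth2"], "eth3")` (constructed names) and attach the sniffer, in promiscuous mode, to eth3.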
Pascal Hambourg wrote:
> Markus Rehbach wrote:
>> Pascal Hambourg wrote:
>>
>>> As far as I can see from a quick test, setting the bridge
>>> ageing time to zero (brctl setageingtime <brname> 0) seems to disable
>>> learning, but the bridge still knows its own MAC addresses, so traffic
>>> received on a port destined to one of these MAC addresses won't be
>>> forwarded to other ports.
>>
>> True, but you could do something like this:
>>
>> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
>> 00:01:12:12:12:12 --dnat-target ACCEPT
>
> How is this supposed to help?

That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which will be the MAC of the other NIC), similar to the DNAT in iptables. But won't this kill the communication? I mean, instead of letting packets go to their preset destination, this command will alter the destination. So this won't help.

HTH
--
Ashish Shukla
http://wahjava.wordpress.com/
On Oct 31, 10:05 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org> wrote:
> Not exactly. As far as I can see from a quick test, setting the bridge
> ageing time to zero (brctl setageingtime <brname> 0) seems to disable
> learning, but the bridge still knows its own MAC addresses, so traffic
> received on a port destined to one of these MAC addresses won't be
> forwarded to other ports.

There is no reason a bridge should even have a MAC address. You can't send packets to a bridge, only to a device connected to it.

DS
David Schwartz wrote:
>
> There is no reason a bridge should even have a MAC address. You can't
> send packets to a bridge, only to a device connected to it.

Wireless access points and ethernet switches are bridges and have a MAC address. Please keep in mind that we're in a Linux networking group, so we're not talking about pure bridge theory but about the Linux implementation of a bridge. A Linux bridge, which is considered an ethernet interface that can send and receive packets, has at least one MAC address, inherited from the first bridged interface.
Ashish wrote:
> Pascal Hambourg wrote:
>
>>>> As far as I can see from a quick test, setting the bridge
>>>> ageing time to zero (brctl setageingtime <brname> 0) seems to disable
>>>> learning, but the bridge still knows its own MAC addresses, so traffic
>>>> received on a port destined to one of these MAC addresses won't be
>>>> forwarded to other ports.
>>>
>>> True, but you could do something like this:
>>>
>>> ebtables -t nat -A PREROUTING -i eth3 -p 0x0800 -j dnat --to-destination
>>> 00:01:12:12:12:12 --dnat-target ACCEPT
>>
>> How is this supposed to help?
>
> That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
> will be the MAC of the other NIC), similar to the DNAT in iptables.

But why redirect only IPv4 traffic? And what is that other NIC you're talking about?

> But won't this
> kill the communication? I mean, instead of letting packets go to their preset
> destination, this command will alter the destination. So this won't help.

I'm afraid so. Unless it is set in promiscuous mode, the bridge interface will ignore packets originally addressed to it if their destination MAC address is altered. Besides, the original destination MAC address is lost, although one willing to do port mirroring may consider it valuable information.
Pascal Hambourg wrote:
[...]
>>
>> That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
>> will be the MAC of the other NIC), similar to the DNAT in iptables.
>
> But why redirect only IPv4 traffic? And what is that other NIC you're
> talking about?

Well, Markus posted this, not me. I just interpreted that. The other NIC is the one you wanted to redirect your traffic to, or simply the sniffer interface.

>> But won't this
>> kill the communication? I mean, instead of letting packets go to their preset
>> destination, this command will alter the destination. So this won't help.
>
> I'm afraid so. Unless it is set in promiscuous mode, the bridge
> interface will ignore packets originally addressed to it if their
> destination MAC address is altered. Besides, the original destination
> MAC address is lost, although one willing to do port mirroring may
> consider it valuable information.

True, an ethernet interface needs to be set in promiscuous mode in order to become a good sniffer interface.

--
Ashish Shukla
http://wahjava.wordpress.com/
Ashish wrote:
>
>>> That will redirect all IP (0x0800) traffic to MAC 00:01:12:12:12:12 (which
>>> will be the MAC of the other NIC), similar to the DNAT in iptables.
>>
>> But why redirect only IPv4 traffic? And what is that other NIC you're
>> talking about?
>
> Well, Markus posted this, not me. I just interpreted that.

Oops, sorry for the mistake.

> The other NIC is the
> one you wanted to redirect your traffic to, or simply the sniffer interface.

Isn't a sniffer interface supposed to be in promiscuous mode, so this is not required?
,--- Pascal Hambourg writes:
| Ashish wrote:
|| [...]
||| But why redirect only IPv4 traffic? And what is that other NIC you're
||| talking about?
||
|| Well, Markus posted this, not me. I just interpreted that.
| Oops, sorry for the mistake.

np.

|| The other NIC is the
|| one you wanted to redirect your traffic to, or simply the sniffer interface.
| Isn't a sniffer interface supposed to be in promiscuous mode, so this
| is not required?

If you read my last post, you'll notice that I've already mentioned that at the end.

--
Ashish Shukla आशीष शुक्ल
http://wahjava.wordpress.com/