Port Mirroring in Linux

Hi

I have to implement port mirroring feature in linux.ie All inbound-
outbound packets of a particular interface are mirrored to another
interface. I need to implement it in both the bridging and routing
paths.Is there any utility in linux which helps to do this?

Please help!


Thanks,
Jeniffer.

On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
say:

> Hi
>
> I have to implement port mirroring feature in linux.ie All inbound-
> outbound packets of a particular interface are mirrored to another
> interface. I need to implement it in both the bridging and routing
> paths.Is there any utility in linux which helps to do this?
>
> Please help!
>
>
> Thanks,
> Jeniffer.

Are you trying to set up a bridge?
http://www.tldp.org/HOWTO/Bridge/index.html

PS Good luck on your homework....

On Oct 30, 2:50 pm, david <n...@nospam.com> wrote:
> On Tue, 30 Oct 2007 09:23:52 +0000, jeniffer rearranged some electrons to
> say:
>
> > Hi
>
> > I have to implement port mirroring feature in linux.ie All inbound-
> > outbound packets of a particular interface are mirrored to another
> > interface. I need to implement it in both the bridging and routing
> > paths.Is there any utility in linux which helps to do this?
>
> > Please help!
>
> > Thanks,
> > Jeniffer.
>
> Are you trying to set up a bridge?http://www.tldp.org/HOWTO/Bridge/index.html
>
> PS Good luck on your homework....

thanks for the reply but No, I dont have to set up a bridge.A bridge
looks at its table's entry and says that packets with the mac 'Mi'
must be forwarding to interface X.Bridge does flooding,learning and
forwarding.
I need a behavior where I say that all packets coming and going on an
interface X must be given to another interface Y.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jeniffer wrote:

> thanks for the reply but No, I dont have to set up a bridge.A bridge
> looks at its table's entry and says that packets with the mac 'Mi'
> must be forwarding to interface X.Bridge does flooding,learning and
> forwarding.
> I need a behavior where I say that all packets coming and going on an
> interface X must be given to another interface Y.

You mean having something like an interface "eth1" which has all the
traffic "eth0" has. So if you wanted to sniff activity on "eth0", you can
simply sniff on "eth1", right...

- --
Ashish Shukla
http://wahjava.wordpress.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHJynoHy+EEHYuXnQRAkZGAKCbZ3spzOVrNFzipNn+Sl ieWrbvVACgrvQM
3tmI9T5iZgcIMG6Lp6/1Zg8=
=/rJJ
-----END PGP SIGNATURE-----

On Oct 30, 5:07 am, jeniffer <zenith.of.perfect...@gmail.com> wrote:

> thanks for the reply but No, I dont have to set up a bridge.A bridge
> looks at its table's entry and says that packets with the mac 'Mi'
> must be forwarding to interface X.Bridge does flooding,learning and
> forwarding.

Right.

> I need a behavior where I say that all packets coming and going on an
> interface X must be given to another interface Y.

That's what a bridge does. As you said above, it looks at its table's
entry and decides which interfaces to forward a packet to.

You are saying:

1) A bridge takes a packet and forwards it onto the appropriate
interfaces.

2) I want to take packets and forward them to appropriate interfaces.

3) I don't want a bridge.

You do realize that bridges frequently send the same packet to more
than one destination. Consider the obvious case where the bridge has
never seen a packet with that destination MAC before. Consider an ARP
request.

What you want is what bridges do.

DS

Hello,

David Schwartz a écrit :
> On Oct 30, 5:07 am, jeniffer <zenith.of.perfect...@gmail.com> wrote:
>
>>I need a behavior where I say that all packets coming and going on an
>>interface X must be given to another interface Y.
>
> That's what a bridge does. As you said above, it looks at its table's
> entry and decides which interfaces to forward a packet to.
>
> You are saying:
>
> 1) A bridge takes a packet and forwards it onto the appropriate
> interfaces.
>
> 2) I want to take packets and forward them to appropriate interfaces.

But I'm afraid that the OP and a bridge have a slightly different idea
of what "appropriate interfaces" is. To a bridge, it is interfaces that
have seen incoming traffic from the destination MAC address, or all
interfaces if the destination is unknown or broadcast (I skip the
multicast case). To the OP, it is the same *plus* the mirroring interface.

> 3) I don't want a bridge.
>
> You do realize that bridges frequently send the same packet to more
> than one destination. Consider the obvious case where the bridge has
> never seen a packet with that destination MAC before. Consider an ARP
> request.
>
> What you want is what bridges do.

I do not think that the vanilla Linux bridge code can do what the OP
wants. I guess it could if learning could be disabled, so the bridge
floods all traffic on all interfaces.

On Oct 31, 2:41 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:

> But I'm afraid that the OP and a bridge have a slightly different idea
> of what "appropriate interfaces" is. To a bridge, it is interfaces that
> have seen incoming traffic from the destination MAC address, or all
> interfaces if the destination is unknown or broadcast (I skip the
> multicast case). To the OP, it is the same *plus* the mirroring interface.

A bridge does whatever it's configured to do.

> > What you want is what bridges do.

> I do not think that the vanilla Linux bridge code can do what the OP
> wants. I guess it could if learning could be disabled, so the bridge
> floods all traffic on all interfaces.

Simply disabling learning will do exactly what the OP wants.

DS

David Schwartz a écrit :
>
> A bridge does whatever it's configured to do.

Within the limits of its configuration options and what it is able to do.

> Simply disabling learning will do exactly what the OP wants.

Not exactly. As far as I can see from a quick test, setting the bridge
ageing time to zero (brctl setageingtime <brname> 0) seems to disable
learning, but the bridge still knows its own MAC addresses, so traffic
received on a port destined to one of these MAC address won't be
forwarded to other ports.

jeniffer <zenith.of.perfection@gmail.com> wrote:
> I have to implement port mirroring feature in linux.ie All inbound-
> outbound packets of a particular interface are mirrored to another
> interface. I need to implement it in both the bridging and routing
> paths.Is there any utility in linux which helps to do this?

A bit of coding around libpcap to sniff traffic on one or more
interfaces and then just dump them out the desired interface sounds
like it would do the trick. If the mirror interface is also being
sniffed it might require a bit more logic to avoid loops.

rick jones
--
web2.0 n, the dot.com reunion tour...
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Rick Jones wrote:

> jeniffer <zenith.of.perfection@gmail.com> wrote:
>> I have to implement port mirroring feature in linux.ie All inbound-
>> outbound packets of a particular interface are mirrored to another
>> interface. I need to implement it in both the bridging and routing
>> paths.Is there any utility in linux which helps to do this?
>
> A bit of coding around libpcap to sniff traffic on one or more
> interfaces and then just dump them out the desired interface sounds
> like it would do the trick. If the mirror interface is also being
> sniffed it might require a bit more logic to avoid loops.

Something like tcpbridge?