Port mirroring means that all the traffic passing through a virtual switch is mirrored to another switch port. This makes it quite easy to debug possible problems and see what is happening on the lab network.
Most hardware switches offer port mirroring (a SPAN port) which you can enable from the CLI. My lab uses Open vSwitch on the inner part of the network; it is possible to add port mirroring to a classic Linux bridge, but Open vSwitch makes this so easy that there is no real point doing things the hard way.
Proxmox creates a separate tap interface for every network interface you add to a virtual machine. Below is the interface list of my capture server (VM id 999).
- Interface tap999i0 is used for management
- Interface tap999i1 is a dedicated interface for the port mirror.
root@host:~# ip l
33: tap999i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 12:49:c7:fd:3e:45 brd ff:ff:ff:ff:ff:ff
34: tap999i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
link/ether aa:81:cb:ef:b6:ee brd ff:ff:ff:ff:ff:ff
Now that the server is up and running, it is straightforward to mirror vmbr5 to the tap999i1 interface.
root@host:~# ovs-vsctl -- --id=@p get port tap999i1 -- --id=@m create mirror name=spanport select-all=true output-port=@p -- set bridge vmbr5 mirrors=@m
d2380e0e-0d13-46cf-8fec-457b42c0aca0
root@host:~# ovs-vsctl list Mirror
_uuid : d2380e0e-0d13-46cf-8fec-457b42c0aca0
external_ids : {}
name : spanport
output_port : c74fbe5c-76bc-4003-9984-5db6940e074e
output_vlan : []
select_all : true
select_dst_port : []
select_src_port : []
select_vlan : []
snaplen : []
statistics : {tx_bytes=172027, tx_packets=751}
root@capture:~# tcpdump -i ens19 -nn icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens19, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:10:27.225136 IP 10.26.30.20 > 8.8.8.8: ICMP echo request, id 57837, seq 7, length 64
13:10:27.225136 IP 8.8.8.8 > 10.26.30.20: ICMP echo reply, id 57837, seq 7, length 64
13:10:27.506243 IP 10.26.30.20 > 8.8.8.8: ICMP echo request, id 57837, seq 8, length 64
13:10:27.527656 IP 8.8.8.8 > 10.26.30.20: ICMP echo reply, id 57837, seq 8, length 64
13:10:28.508026 IP 10.26.30.20 > 8.8.8.8: ICMP echo request, id 57837, seq 9, length 64
13:10:28.527392 IP 8.8.8.8 > 10.26.30.20: ICMP echo reply, id 57837, seq 9, length 64
So there it is: the capture server sees traffic from the SPAN port and now I’m able to save and analyze it as I want. My lab network uses VLANs for traffic separation, but since I’m mirroring the whole bridge (vmbr5), all traffic gets mirrored regardless of the VLAN tagging.
Port mirrors don’t survive reboots, so I created a cron job which starts the mirror after @reboot.
OK, that’s it. Hopefully you got something out of this and I’ll see you in the next post.
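Below is an added example of what such an @reboot job can look like; it is not the script from the original post, just one way to wrap the same ovs-vsctl command so it is safe to run on every boot. It assumes the names used above (bridge vmbr5, output port tap999i1, mirror name spanport), waits for the tap port to appear (Proxmox only creates it when the VM starts, which can be after cron fires), skips creation if the mirror already exists, and verifies afterwards that the mirror's output_port really is the capture tap. The OVS variable exists only so the ovs-vsctl calls can be swapped for a stub when testing the script without a switch.

```shell
#!/bin/sh
# Added example (not the post's own script): idempotent @reboot helper that
# recreates an Open vSwitch SPAN mirror. Names are the ones from the post.
OVS="${OVS:-ovs-vsctl}"            # command to run; a test may point this at a stub
BRIDGE="${BRIDGE:-vmbr5}"
MIRROR_NAME="${MIRROR_NAME:-spanport}"
OUT_PORT="${OUT_PORT:-tap999i1}"
SLEEP="${SLEEP:-2}"                # seconds between retries while waiting for the port

# Print the mirror name if a Mirror row with that name exists, nothing otherwise.
# --bare strips headings and quoting, so the output is exactly the value.
mirror_exists() {
    "$OVS" --bare --columns=name find Mirror name="$1" 2>/dev/null
}

# Wait until the given port belongs to some bridge (port-to-br fails until then).
# $2 is the number of attempts; default 60 attempts, i.e. about two minutes.
wait_for_port() {
    port=$1
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        "$OVS" port-to-br "$port" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep "$SLEEP"
    done
    return 1
}

# Create the mirror exactly as in the post, but only when it is not there yet.
# Note that "set bridge ... mirrors=@m" replaces the bridge's mirror set.
ensure_mirror() {
    if [ -n "$(mirror_exists "$MIRROR_NAME")" ]; then
        echo "mirror $MIRROR_NAME already present"
        return 0
    fi
    "$OVS" -- --id=@p get port "$OUT_PORT" \
           -- --id=@m create mirror name="$MIRROR_NAME" select-all=true output-port=@p \
           -- set bridge "$BRIDGE" mirrors=@m
}

# Succeed only if the mirror's output_port UUID matches the expected port's UUID,
# which is the check "ovs-vsctl list Mirror" leaves to the reader's eyes.
mirror_points_at() {
    want=$("$OVS" get Port "$2" _uuid) || return 1
    have=$("$OVS" get Mirror "$1" output_port) || return 1
    [ "$have" = "$want" ]
}

main() {
    wait_for_port "$OUT_PORT" || { echo "port $OUT_PORT never appeared" >&2; return 1; }
    ensure_mirror || return 1
    if mirror_points_at "$MIRROR_NAME" "$OUT_PORT"; then
        echo "mirror $MIRROR_NAME -> $OUT_PORT ok"
    else
        echo "mirror $MIRROR_NAME does not point at $OUT_PORT" >&2
        return 1
    fi
}

# Only act when asked, e.g. in root's crontab:
#   @reboot /usr/local/sbin/ovs-mirror.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Two things worth knowing when adapting this: a port named as a mirror's output_port is reserved for mirroring, so it receives no ordinary forwarded traffic and frames arriving on it are dropped, which is why the capture VM keeps a separate management interface (tap999i0); and "set bridge vmbr5 mirrors=@m" replaces whatever mirrors the bridge already had, so if you ever want more than one mirror on a bridge, use "add bridge vmbr5 mirrors @m" instead.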