Linux Bridge is a bridge device supported in the kernel core that provides simple switch functionality. The requirement now is to monitor all traffic of a cloud host on the cloud platform. We use Linux Bridge rather than a more capable software switch such as a vSwitch. After consulting the following references:
http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/
http://superuser.com/questions/753294/mirror-port-via-iptables
http://askubuntu.com/questions/22562/copy-all-bridge-traffic-to-a-specific-interface
There are several ways to do this:
iptables
Use iptables, editing the mangle table specifically:
-j ROUTE (explicitly routes packets; valid in PREROUTING)
Options:
--iface <iface_name>
--ifindex <iface_idx>
Alternatively, enter the commands directly:
iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway 192.168.200.1
iptables -I POSTROUTING -t mangle -j TEE --gateway 192.168.200.1
From the iptables documentation:
The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.
--gateway ipaddr
Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets), or :: (IPv6) is invalid.
To forward all incoming traffic on eth0 to a Network Layer logging box:
-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
The TEE target clones the packet and sends the clone to another machine on the local network. Note, however, that the rule sits in the mangle table, and on this path the packet has already been subject to the SNAT/DNAT rules, so what gets cloned is clearly no longer the packet as the cloud host originally sent it.
tc tool
Daemonlogger
sudo daemonlogger -i <input_interface> -o <mirror_interface>
where the arguments are explained as:
-i <interface>  Set interface to grab data from to <interface>.
-o <interface>  Disable logging, instead mirror traffic from -i <interface> to -o <interface>.
This is the easy option.
A small experiment:
Capture packets on bond0:
# tcpdump -i bond0 -n | grep 223.5.5.5
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:51:01.160065 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 182, length 64
10:51:01.163128 IP 223.5.5.5 > 10.10.82.226: ICMP echo reply, id 15978, seq 182, length 64
10:51:02.161217 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 183, length 64
Capture packets on vnet0:
# tcpdump -i vnet0 -n | grep 223.5.5.5
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:31:42.458344 IP 192.168.138.14 > 223.5.5.5: ICMP echo request, id 30953, seq 1, length 64
17:31:42.461327 IP 223.5.5.5 > 192.168.138.14: ICMP echo reply, id 30953, seq 1, length 64
We can see that the packets leaving the bridge port vnet0 are the native ones: they have not yet passed through the iptables rules on their way to the Internet.
The particular point to note is why we do not simply mirror the traffic on bond0: we apply SNAT and DNAT rules with iptables (see the previous article for details). Because of the SNAT/DNAT, the original packet has been rewritten, and its source or destination address no longer identifies the cloud host, so the traffic can no longer be attributed to the host we want to monitor.
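As an added illustration of this point (not part of the original post), the following Python script parses tcpdump -n lines from both interfaces and reports on which of them the guest's native address 192.168.138.14 is still visible. The capture lines are constructed from the output shown above, and the function names are my own.

```python
import re

# Constructed sample lines modelled on the tcpdump -n output shown above.
# Guest 192.168.138.14 is SNATed to 10.10.82.226 before it leaves bond0.
CAPTURES = {
    "bond0": [
        "10:51:01.160065 IP 10.10.82.226 > 223.5.5.5: ICMP echo request, id 15978, seq 182, length 64",
        "10:51:01.163128 IP 223.5.5.5 > 10.10.82.226: ICMP echo reply, id 15978, seq 182, length 64",
    ],
    "vnet0": [
        "17:31:42.458344 IP 192.168.138.14 > 223.5.5.5: ICMP echo request, id 30953, seq 1, length 64",
        "17:31:42.461327 IP 223.5.5.5 > 192.168.138.14: ICMP echo reply, id 30953, seq 1, length 64",
    ],
}

# IPv4 only: "<time> IP <src> > <dst>: <rest>"; src/dst may carry a ".port" suffix
LINE_RE = re.compile(r"^\S+ IP (\S+) > ([^:]+): (.*)$")


def split_host(endpoint):
    """Strip the ".port" suffix that tcpdump -n appends to TCP/UDP endpoints."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def parse_line(line):
    """Return (src_host, dst_host, description), or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return split_host(m.group(1)), split_host(m.group(2)), m.group(3)


def packets_attributable(lines, guest_ip):
    """Count packets whose source or destination is the guest's own address."""
    count = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed and guest_ip in parsed[:2]:
            count += 1
    return count


def usable_mirror_sources(captures, guest_ip):
    """Interfaces on which the guest's native address is still visible, i.e.
    where a mirror port can attribute the traffic to that guest."""
    return sorted(name for name, lines in captures.items()
                  if packets_attributable(lines, guest_ip) > 0)
```

Run against the constructed captures, only vnet0 qualifies: on bond0 the guest's packets already carry the SNAT address 10.10.82.226.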
Linux Bridge Mirror Port