Creating a port mirror on the open vswitch bridge
I have been trying to configure a port mirror on a virtual bridge created using Open vSwitch.
I have created the following ports on bridge demo_bridge using:

```
sudo ovs-vsctl add-port demo_bridge victim0
```

```
Bridge demo_bridge
    Port "demo_bridge"
        Interface demo_bridge
            type: internal
    Port "victim0"
        Interface victim0
            type: internal
    Port "attacker0"
        Interface attacker0
            type: internal
    Port "wireshark0"
        Interface wireshark0
            type: internal
ovs_version: "2.5.2"
```

I am conducting a simple experiment where VM1 (attached to attacker0) is going to attack VM2 (attached to victim0), and I need to mirror all traffic from the attacker0 vport to wireshark0 (VM3 capturing network traffic). However, whenever I enable mirroring, I can no longer ping from VM1 (attacker VM) to VM3 (Wireshark VM); furthermore, I cannot see any mirrored traffic on VM3 either.
These are the two sets of commands I have used to create the mirror port, and neither of them works:

```
sudo ovs-vsctl \
  -- set Bridge demo_bridge mirrors=@m1 \
  -- --id=@attacker0 get Port attacker0 \
  -- --id=@wireshark0 get Port wireshark0 \
  -- --id=@m1 create Mirror name=port_mirror1 select-dst-port=@attacker0 select-src-port=@attacker0 output-port=@wireshark0
```

```
# From YouTube video
sudo ovs-vsctl \
  -- --id=@p get port victim0 \
  -- --id=@m create mirror name=mirror0 \
  -- add bridge demo_bridge mirrors @m \
  -- set mirror mirror0 output_port=@p

# Activate the mirror
sudo ovs-vsctl \
  -- --id=@p get port ens3 \
  -- set mirror mirror0 select_dst_port=@p \
  -- set mirror mirror0 select_src_port=@p
```

These commands do create the mirror port, but they also break the network connection between the attacker VM1 and the victim VM2. When the mirror is removed, I can ping all VMs just fine. The local interface on each VM (ens3) has a static IP address, connected to the bridge demo_bridge. /etc/network/interfaces:

```
auto ens3
iface ens3 inet static
    address 172.168.0.3
    network 172.168.0.0/27
    netmask 255.255.255.0
```
ubuntu virtual-machine kvm
asked Mar 3 '18 at 9:24
user3797683
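Added example, not code from the question: the single-transaction ovs-vsctl form for the layout above, with a check in front of it. OVS reserves a mirror's output port exclusively for mirrored frames (nothing else is forwarded to it and frames it sends are dropped), so VM3 losing its ping once wireshark0 is the output port is the documented behaviour, and the YouTube variant, which makes victim0 the output port, cuts the victim off the same way. Port and bridge names are the question's; the script name and the OVS_VSCTL override are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates the mirror for the
# question's layout (demo_bridge: attacker0 mirrored to wireshark0) in ONE
# ovs-vsctl transaction and refuses configurations that would blackhole a VM.
# OVS_VSCTL may be pointed at a wrapper function to dry-run without a switch.
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"

# validate_mirror "<space-separated bridge ports>" <monitored> <output>
# OVS reserves a mirror's output port exclusively for mirrored frames: normal
# forwarding to it stops and frames it sends are dropped. The output port must
# therefore be a dedicated capture port on the bridge, never the monitored one.
validate_mirror() {
    ports=" $1 "; mon="$2"; out="$3"
    for p in "$mon" "$out"; do
        case "$ports" in
            *" $p "*) ;;
            *) echo "validate_mirror: $p is not a port of the bridge" >&2; return 1 ;;
        esac
    done
    if [ "$mon" = "$out" ]; then
        echo "validate_mirror: output port $out would cut $mon off the network" >&2
        return 1
    fi
    return 0
}

# mirror_args <bridge> <monitored> <output> <name>
# Prints the ovs-vsctl arguments. The @mon/@out/@m references resolve only
# within a single transaction, so the get/create/set steps are not split
# across separate ovs-vsctl invocations.
mirror_args() {
    br="$1"; mon="$2"; out="$3"; name="$4"
    args="-- --id=@mon get Port $mon"
    args="$args -- --id=@out get Port $out"
    args="$args -- --id=@m create Mirror name=$name"
    args="$args select-src-port=@mon select-dst-port=@mon output-port=@out"
    args="$args -- set Bridge $br mirrors=@m"
    printf '%s\n' "$args"
}

# create_mirror <bridge> <monitored> <output> [name]
# Looks up the bridge's ports, validates, then applies the transaction.
create_mirror() {
    br="$1"; mon="$2"; out="$3"; name="${4:-port_mirror1}"
    ports=$("$OVS_VSCTL" list-ports "$br" | tr '\n' ' ') || return 1
    validate_mirror "$ports" "$mon" "$out" || return 1
    # unquoted expansion is intended: the argument string must word-split
    "$OVS_VSCTL" $(mirror_args "$br" "$mon" "$out" "$name")
}

# Usage: sh ovs_mirror.sh demo_bridge attacker0 wireshark0
if [ "$#" -ge 3 ]; then
    create_mirror "$@"
fi
```

Afterwards `ovs-vsctl list Mirror` confirms the select and output ports, and `ovs-vsctl clear Bridge demo_bridge mirrors` removes the mirror again.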
2 Answers
Have you tried using tcpdump to listen on the interface of the VM?
I'm not sure what you are using as a hypervisor, but you should be able to run `ip addr`, and if you can see the ports of the vswitch in that output you can capture on those ports in tcpdump.
You can also run `tcpdump -D`, and that will tell you what libpcap is aware of on the host machine for capturing.
For example, if you are running KVM as the hypervisor you can get the MAC address and name of the port the VM is associated with.

```
# Assuming your xml files for the vms are in the default location also.
cat /etc/libvirt/qemu/{{ name_of_vm }}.xml | grep -A 2 interface
```

From this output you can match up the output from `ip addr`, using the last two digits from the MAC address as a filter.

```
ip a | grep -B 1 -i {{ last_two }}
```

The interface that is returned can then be used by tcpdump.

```
tcpdump -ni {{ vnet_name }} -s0 -vw /var/tmp/{{ vnet_port_out }}.pcap
```

This will capture everything on that port unfiltered.
answered Dec 25 '18 at 0:54
Billy Galloway
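The lookup described in the answer above, as an added example that is not part of the answer: it reads each NIC's MAC and target from the libvirt domain XML and matches the host tap by its full MAC (libvirt sets the tap's MAC to the guest MAC with the first octet replaced by fe), which a last-two-digits grep cannot do safely when several NICs share a suffix. The domain XML and the `ip -o link` sample are constructed; the XML path is the answer's default location and the script name is assumed.

```shell
#!/bin/sh
# Added example, not code from the answer. Resolves a libvirt/KVM guest's NICs
# to the host-side tap device that tcpdump should listen on, matching the full
# MAC instead of its last two digits.

# vm_interfaces <domain.xml>
# Prints "<guest mac> <target dev>" for every <interface>; "-" when the XML
# records no target (libvirt only stores vnetN once one is assigned; for a
# running guest "virsh domiflist <vm>" shows it).
vm_interfaces() {
    awk '
        /<interface /    { mac = ""; dev = "" }
        /<mac address=/  { sub(/.*address=./, ""); sub(/.\/>.*/, ""); mac = $0 }
        /<target dev=/   { sub(/.*dev=./, "");     sub(/.\/>.*/, ""); dev = $0 }
        /<\/interface>/  { if (mac != "") printf "%s %s\n", mac, (dev == "" ? "-" : dev) }
    ' "$1"
}

# tap_for_guest_mac <guest mac>    (reads "ip -o link" output on stdin)
# libvirt gives the tap the guest MAC with its first octet replaced by fe, so
# the whole address can be matched; a two-digit suffix grep would be ambiguous.
tap_for_guest_mac() {
    want="fe${1#??}"
    awk -v want="$want" '
        $0 ~ ("link/ether " want " ") { sub(/[@:].*/, "", $2); print $2; exit }
    '
}

# capture_cmd <tap>: the tcpdump invocation from the answer for that tap.
capture_cmd() {
    printf 'tcpdump -ni %s -s0 -w /var/tmp/%s.pcap\n' "$1" "$1"
}

# Constructed "ip -o link" sample (not real host data): both taps' guest MACs
# end in "cc", the case where filtering on the last two digits breaks down.
SAMPLE_IP_LINK='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP \    link/ether 52:54:00:11:22:cc brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovs-system state UNKNOWN \    link/ether fe:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovs-system state UNKNOWN \    link/ether fe:54:00:dd:ee:cc brd ff:ff:ff:ff:ff:ff'

# Usage: sh find_tap.sh /etc/libvirt/qemu/<vm>.xml   (queries the live host)
if [ "$#" -ge 1 ]; then
    vm_interfaces "$1" | while read -r mac dev; do
        tap=$(ip -o link | tap_for_guest_mac "$mac")
        [ -n "$tap" ] && capture_cmd "$tap" || echo "$mac: no tap found on host" >&2
    done
fi
```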
I have the same question; this is my test case:
I use VM3's NIC to receive the OVS traffic; after setting the mirror, VM3's network breaks and it cannot receive the mirrored traffic.
I found this image showing what sits between the OVS port and the VM NIC.
Using ifconfig you can see what the above image shows: qbr, qvb, qvo, tap.
Using tcpdump to capture on qbrxxx, qvoxxx, qvbxxx and tapxxx, I can see that only tapxxx cannot receive the mirrored traffic (I have set all 4 NICs to promisc).
answered 1 hour ago
jianan yang