0

For testing purposes, I am using Open vswitch to mirror traffic from 2 interfaces eth1 and eth2 to eth3.

Added eth1, eth2 and eth3 to the bridge

I am using the following command to set the mirroring:

ovs-vsctl -- set Bridge br0 mirrors=@m \
 -- --id=@eth1 get Port eth1 \
 -- --id=@eth2 get Port eth2 \
 -- --id=@eth3 get Port eth3 \
 -- --id=@m create Mirror name=e1e2toe3 select-dst-port=@eth1 select-src-port=@eth1 output-port=@eth3

A node with tcpdump is connected to eth3.

tcpdump shows only layer2 traffic: ARP, CDP (Cisco devices connected to eth1 and eth2) conversations between devices connected to eth1 and eth2, but no upper layers: ex: pings, ssh, telnet not visible.

enter image description here

Any hint?

AJN
  • 1,196
  • 2
  • 19
  • 47

1 Answers1

1

Make sure your interfaces are set into promiscuous mode, since switches, by default, will ignore traffic being sent to them unless their ports are set to promiscuous mode:

ifconfig eth1 up

ifconfig eth1 promisc

Sources:

http://www.tcpdump.org/faq.html#q6

https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode

Failing that, use tcprewrite to change the destination MAC/IP addresses of the replayed traffic, assuming you're replaying a .pcap file. (I think you might just have to change one of the two but I can't remember which)

The following guide tells you how to do this:

http://xmodulo.com/how-to-capture-and-replay-network-traffic-on-linux.html

Community
  • 1
  • 1
Alex Hunter
  • 138
  • 2
  • 10