4

I have an EC2 instance, with 3 AWS instances on it.

Now I want to be able to capture all the traffic (inbound and outbound) that goes to the 3 instances in one AWS instance (mirror the traffic to this instance).

Real world networks: Use a TAP or SPAN port on the router.

But in a virtualised AWS environment, how can I do this?

pnuts
deeks jain
  • That is not directly possible. Depending on the reason why you need to capture the traffic, there [*might* be a workaround](https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/). – Michael - sqlbot Nov 10 '15 at 17:43
  • I have built a NIDS which needs to monitor the traffic that's going to the AWS instances in my VPC. Is there no way I can get those packets? – deeks jain Nov 10 '15 at 21:00

3 Answers

3

AWS provides the ability to log and monitor the traffic flowing between instances, subnets or the entire VPC.

See their VPC Traffic Flows product - https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

You are limited in what you can do in AWS in terms of network capture; however, if you need lower-level data capture, you can execute the following on the servers you wish to capture network traffic for.

tcpdump -p -i eth0 -w capture.cap

The capture.cap file contains a packet capture of the traffic through the ENI device.

BestPractices
  • I needed something that would enable me to capture the entire packets to perform analysis on them. The flow logs provide information of the packets but I need the entire packet with payload and the headers intact. – deeks jain Nov 10 '15 at 20:56
  • Updated my answer based on your comment – BestPractices Nov 10 '15 at 21:17
  • Thank you. How could I do it in the scenario described: Where I have 3 instances in the same VPC, I need to monitor traffic to and from all three of them. One way is run tcpdump on each. Is there any other way that I can get all the above traffic onto another instance running on AWS in the same VPC (just like what a distributed switch with Span port does) – deeks jain Nov 10 '15 at 21:53
  • well, you could certainly sync the tcp dump files to the 4th instance using rsync or syslog. Other than that, there's not a way to sniff the traffic in AWS like how you'd probably like to do it. – BestPractices Nov 11 '15 at 22:34
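The per-instance capture plus shipping to a fourth instance that this answer and its comments describe, as an added example (not code from the original answer): a POSIX shell script that runs tcpdump with time-based file rotation and hands each closed file to rsync over SSH. The collector address and user, the directories, the rotation interval, the script name `capture.sh` and the `tcpdump` system user are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original answer): run a rotating tcpdump
# on each monitored instance and ship every closed capture file to the
# collector instance with rsync over SSH. Two entry points:
#   sh capture.sh            start the capture (as root; tcpdump then drops privileges)
#   sh capture.sh FILE.pcap  post-rotate hook that tcpdump calls via -z
# The collector address, user, directories and interval are assumptions.
set -eu

IFACE="${IFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-/var/capture}"
COLLECTOR="${COLLECTOR:-capture@10.0.0.250}"       # assumed collector instance
REMOTE_DIR="${REMOTE_DIR:-/srv/pcap/$(uname -n)}"  # one directory per sender
ROTATE_SECS="${ROTATE_SECS:-300}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands only; DRY_RUN=0 executes them

# Execute a command string, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# tcpdump flags: -p leaves the ENI out of promiscuous mode (the VPC only
# delivers this instance's own frames anyway); -G closes the file every
# ROTATE_SECS seconds and opens a new timestamped one; -z runs $1 with the
# closed file as its single argument (tcpdump passes no other arguments, so
# the hook must be an executable path); -Z drops root once the interface is
# open, so CAPTURE_DIR must be writable by the tcpdump user.
capture_cmd() {
    printf 'tcpdump -p -i %s -G %s -w %s/%%Y%%m%%d%%H%%M%%S.pcap -z %s -Z tcpdump' \
        "$IFACE" "$ROTATE_SECS" "$CAPTURE_DIR" "$1"
}

# Ship one closed file and delete it locally on success, so the sender's
# disk does not fill up while the collector keeps the full history.
ship_cmd() {
    printf 'rsync -az --remove-source-files -e ssh %s %s:%s/' \
        "$1" "$COLLECTOR" "$REMOTE_DIR"
}

main() {
    case "${1:-}" in
        *.pcap) run "$(ship_cmd "$1")" ;;                      # hook mode
        '')     run "mkdir -p $CAPTURE_DIR"
                run "$(capture_cmd "$(readlink -f "$0")")" ;;  # capture mode
        *)      echo "usage: $0 [FILE.pcap]" >&2; return 2 ;;
    esac
}

# Only run when invoked as a script named capture.sh, so the functions can
# also be sourced and tested on their own.
case "${0##*/}" in capture.sh) main "$@" ;; esac
```

Because of `-Z`, the hook runs as the `tcpdump` user, so that user needs a key that the collector accepts and the script must be executable (`chmod +x`). On the collector the per-sender directories can be merged with `mergecap` before feeding the NIDS; running the NIDS on three separate streams works too, but cross-host correlation is easier on one time-ordered file.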
2

Because of its scale, the VPC network infrastructure was implemented as a software-defined network. It emulates Ethernet but it isn't Ethernet. There are no collision or broadcast domains, and no multicast. In fact, when one instance "arps" for another one, even that traffic never makes it to the destination instance -- the (correct) arp response is actually generated by the network. And, there is no provision for port mirroring.

Aside from running tcpdump on an instance itself, the only alternative that comes to mind involves a layer 3 setup.

You'd configure a separate instance -- where you'd be capturing the traffic -- and then use iptables to NAT the traffic on behalf of the internal instance(s) whose traffic you're intercepting. The capture/NAT instance would be placed on a "public" subnet (definition: a subnet whose default gateway is the igw-xxxxxxxx Internet Gateway object) and would have the monitored instance's public IP(s) attached to it, instead of them being attached to the instance where the traffic ultimately terminates. The capture instance's "IP source/dest check" attribute would be disabled.

Then, the monitored instances would be placed on a private subnet (definition: a subnet whose default route is not the igw). This subnet's default gateway would point to the capture/NAT instance, as the return path for all of the NAT-ed traffic for translation in the reverse direction.

Michael - sqlbot
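The layer 3 capture/NAT instance this answer lays out, as an added example (not code from the original answer): a POSIX shell script that turns on forwarding, disables the source/dest check, points the private subnet's default route at the capture instance, and installs one DNAT/SNAT pair per monitored instance. Each monitored instance's Elastic IP is associated with a secondary private address on the capture instance's ENI, which is how "the monitored instance's public IP is attached to the capture instance" looks from inside the VPC. The ENI, route table and address values are assumptions, as is the script name `nat-capture.sh`.

```shell
#!/bin/sh
# Added example (not code from the original answer): configure the capture/NAT
# instance the answer describes. Each monitored instance's Elastic IP is
# associated with a secondary private address on this instance's ENI, so
# inbound packets arrive here addressed to that secondary address and are
# DNATed to the monitored instance; replies and outbound connections come
# back via the private subnet's default route and are SNATed to the same
# secondary address. All IDs and addresses below are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands only; DRY_RUN=0 executes
CAPTURE_ENI="${CAPTURE_ENI:-eni-0123456789abcdef0}"   # this instance's ENI (assumed)
PRIVATE_RTB="${PRIVATE_RTB:-rtb-0123456789abcdef0}"   # private subnet route table (assumed)
IFACE="${IFACE:-eth0}"
# "secondary-private-IP monitored-private-IP" pairs, one per monitored instance.
MAPPINGS="${MAPPINGS:-10.0.0.11 10.0.1.10
10.0.0.12 10.0.1.11
10.0.0.13 10.0.1.12}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# VPC side: the ENI must accept packets that are neither from nor to its own
# addresses (source/dest check off), and the private subnet's default route
# must point at it.
aws_prep_cmds() {
    printf 'aws ec2 modify-network-interface-attribute --network-interface-id %s --no-source-dest-check\n' "$CAPTURE_ENI"
    printf 'aws ec2 create-route --route-table-id %s --destination-cidr-block 0.0.0.0/0 --network-interface-id %s\n' "$PRIVATE_RTB" "$CAPTURE_ENI"
}

# Kernel side for one monitored instance: $1 is the secondary private address
# here that carries its Elastic IP, $2 is the monitored instance's address.
nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$IFACE" "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$IFACE" "$2" "$1"
}

main() {
    run 'sysctl -w net.ipv4.ip_forward=1'
    aws_prep_cmds | while read -r cmd; do run "$cmd"; done
    printf '%s\n' "$MAPPINGS" | while read -r secondary monitored; do
        [ -n "$secondary" ] || continue
        nat_rules "$secondary" "$monitored" | while read -r cmd; do run "$cmd"; done
    done
    # Every packet between the Internet and the three instances now traverses
    # this box, so the plain capture from the first answer sees both directions:
    #   tcpdump -p -i eth0 -w capture.cap
}

case "${0##*/}" in nat-capture.sh) main ;; esac
```

The rules assume the `FORWARD` chain's default policy is `ACCEPT`; lock it down to the monitored addresses if this box also does anything else. Two limits are inherent in the design: only traffic that crosses the capture instance is seen, so packets between the three monitored instances inside their own subnet follow the VPC's local route and never reach it, and the capture box is a single point of failure for all three instances' connectivity.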
0

Previously, there was no ability to mirror traffic natively in AWS. You had to use a workaround to route packets where you wanted them. That's now changed with the new AWS announcement of VPC traffic mirroring.

Basically, you can mirror traffic from EC2 instances or entire VPCs to a destination of your choosing. This is actually easier than on-premises in many cases because you don't need to go through the network team. On the flip side, it will make it easier for attackers to snoop on traffic if they gain administrative controls of systems. I recorded a lightboard video to explain AWS VPC traffic mirroring and why it's important for security visibility.