Port mirroring

Open vSwitch can send a copy of the traffic of one or more interfaces to another interface. It can also redirect the traffic of an entire VLAN to a specific port, or vice versa. Only incoming traffic, only outgoing traffic, or both can be mirrored. This feature lets you monitor the network traffic exchanged between instances in order to detect (or prevent) attacks.

Example:

Mirroring the traffic of the vnet2 interface, which belongs to an instance, to the mirror0 port, an internal-type port created specifically for capturing:

sudo ovs-vsctl -- set Bridge ovs-sw0 mirrors=@m -- \
--id=@mirror0 get Port mirror0 -- --id=@vnet2 get Port vnet2 -- \
--id=@m create Mirror name=mymirror select-dst-port=@vnet2 \
select-src-port=@vnet2 output-port=@mirror0

where the --id=@<variable_name> construct defines a variable holding the identifier of the record produced by the command that follows it;

the command set Bridge ovs-sw0 mirrors=@m attaches to the bridge ovs-sw0 the mirror whose name and parameters are taken from the variable @m;

the command --id=@mirror0 get Port mirror0 -- --id=@vnet2 get Port vnet2 assigns the variables @mirror0 and @vnet2 the identifiers (UUIDs) of the corresponding Port records;

the command --id=@m create Mirror name=mymirror select-dst-port=@vnet2 select-src-port=@vnet2 output-port=@mirror0 creates the Mirror record with the given name and parameters and stores its identifier in the variable @m;

select-dst-port mirrors incoming traffic (packets the bridge delivers to the selected port, i.e. traffic arriving at the instance);

select-src-port mirrors outbound traffic (packets that enter the bridge from the selected port, i.e. traffic sent by the instance);

output-port is the port to which the copied traffic is sent.

With the tcpdump console utility running on the node, you can capture all traffic arriving at, for example, the mirror0 port. To do this, run the command:

tcpdump -i mirror0

It is also possible to forward copies of all packets passing through several ports, for example eth0 and eth1, to a single port, eth2:

sudo ovs-vsctl -- set Bridge ovs-sw0 mirrors=@m \
-- --id=@eth0 get Port eth0 -- --id=@eth1 get Port eth1 \
-- --id=@eth2 get Port eth2 \
-- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 \
select-src-port=@eth0,@eth1 output-port=@eth2

where the --id=@<variable_name> construct defines a variable holding the identifier of the record produced by the command that follows it;

the command set Bridge ovs-sw0 mirrors=@m attaches to the bridge ovs-sw0 the mirror whose name and parameters are taken from the variable @m;

the command --id=@eth0 get Port eth0 -- --id=@eth1 get Port eth1 -- --id=@eth2 get Port eth2 assigns the variables @eth0, @eth1 and @eth2 the identifiers (UUIDs) of the corresponding Port records;

the command --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2 creates the Mirror record with the given name and parameters and stores its identifier in the variable @m (several ports are listed separated by commas, without spaces);

select-dst-port mirrors incoming traffic (packets the bridge delivers to the selected ports);

select-src-port mirrors outbound traffic (packets that enter the bridge from the selected ports);

output-port is the port to which the copied traffic is sent.

To cancel mirroring, run the command:

sudo ovs-vsctl remove Bridge ovs-sw0 mirrors mymirror
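The following shell helpers are an added example, not part of the original page, that wrap the whole procedure described above: creating the internal capture port, building the ovs-vsctl mirror command for one or more source ports in a chosen direction, checking the mirror's counters, and tearing everything down. Bridge ovs-sw0, capture port mirror0 and mirror name mymirror are taken from the page; the function names, the @out variable name and the "in | out | both" direction convention (relative to the instance) are this example's own choices. Teardown uses `clear Bridge ... mirrors`, which detaches every mirror from the bridge at once.

```shell
#!/bin/sh
# Added example (not from the original page): helpers around the ovs-vsctl
# mirror configuration. Assumed names: bridge ovs-sw0, capture port mirror0,
# mirror mymirror (from the page); function names and @out are this example's.

# Create an internal-type port on the bridge to receive mirrored traffic and
# bring its interface up so that tcpdump can capture on it.
setup_capture_port() {            # $1 bridge, $2 port name
    sudo ovs-vsctl add-port "$1" "$2" -- set Interface "$2" type=internal
    sudo ip link set "$2" up
}

# Print (do not run) the ovs-vsctl invocation that creates a mirror:
#   $1 bridge   $2 mirror name   $3 direction: in | out | both (as seen by the instance)
#   $4 output port   $5.. one or more ports whose traffic is copied
build_mirror_cmd() {
    bridge=$1; name=$2; dir=$3; out=$4; shift 4
    cmd="ovs-vsctl -- set Bridge $bridge mirrors=@m"
    refs=""
    for p in "$@"; do
        # each source port gets a variable that holds its Port record UUID
        cmd="$cmd -- --id=@$p get Port $p"
        refs="${refs:+$refs,}@$p"     # comma-separated list, no spaces
    done
    cmd="$cmd -- --id=@out get Port $out"
    cmd="$cmd -- --id=@m create Mirror name=$name"
    case $dir in
        in)   cmd="$cmd select-dst-port=$refs" ;;   # packets delivered to the ports
        out)  cmd="$cmd select-src-port=$refs" ;;   # packets arriving from the ports
        both) cmd="$cmd select-dst-port=$refs select-src-port=$refs" ;;
        *)    echo "build_mirror_cmd: direction must be in, out or both" >&2; return 1 ;;
    esac
    echo "$cmd output-port=@out"
}

# Apply a mirror and print the resulting Mirror record so the port references can be checked.
apply_mirror() {
    cmd=$(build_mirror_cmd "$@") || return 1
    sudo sh -c "$cmd" && sudo ovs-vsctl list Mirror "$2"
}

# tx_packets / tx_bytes of the mirror's statistics column: confirms traffic is
# actually being copied before relying on the capture.
mirror_stats() {                  # $1 mirror name
    sudo ovs-vsctl get Mirror "$1" statistics
}

# Detach all mirrors from the bridge and delete the capture port.
teardown() {                      # $1 bridge, $2 capture port
    sudo ovs-vsctl clear Bridge "$1" mirrors
    sudo ovs-vsctl del-port "$1" "$2"
}

# Usage when run as a script:  sh mirror.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_capture_port ovs-sw0 mirror0
    apply_mirror ovs-sw0 mymirror both mirror0 vnet2
    mirror_stats mymirror
fi
```

build_mirror_cmd only prints the command, so the argument list can be reviewed before it is run with privileges; apply_mirror runs it and immediately lists the Mirror record, which is the quickest way to verify that select-src-port, select-dst-port and output-port point at the intended Port UUIDs.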