network TAP / mirror ports
If you need to run monitoring equipment looking for threats or whatever on your network, you need a way to get a copy of the traffic flowing through a switch or router to your monitoring doo-dad, usually either a Linux server or a Linux-based appliance. If you were hooking up an IDS, you’d want a mirror port somewhere, tied via Cat5/6 cable to a spare Ethernet port on your server that is configured to just listen (which is also called promiscuous mode).
It can be tricky to get your router to create a mirror port, or SPAN port in Cisco world. You have to select a SOURCE port or ports and ask the switch/router to copy those packets to your DESTINATION port, which hooks back into your network monitoring thing.
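The same SOURCE-to-DESTINATION copy done on a Linux box with tc, plus the listen-only setup for the sensor port, as an added example that is not from the original post. The interface names (eth0, eth1, eth2) and the APPLY switch are assumptions; commands are only printed unless APPLY=1 is set and you are root.

```sh
#!/bin/sh
# Added example. Interface names are assumptions; nothing is changed
# unless APPLY=1 is set (root required), otherwise commands are only printed.

run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

valid_if() {
    # Linux interface names: at most 15 characters; keep to a safe charset.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

mirror_setup() {
    src=$1; dst=$2
    if ! valid_if "$src" || ! valid_if "$dst"; then
        echo "invalid interface name" >&2; return 2
    fi
    # Mirroring a port onto itself would re-send every frame out the source.
    if [ "$src" = "$dst" ]; then
        echo "SOURCE and DESTINATION must differ" >&2; return 3
    fi
    # Copy everything received on SOURCE to DESTINATION.
    run tc qdisc add dev "$src" handle ffff: ingress
    run tc filter add dev "$src" parent ffff: protocol all u32 \
        match u8 0 0 action mirred egress mirror dev "$dst"
    # Copy everything sent from SOURCE to DESTINATION.
    run tc qdisc add dev "$src" handle 1: root prio
    run tc filter add dev "$src" parent 1: protocol all u32 \
        match u8 0 0 action mirred egress mirror dev "$dst"
}

sensor_setup() {
    mon=$1
    if ! valid_if "$mon"; then echo "invalid interface name" >&2; return 2; fi
    # Listen-only capture port: no IP address, link up, promiscuous mode on.
    run ip addr flush dev "$mon"
    run ip link set dev "$mon" up promisc on
}

case "${1:-}" in
    mirror) mirror_setup "${2:-}" "${3:-}" ;;
    sensor) sensor_setup "${2:-}" ;;
esac
```

Run it as `sh script.sh mirror eth0 eth1` on the box forwarding the traffic and `sh script.sh sensor eth2` on the monitoring server to review the commands first, then repeat with APPLY=1.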
References:
using tc:
http://serverfault.com/questions/225178/copying-packets-from-an-interface-to-another
basic Linux bridge config:
http://sethsec.blogspot.com/2014/01/i-just-wanted-to.html
Setting up a virtual Linux switch with mirroring (advanced):
commercial tap thing:
http://wiki.networksecuritytoolkit.org/index.php/Multi-Tap_Network_Packet_Capturing