[SOLVED] Linux bridge port mirror using tc (only receiving broadcast traffic)

Jeroen Rijken

Member
Sep 24, 2018
Hi all,

I'm following up on this thread: https://forum.proxmox.com/threads/deploying-security-onion-proxmox-port-mirroring.37036/

I'm trying to create a port mirror from one Linux bridge to another using tc, but I'm only receiving broadcast traffic (mostly ARP and some DHCP). I basically followed the guide written by backreference in 2014 (can't post link) called "port mirroring with Linux bridges".

This is my interface file:
Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage part of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eth1
allow-hotplug eth1

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address  10.5.0.1
    netmask  255.255.0.0
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    dns-nameserver 10.5.0.2
    dns-search summercamp.local
#LAN (intern)

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0
#WAN (extern)

auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    up ip link set $IFACE promisc on
    post-up /etc/network/mirror.d/mirror-up.sh
    pre-down /etc/network/mirror.d/mirror-down.sh
    down ip link set $IFACE promisc off
# Mirror for LAN

These are the two code files:
mirror-up.sh
Code:
#!/bin/sh
sif=vmbr0
dif=vmbr2

# ingress
tc qdisc add dev "$sif" ingress
tc filter add dev "$sif" parent ffff: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"

# egress
tc qdisc add dev "$sif" handle 1: root prio
tc filter add dev "$sif" parent 1: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"

mirror-down.sh
Code:
#!/bin/sh
sif=vmbr0

tc qdisc del dev "$sif" ingress
tc qdisc del dev "$sif" root

I don't understand why I'm only receiving broadcast traffic when I connect a machine to vmbr2. I'm guessing it has something to do with the tunnel interfaces, but I'm not sure. Even when I mirror vmbr0 directly to tap160i0 I only see broadcast traffic.
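Added example (not code from the post or from the backreference guide): an idempotent variant of the mirror-up script together with a counter check that tells a mirror problem apart from a tap-point problem. The point of the check is that a tc filter attached to the bridge device itself (vmbr0) only sees frames the kernel delivers to the host's own stack, which is broadcast/multicast plus traffic addressed to the host's IP; frames the bridge forwards between its ports pass through the slave ports (eth0, the tap devices), not through vmbr0. If the packet counter on the vmbr0 filter tracks only the broadcast traffic that arrives on the mirror destination, the mirror is copying everything it is offered, and the attach point is what needs reconsidering. Assumptions: iproute2 with the matchall classifier (a replacement for the `u32 match u8 0 0` catch-all); the "Sent N bytes M pkt" line is the standard iproute2 action statistics format; the interface names are the post's; the tc output below is constructed, not captured from a real host. Setting DRY_RUN=1 prints the tc commands instead of running them, so the setup can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors both directions of a
# source interface onto a destination interface with tc, re-runnably, and
# reads back the filter's packet counter to check what the mirror sees.

# Execute the command, or echo it when DRY_RUN=1 (lets the command list be
# inspected and tested without root or real interfaces).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mirror_up SIF DIF: copy everything entering or leaving SIF onto DIF.
# Existing qdiscs are removed first so an ifdown/ifup cycle does not fail
# with "RTNETLINK answers: File exists" on the second run.
mirror_up() {
    sif=$1
    dif=$2
    run tc qdisc del dev "$sif" ingress 2>/dev/null || true
    run tc qdisc del dev "$sif" root 2>/dev/null || true
    # ingress: frames received on $sif
    run tc qdisc add dev "$sif" ingress
    run tc filter add dev "$sif" parent ffff: protocol all matchall \
        action mirred egress mirror dev "$dif"
    # egress: frames transmitted by $sif
    run tc qdisc add dev "$sif" handle 1: root prio
    run tc filter add dev "$sif" parent 1: protocol all matchall \
        action mirred egress mirror dev "$dif"
}

# mirror_down SIF: remove both qdiscs (and with them the mirred filters).
mirror_down() {
    sif=$1
    run tc qdisc del dev "$sif" ingress 2>/dev/null || true
    run tc qdisc del dev "$sif" root 2>/dev/null || true
}

# filter_pkts: read `tc -s filter show dev IF ingress` output on stdin and
# print the summed packet count from the "Sent N bytes M pkt" lines that
# iproute2 prints under "Action statistics".
filter_pkts() {
    awk '/Sent [0-9]+ bytes [0-9]+ pkt/ {
             for (i = 1; i <= NF; i++) if ($i == "pkt") n += $(i - 1)
         }
         END { print n + 0 }'
}

# Constructed sample of `tc -s filter show dev vmbr0 ingress` (assumed
# format, not captured from a real host), used to exercise filter_pkts.
SAMPLE_STATS='filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  not_in_hw
        action order 1: mirred (Egress Mirror to device vmbr2) pipe
        index 1 ref 1 bind 1
        Sent 48132 bytes 412 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0'

sample_pkts() {
    printf '%s\n' "$SAMPLE_STATS" | filter_pkts
}

# Usage on a live host (root): ./mirror.sh up | down | stats
case "${1:-}" in
    up)    mirror_up vmbr0 vmbr2 ;;
    down)  mirror_down vmbr0 ;;
    stats) tc -s filter show dev vmbr0 ingress | filter_pkts ;;
esac
```

To use the check, generate known traffic (for example a ping from one VM on vmbr0 to another) while watching `./mirror.sh stats`; unicast frames between two bridge ports will not move the vmbr0 counter, which is the symptom described in the post, whereas the same filter attached to a slave port such as eth0 or a tap device counts them.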