[SOLVED] Linux bridge port mirror using tc (only receiving broadcast traffic)

Jeroen Rijken

Member
Sep 24, 2018
2
1
6
29
Hi all,

I'm following up on this thread: https://forum.proxmox.com/threads/deploying-security-onion-proxmox-port-mirroring.37036/

I'm trying to create a port mirror from one linux bridge to another using tc, but I'm only receiving broadcast traffic (mostly ARP and some DHCP). I basically followed the guide written by backreference in 2014 (can't post link) called "port mirroring with linux bridges".


This is my interface file:
Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage part of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eth1
allow-hotplug eth1

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address  10.5.0.1
    netmask  255.255.0.0
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    dns-nameserver 10.5.0.2
    dns-search summercamp.local
#LAN (intern)

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0
#WAN (extern)

auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    up ip link set $IFACE promisc on
    post-up /etc/network/mirror.d/mirror-up.sh
    pre-down /etc/network/mirror.d/mirror-down.sh
    down ip link set $IFACE promisc off
# Mirror voor LAN

These are the two code files:
mirror-up.sh
Code:
#!/bin/sh
sif=vmbr0
dif=vmbr2

# ingress
tc qdisc add dev "$sif" ingress
tc filter add dev "$sif" parent ffff: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"

# egress
tc qdisc add dev "$sif" handle 1: root prio
tc filter add dev "$sif" parent 1: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"

mirror-down.sh
Code:
#!/bin/sh
sif=vmbr0

tc qdisc del dev $sif ingress
tc qdisc del dev $sif root

I don't understand why I'm only receiving broadcast traffic when I connect a machine to vmbr2. I'm guessing it has something to do with the tunnel interfaces, but I'm not sure. Even when I mirror vmbr0 directly to tap160i0 I only see broadcast traffic.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!