Missing mirrored/SPAN traffic inside VM on Proxmox VE 9

kokthay

Hello,

I would like to report a problem I am facing with Proxmox VE 9.

I am using Proxmox VE 9 to create a VM for capturing mirrored traffic coming from Cisco SPAN and FortiGate. SPAN (Switched Port Analyzer) is a port mirroring feature that copies network traffic from one or more source ports/VLANs to a destination port for monitoring and packet capture.
My setup is as follows:
  • I created a vmbr bridge in Proxmox.
  • That bridge is attached to the physical NIC connected to the destination SPAN port from the switch or FortiGate.
  • A VM is attached to that vmbr.
  • Inside the VM, I use tcpdump to capture the mirrored traffic.
The problem is that the traffic captured inside the VM is incomplete:
  • Some packets are missing.
  • I often see only one direction of traffic instead of both RX and TX.
  • A large amount of mirrored traffic does not appear in the VM capture.
At first, I thought the problem came from the switch SPAN configuration, so I moved the mirror source to FortiGate instead. However, the same issue still happens. Then I tested capturing directly on the Proxmox host using tcpdump on the physical NIC, and in that case I can see the full mirrored traffic correctly. So the issue seems to happen only when the mirrored traffic is passed through Proxmox to the VM.

I am not sure about the real cause, but I suspect the Proxmox host or kernel may be dropping or filtering mirrored traffic before it reaches the VM.

Has anyone seen this behavior before on Proxmox VE? Are there any settings related to Linux bridge, NIC offloading, promiscuous mode, packet filtering, or VM virtual NIC type that I should check?


Thank you.
 
I'm using a VM for traffic capturing, but I haven't attached the NIC to any vmbr, I've just directly added the raw PCI device (NIC) to the VM. Works as fine as it possibly can when talking about SPAN.
 
Hi,

You need Open vSwitch instead of native Linux bridges (https://pve.proxmox.com/wiki/Open_vSwitch) to get working port mirroring (https://docs.openvswitch.org/en/latest/faq/configuration/).

Regards,

Christophe.
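
One way to quantify the "only one direction" symptom from the original post, as an added example that is not from any poster in this thread: the Python script below parses classic pcap files (for instance one `tcpdump -w` capture from the host NIC and one from inside the VM) and counts TCP/UDP conversations seen in a single direction only. All function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def frames(pcap):
    """Yield captured frames from a classic (non-pcapng) pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def one_way_flows(pcap):
    """Return (one_way, total) for TCP/UDP-over-IPv4 conversations in pcap."""
    seen = defaultdict(set)  # conversation -> set of directions observed
    for f in frames(pcap):
        l3 = 18 if f[12:14] == b"\x81\x00" else 14  # step over one 802.1Q tag
        if f[l3 - 2:l3] != b"\x08\x00" or len(f) < l3 + 20:
            continue  # not IPv4, or truncated
        ihl, proto = (f[l3] & 0x0F) * 4, f[l3 + 9]
        fragment = int.from_bytes(f[l3 + 6:l3 + 8], "big") & 0x1FFF
        if proto not in (6, 17) or fragment or len(f) < l3 + ihl + 4:
            continue  # no usable port fields
        a = (f[l3 + 12:l3 + 16], f[l3 + ihl:l3 + ihl + 2])  # src IP, src port
        b = (f[l3 + 16:l3 + 20], f[l3 + ihl + 2:l3 + ihl + 4])  # dst IP, dst port
        seen[(proto, min(a, b), max(a, b))].add(a < b)
    return sum(len(d) == 1 for d in seen.values()), len(seen)

def make_pkt(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(16)

def make_pcap(pkts):
    """Wrap frames in a little-endian classic pcap container."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)

C, S = (10, 0, 0, 5), (10, 0, 0, 9)  # constructed client and server addresses
HOST_PCAP = make_pcap([make_pkt(C, S, 40000, 443), make_pkt(S, C, 443, 40000),
                       make_pkt(C, S, 40001, 80), make_pkt(S, C, 80, 40001)])
VM_PCAP = make_pcap([make_pkt(C, S, 40000, 443), make_pkt(S, C, 443, 40000),
                     make_pkt(C, S, 40001, 80)])  # constructed: reply direction missing

if __name__ == "__main__":
    for name, cap in (("host", HOST_PCAP), ("vm", VM_PCAP)):
        print(name, "one-way/total flows: %d/%d" % one_way_flows(cap))
```

For real captures, pass the file contents, e.g. `one_way_flows(open(path, "rb").read())`. Some one-way conversations are normal (unanswered connection attempts, one-directional UDP), so compare the VM's ratio against the host capture taken over the same interval rather than expecting zero.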
 