Pulling my hair out trying to get port mirror to work

[noak]

Hey Folks,

I have a proxmox server with 2 NIC cards. My goal is to utilize the 2nd NIC card as a mirrored port to dump my network packets into a VM.

I have setup the port mirror on my switch properly. I believe I have setup the port mirror on proxmox properly following a guide (attached commands).

When I run TCPDUMP on the proxmox host directly on the NIC I can see the mirrored packets, I can also see the mirrored packets when I run tcpdump on the ovs bridge and the tap interface.

However, tcpdump on the VM (Freebsd os) does not show the packets. There are no firewalls enabled. I am stuck... can anyone please help?

Attaching file with config snippets from proxmox.

 

[LnxBil]

I'd passthrough the network device directly to the analysing VM, so that you do not need any configuration on PVE besides the passthrough. If you switch does port mirroring, all packages should already be there - no configuration necessary.

 

[noak]

How would I pass through the NIC directly? As far as I am aware, I need to add that network device into a proxmox virtual bridge and then assign the virtual bridge to the VM.

 

[LnxBil]

How would I pass through the NIC directly?

https://pve.proxmox.com/wiki/Pci_passthrough

As far as I am aware, I need to add that network device into a proxmox virtual bridge and then assign the virtual bridge to the VM.

Should work too, but with OVS it's more complicated, because it is a "real" switch in hardware, so that you have to configure that one too. If you'd use a "ordinary" linux bridge, it should work out-of-the-box.

 

[noak]

I originally tried it with the linux bridge by turning it into a hub (setting timer to 0). But that did not work either. I will look into the pci passthrough.

 

[morph027]

Once upon a time i've been using daemonlogger for this (sending all incoming traffic to a Snort VM) which worked quite good.