I’m preparing a virtual laboratory for IDS and honeypot testing that will run on my OpenNebula private cloud. In the following diagram you can see that I want my IDS (sherlock) to inspect the traffic from/to my Vyatta firewall, so I’ll do that by configuring port mirroring, thanks to Open vSwitch’s impressive functionality. (I’ve used Dia to create this diagram; what a great tool!)
My N40L server has only one physical Ethernet interface (eth0), and I’ve already created an Open vSwitch bridge called br0 with eth0 attached to it as a port.
In OpenNebula I’ve configured one virtual network called inet, which is assigned to br0. Watson (my Vyatta router) and Sherlock (my OSSIM machine full of sensors) each have one interface attached to inet/br0: vnet2 and vnet0 respectively.
# ovs-vsctl show
...
    Bridge "br0"
        Port "vnet2"
            Interface "vnet2"
        Port "eth0"
            Interface "eth0"
        Port "vnet0"
            Interface "vnet0"
        Port "br0"
            Interface "br0"
                type: internal
OK. Now, according to the ovs-vsctl man page, a Mirror record has three port columns: select-src-port and select-dst-port name the port whose sent and received frames are copied (here vnet2, the firewall), and output-port names the port the copies are delivered to (here vnet0, the IDS). So, if I want vnet2’s traffic to be mirrored onto vnet0, I’ll run this command. (As originally published, the command had the two ports interchanged, which mirrors vnet0’s traffic onto vnet2 instead, as a reader points out in the comments; the corrected form is shown here.)

# ovs-vsctl -- set Bridge br0 mirrors=@m \
    -- --id=@vnet0 get Port vnet0 \
    -- --id=@vnet2 get Port vnet2 \
    -- --id=@m create Mirror name=mymirror select-dst-port=@vnet2 select-src-port=@vnet2 output-port=@vnet0
b74eaf43-92ca-48f5-9fe6-9a561a9937dd        // the mirror id

# ovs-vsctl list Bridge br0
_uuid               : e3e03141-9754-489b-b4b8-17de2f063b44
controller          : []
datapath_id         : "0000009c029752bd"
datapath_type       : ""
external_ids        : {}
fail_mode           : []
flood_vlans         : []
flow_tables         : {}
mirrors             : [b74eaf43-92ca-48f5-9fe6-9a561a9937dd]   // the mirror id is the one shown after the previous command
I checked that, as soon as the mirror was set, my tcpdump started showing traffic sent to my firewall, so that’s exactly what I wanted 😀
If you want to stop the mirror you can clear the bridge’s mirrors column (note that this removes every mirror on br0, and the Mirror records that are no longer referenced are deleted with it):
# ovs-vsctl clear Bridge br0 mirrors
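The same procedure as a small script, added here as an example and not code from the original post: it builds the mirror transaction with the port roles spelled out (the watched port goes in select-src-port/select-dst-port, the sensor port in output-port), verifies after creation that the Mirror row really points at the intended Port rows, and removes only that one mirror instead of clearing all of them. The bridge, port and mirror names (br0, vnet2, vnet0, ids-span) are assumptions taken from this post and can be overridden through environment variables; it needs a working ovs-vsctl for everything except the dry-run.

```shell
#!/bin/sh
# Added example (not the original post's code): create, verify and remove an
# Open vSwitch port mirror that copies everything entering or leaving one port
# (the firewall's vnet2) to a second port (the IDS's vnet0).
set -u

BRIDGE="${BRIDGE:-br0}"                 # assumed names, taken from the post
WATCHED="${WATCHED:-vnet2}"             # port whose traffic the IDS should see
SENSOR="${SENSOR:-vnet0}"               # port the IDS listens on
MIRROR_NAME="${MIRROR_NAME:-ids-span}"  # hypothetical mirror name

# Build the ovs-vsctl transaction as one argument string. The rule to remember:
# select-src-port/select-dst-port name the port being WATCHED (frames it sends
# and frames it receives); output-port names the port that RECEIVES the copies.
# Swapping them mirrors the IDS's own traffic into the firewall instead.
mirror_create_args() {
    # $1 bridge, $2 watched port, $3 sensor port, $4 mirror name
    printf 'set Bridge %s mirrors=@m -- --id=@w get Port %s -- --id=@s get Port %s -- --id=@m create Mirror name=%s select-src-port=@w select-dst-port=@w output-port=@s' \
        "$1" "$2" "$3" "$4"
}

mirror_create() {
    # Word splitting of the generated string is intended: OVS names have no spaces.
    # shellcheck disable=SC2046
    ovs-vsctl $(mirror_create_args "$@")
}

# True when UUID $1 is non-empty and appears in column value $2, which ovs-vsctl
# prints either as a bare uuid (output_port) or as a [uuid, ...] set (select_*).
uuid_in() {
    [ -n "$1" ] || return 1
    case "$2" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# Cross-check the UUIDs the Mirror row points at against the Port rows, so a
# swapped select/output pair is caught before anyone trusts what the IDS reports.
mirror_verify() {
    # $1 watched port, $2 sensor port, $3 mirror name
    watched_uuid=$(ovs-vsctl get Port "$1" _uuid)
    sensor_uuid=$(ovs-vsctl get Port "$2" _uuid)
    sel_src=$(ovs-vsctl get Mirror "$3" select_src_port)
    sel_dst=$(ovs-vsctl get Mirror "$3" select_dst_port)
    out=$(ovs-vsctl get Mirror "$3" output_port)
    uuid_in "$watched_uuid" "$sel_src" || { echo "select_src_port does not name $1" >&2; return 1; }
    uuid_in "$watched_uuid" "$sel_dst" || { echo "select_dst_port does not name $1" >&2; return 1; }
    uuid_in "$sensor_uuid" "$out"      || { echo "output_port does not name $2" >&2; return 1; }
    echo "mirror $3: $1 -> $2 OK"
}

# Remove one named mirror only; 'ovs-vsctl clear Bridge br0 mirrors' would drop
# every mirror on the bridge.
mirror_delete() {
    # $1 bridge, $2 mirror name
    ovs-vsctl -- --id=@m get Mirror "$2" -- remove Bridge "$1" mirrors @m
}

case "${1:-}" in
    create) mirror_create "$BRIDGE" "$WATCHED" "$SENSOR" "$MIRROR_NAME" &&
            mirror_verify "$WATCHED" "$SENSOR" "$MIRROR_NAME" ;;
    verify) mirror_verify "$WATCHED" "$SENSOR" "$MIRROR_NAME" ;;
    delete) mirror_delete "$BRIDGE" "$MIRROR_NAME" ;;
    *)      echo "dry run: ovs-vsctl $(mirror_create_args "$BRIDGE" "$WATCHED" "$SENSOR" "$MIRROR_NAME")" ;;
esac
```

Run it as `sh mirror.sh create` on the hypervisor, then `tcpdump -ni eth0` inside the IDS VM should show frames that are neither from nor to the IDS itself. One caveat worth knowing before relying on the setup: Open vSwitch reserves a mirror's output port exclusively for mirroring, so the sensor port only receives the copies and frames the VM sends on it are discarded; if the IDS also needs management or updates, give it a second vNIC on another network.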
Well, the ovs-vsctl man page is full of info, so if I find more interesting things I’ll let you know.
Hi,
I have a question. When I add the eth0 interface to my bridge br0, the outside connectivity goes. In that case, how will I send and check the traffic?
Thanks
vnm
Hi,
first of all, I’m sorry I haven’t answered you before, but I’ve been away from the keyboard for a few days.
If you only have one physical NIC (eth0) on the bridge br0 and you create a mirror on it, I think it most probably won’t work. If you prefer, you can try to contact me by mail, Google Talk or Skype and give me more information about what you’re trying to configure. Please check my http://es.gravatar.com/n40lab; I’ll try to do my best to help you.
Miguel
Thanks, Miguel, for the reply. What time would be good to Skype / gtalk you? Would it be OK to contact you on US time? Meanwhile I will try to explain the steps I have done in a mail.
Thanks
Moorthy
My timezone is GMT + 1, and I usually try to be online most of the time 😀 but if you send me an email I’ll answer you as quickly as I can. Thanks for contacting me.
Hi,
in your post you said that you’ve mirrored traffic from vnet2 into vnet0. I’m doing research in this matter. However, I want to mirror traffic between VMs in the server to eth0. Can it be done using a virtual switch? Thanks
Hi,
I guess that if you add the eth0 port to an Open vSwitch bridge, you could use it as a mirror source port/destination port. If you look at the man page for ovs-vsctl, there is an example where the traffic of two interfaces is mirrored into one interface. I haven’t tested a more complex configuration, but I’m always willing to learn, so please try to contact me.
Regards,
Miguel
I think I have the same question as Mr. Moorthy. Can I join the discussion?
Hi,
Have you tried the same in OpenStack Environment?
Thanks,
Vasu.
Hi Vasu,
no I haven’t tried, I’m afraid I don’t use OpenStack,
Cheers
Hi ,
I tried it on OpenStack. The above command is for vnet0’s traffic to be mirrored onto vnet2, not for vnet2’s traffic to be mirrored onto vnet0.
You just interchanged the ports.
Thanks for your feedback, it’ll help any user that comes by looking for OpenStack’s mirroring.
I might want you for a freelance project
Hi, thanks for reading my blog! If you want to talk, you can use my personal page and contact me using the form there (https://artemit.com.es/contact.php). Cheers!