Re: [Xen-users] Port mirroring and promiscuous mode
Oh, alright. That makes sense; so I'll have to create a mirror with all the ports I'm interested in monitoring, and then put just the VIF of the IDS into promiscuous mode.

I'm having a hard time finding any good documentation on port mirroring with ovs-vsctl, specifically whether or not I need to explicitly define src-ports and dst-ports, and defining multiples of each. It seems like I should just be able to set them both to "Anything on xenbr1", but I can't find the syntax for that. I could always try ...select-dst-port=@vif93.0 select-dst-port=@vif78.3 select-dst-port=@vif79.1... and the same for src-port, but there's got to be a way to just specify the whole virtual network; is that what vifxenbr1 is?

Also, do you happen to know how vif69.3 compares to tap69.3? Is that something that happened from when I was experimenting with promiscuous mode?

I'll also try asking over in the OpenVSwitch mailing list. Maybe someone in there has more experience with what I'm attempting to do.

Thanks,
Jake Tarren

________________________________________
From: Xen-users [xen-users-bounces@xxxxxxxxxxxxx] on behalf of Simon Hobson [simon@xxxxxxxxxxxxxxxx]
Sent: Monday, April 18, 2016 4:51 PM
To: xen-users@xxxxxxxxxxxxx
Subject: Re: [Xen-users] Port mirroring and promiscuous mode

Austin S. Hemmelgarn <ahferroin7@xxxxxxxxx> wrote:

> I can't help much with the OpenVSwitch stuff

Ditto. It's one of those things I keep remembering I want to try out - but only remembering when I don't have any time to spend on it :-(

> but I can definitely try to help with the explanation of port mirroring
> versus promiscuous mode and the VIF ID bits.
>
> Port mirroring usually refers to monitoring specific ports, and more
> importantly, is done at a relatively high level in the network stack.

I think you have the wrong port there (pun intended). In this case, it refers to the physical switch port - or the virtualised version of it in a virtual switch. It's done at the lowest level of the network stack (not sure if it's layer 1 or 2 - definitely below layer 3). It goes hand in hand with promiscuous mode, as the means to get all those network packets to the virtual NIC in the first place.

So typically it goes like this. You designate a port on the switch as the monitoring port, and connect it to the NIC to be used for monitoring. You then configure which other port(s) on the switch are to be monitored (the monitored port(s)). All traffic then passing through a monitored port is copied out (mirrored) to the monitoring port. You now have a network port on the switch which spits out a copy of all traffic on the port(s) of interest.

As you correctly say, putting the (virtual) NIC into promiscuous mode allows it to receive Ethernet frames that weren't directed to it - thus allowing sniffing of traffic that wouldn't otherwise ever be sent to that device, or accepted by it into the network stack if it were received.

The two go hand in hand - port mirroring is needed to get the packets to the NIC, promiscuous mode is needed for the NIC to accept them.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
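A worked ovs-vsctl recipe for the setup discussed in this thread (mirror the bridge to the IDS VIF, then make only that VIF promiscuous), added here as an example and not taken from the thread or from the Open vSwitch project: the Mirror table's select-all column means "every port on this bridge", so the per-port select-src-port/select-dst-port lists are only needed when monitoring a subset. The bridge xenbr1 and the monitored VIFs vif93.0 and vif78.3 are the names from the thread; vif99.0 as the IDS VIF is a made-up placeholder, and OVS_VCTL/IP can be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or the OVS project).
# Assumptions: bridge xenbr1 exists; vif99.0 is a placeholder name for the
# dom0-side VIF of the IDS guest. Set OVS_VSCTL=echo for a dry run.
OVS_VSCTL=${OVS_VSCTL:-ovs-vsctl}
IP=${IP:-ip}

# mirror_all BRIDGE IDS_PORT: copy every frame on BRIDGE to IDS_PORT.
# select-all=true replaces any select-src-port/select-dst-port lists.
# The whole thing is one ovs-vsctl call so the @-references resolve
# inside a single database transaction.
mirror_all() {
    bridge=$1; ids=$2
    "$OVS_VSCTL" -- set Bridge "$bridge" mirrors=@m \
        -- --id=@out get Port "$ids" \
        -- --id=@m create Mirror name=ids-mirror select-all=true output-port=@out
}

# mirror_ports BRIDGE IDS_PORT PORT...: mirror only the listed ports, in
# both directions, to IDS_PORT. Builds one ovs-vsctl command with a
# @pN reference per monitored port and a comma-separated set for the
# select columns.
mirror_ports() {
    bridge=$1; ids=$2; shift 2
    ports=$*; refs=""; i=0
    set -- -- set Bridge "$bridge" mirrors=@m -- --id=@out get Port "$ids"
    for p in $ports; do
        i=$((i + 1))
        set -- "$@" -- --id="@p$i" get Port "$p"
        refs="${refs:+$refs,}@p$i"
    done
    "$OVS_VSCTL" "$@" -- --id=@m create Mirror name=ids-mirror \
        select-src-port="$refs" select-dst-port="$refs" output-port=@out
}

# promisc_on VIF: only the IDS VIF needs promiscuous mode; the other
# guests' VIFs are left alone.
promisc_on() { "$IP" link set dev "$1" promisc on; }

# mirror_clear BRIDGE: remove the mirror again (drops all mirrors on BRIDGE).
mirror_clear() { "$OVS_VSCTL" clear Bridge "$1" mirrors; }
```

After applying, `ovs-vsctl list Mirror` shows the mirror row and its resolved port UUIDs, which is the quickest way to confirm select-all or the port set took effect.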