
Re: [Xen-users] Port mirroring and promiscuous mode

  • To: "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>
  • From: "Tarren, Jacob A. (LARC-B703)[LITES II]" <jacob.a.tarren@xxxxxxxx>
  • Date: Mon, 18 Apr 2016 22:26:35 +0000
  • Accept-language: en-US
  • Delivery-date: Mon, 18 Apr 2016 22:28:01 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>
  • Thread-index: AdGZnjvsOvO+hGi+Rx2YhrpZv/1KsAAMe2gAAAWLyQD//7LW6A==
  • Thread-topic: [Xen-users] Port mirroring and promiscuous mode

Oh, alright.  That makes sense; so I'll have to create a mirror with all the 
ports I'm interested in monitoring, and then put just the VIF of the IDS into 
promiscuous mode.

I'm having a hard time finding any good documentation on port mirroring with 
ovs-vsctl, specifically whether or not I need to explicitly define src-ports 
and dst-ports, and defining multiples of each.  It seems like I should just be 
able to set them both to "Anything on xenbr1", but I can't find the syntax for 
that.  I could always try 
...select-dst-port=@vif93.0 select-dst-port=@vif78.3 select-dst-port=@vif79.1...
and the same for src-port, but there's got to be a way to just specify the 
whole virtual network; is that what vifxenbr1 is?

Also, do you happen to know how vif69.3 compares to tap69.3?  Is that something 
that happened from when I was experimenting with promiscuous mode?

I'll also try asking over in the OpenVSwitch mailing list.  Maybe someone in 
there has more experience with what I'm attempting to do.

Jake Tarren

From: Xen-users [xen-users-bounces@xxxxxxxxxxxxx] on behalf of Simon Hobson 
Sent: Monday, April 18, 2016 4:51 PM
To: xen-users@xxxxxxxxxxxxx
Subject: Re: [Xen-users] Port mirroring and promiscuous mode

Austin S. Hemmelgarn <ahferroin7@xxxxxxxxx> wrote:

> I can't help much with the OpenVSwitch stuff

Ditto. It's one of those things I keep remembering I want to try out - but only 
remembering when I don't have any time to spend on it :-(

> but I can definitely try to help with the explanation of port mirroring 
> versus promiscuous mode and the VIF ID bits.
> Port mirroring usually refers to monitoring specific ports, and more 
> importantly, is done at a relatively high level in the network stack.

I think you have the wrong port there (pun intended).

In this case, it refers to the physical switch port - or the virtualised version of 
it in a virtual switch. It's done at the lowest level of the network stack (not 
sure if it's layer 1 or 2 - definitely below layer 3).
It goes hand in hand with promiscuous mode, as the means to get all those 
network packets to the virtual NIC in the first place.

So typically it goes like this.

You designate a port on the switch as the monitoring port, and connect it to 
the NIC to be used for monitoring. You then configure which other port(s) on 
the switch are to be monitored (the monitored port(s)). All traffic then 
passing through a monitored port is copied out (mirrored) to the monitoring 
port. You now have a network port on the switch which spits out a copy of all 
traffic on the port(s) of interest.

As you correctly say, putting the (virtual) NIC into promiscuous mode allows it 
to receive ethernet frames that weren't directed to it - thus allowing sniffing 
of traffic that wouldn't otherwise ever be sent to that device, or accepted by 
it into the network stack if it were received.

The two go hand in hand - port mirroring is needed to get the packets to the 
NIC, promiscuous mode is needed for the NIC to accept them.
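Jake's question about the mirror syntax, together with Simon's description of a monitoring port feeding a promiscuous NIC, as an added shell example that is not from this thread: it prints the ovs-vsctl invocation (the syntax from the ovs-vsctl manual) that mirrors either every port on xenbr1 (select_all) or a list of VIFs to the IDS VIF, and checks the promiscuous flag on an interface. The bridge and VIF names come from the thread; that vif69.3 is the IDS VIF, and the mirror name ids_mirror, are assumptions.

```shell
#!/bin/sh
# Print the ovs-vsctl command that mirrors traffic on BRIDGE to OUTPUT_PORT.
# Usage: ovs_mirror_cmd BRIDGE OUTPUT_PORT [MONITORED_PORT...]
# With no MONITORED_PORT arguments the Mirror uses select_all=true, i.e. every
# frame entering or leaving any port on the bridge.  Otherwise only the listed
# ports are mirrored, in both directions (select-src-port and select-dst-port).
# The mirror name "ids_mirror" is an assumption, not something from the thread.
ovs_mirror_cmd() {
    bridge=$1; out=$2; shift 2
    cmd="ovs-vsctl -- set Bridge $bridge mirrors=@m -- --id=@out get Port $out"
    if [ $# -eq 0 ]; then
        sel="select_all=true"
    else
        ids=""
        for p in "$@"; do
            # @-identifiers are local to this ovs-vsctl run; vif93.0 -> @vif93_0
            id=$(printf '%s' "$p" | sed 's/[^A-Za-z0-9_]/_/g')
            cmd="$cmd -- --id=@$id get Port $p"
            ids="${ids:+$ids,}@$id"
        done
        sel="select-src-port=$ids select-dst-port=$ids"
    fi
    printf '%s\n' "$cmd -- --id=@m create Mirror name=ids_mirror $sel output-port=@out"
}

# Return 0 if the IFF_PROMISC bit (0x100) is set in a flags value as read from
# /sys/class/net/<dev>/flags, e.g. "0x1103".
flags_promisc() {
    [ $(( $(printf '%d' "$1") & 256 )) -ne 0 ]
}

# Check a live interface on this host (the interface the IDS captures from).
dev_promisc() {
    flags_promisc "$(cat "/sys/class/net/$1/flags")"
}

# Example: mirror the whole of xenbr1 to the (assumed) IDS VIF vif69.3,
# or only the three VIFs named in the thread.
ovs_mirror_cmd xenbr1 vif69.3
ovs_mirror_cmd xenbr1 vif69.3 vif93.0 vif78.3 vif79.1
```

The printed command can be run as-is on dom0; promiscuous mode is still needed on the interface the IDS actually sniffs (check it with dev_promisc, enable it with ip link set dev IFACE promisc on).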

Xen-users mailing list
