Re: [Xen-users] Port mirroring and promiscuous mode

["Tarren, Jacob A. (LARC-B703)[LITES II]" <jacob.a.tarren@xxxxxxxx>]

I¹ve figured it out:

ovs-vsctl -- --id=@p get port vif104.1 -- --id=@m create mirror name=m0
select-all=true output-port=@p -- set bridge xenbr1 mirrors=@m

I¹ll need to switch from using port vif104.1 to using vifname, but other
than that this works perfectly.  The best part is that it uses the xenbr1
network that xen manages, so I shouldn¹t have to adjust src-port or
dst-port as other VMs reboot.


On 4/18/16, 6:26 PM, "Tarren, Jacob A. (LARC-B703)[LITES II]"
<jacob.a.tarren@xxxxxxxx> wrote:

>Oh, alright.  That makes sense; so I'll have to create a mirror with all
>the ports I'm interested in monitoring, and then put just the VIF of the
>IDS into promiscuous mode.
>
>I'm having a hard time finding any good documentation on port mirroring
>with ovs-vsctl, specifically whether or not I need to explicitly define
>src-ports and dst-ports, and defining multiples of each.  It seems like I
>should just be able to set them both to "Anything on xenbr1", but I can't
>find the syntax for that.  I could always try
>...select-dst-port=@vif93.0 select-dst-port=@vif78.3
>select-dst-port=@vif79.1...
>and the same for src-port, but there's got to be a way to just specify
>the whole virtual network, is that what vifxenbr1 is?
>
>Also, do you happen to know how vif69.3 compares to tap69.3?  Is that
>something that happened from when I was experimenting with promiscuous
>mode?
>
>I'll also try asking over in the OpenVSwitch mailing list.  Maybe someone
>in there has more experience with what I'm attempting to do.
>
>________________________________
>Thanks,
>Jake Tarren
>
>________________________________________
>From: Xen-users [xen-users-bounces@xxxxxxxxxxxxx] on behalf of Simon
>Hobson [simon@xxxxxxxxxxxxxxxx]
>Sent: Monday, April 18, 2016 4:51 PM
>To: xen-users@xxxxxxxxxxxxx
>Subject: Re: [Xen-users] Port mirroring and promiscuous mode
>
>Austin S. Hemmelgarn <ahferroin7@xxxxxxxxx> wrote:
>
>> I can't help much with the OpenVSwitch stuff
>
>Ditto. It's one of those things I keep remembering I want to try out -
>but only remembering when I don't have any time to spend on it :-(
>
>> but I can definitely try to help with the explanation of port mirroring
>>versus promiscuous mode and the VIF ID bits.
>>
>> Port mirroring usually refers to monitoring specific ports, and more
>>importantly, is done at a relatively high level in the network stack.
>
>I think you have the wrong port there (pun intended).
>
>In this case, it refers to the physical switch port - or virtualised
>version of it in virtual switch. It's done at the lowest level of the
>network stack (not sure if it's layer 1 or 2- definitely below layer 3).
>It goes hand in hand with promiscuous mode, as the means to get all those
>network packets to the virtual NIC in the first place.
>
>So typically it goes like this.
>
>You designate a port on the switch as the monitoring port, and connect it
>to the NIC to be used for monitoring. You then configure which other
>port(s) on the switch are to be monitored (the monitored port(s)). All
>traffic then passing through a monitored port is copied out (mirrored) to
>the monitoring port. You now have a network port on the switch which
>spits out a copy of all traffic on the port(s) of interest.
>
>As you correctly say, putting the (virtual) NIC into promiscuous mode
>allows it to receive ethernet frames that weren't directed to it - thus
>allowing sniffing of traffic that wouldn't otherwise ever be sent to that
>device, or accepted by it into the network stack if it were received.
>
>The two go hand in hand - port mirroring is needed to get the packets to
>the NIC, promiscuous mode is needed for the NIC to accept them.
>
>
>_______________________________________________
>Xen-users mailing list
>Xen-users@xxxxxxxxxxxxx
>http://lists.xen.org/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users