Comments on Geert Jansen: Network security monitoring with KVM

hellt (https://www.blogger.com/profile/06634397449340499250), 2021-02-20T01:41:48.169-08:00:

Thank you for this article.
I wonder if it is possible to mirror non-IP packets (layer 2 frames)? Things like LLDP, LACP and BPDU.

smirnon (https://www.blogger.com/profile/16721602235840469009), 2014-06-03T02:34:15.094-07:00:

Thank you so much for the wonderful explanation! I am looking for something similar, with the difference being that I also want to send out pkts on the mirrored interface (in your example, vnet0) to some IP address in the same LAN.
Essentially, do this for multiple machines that I want to monitor and capture all their traffic to this one machine that can analyze this traffic. I guess I would have to change the destination IP, right?
Any ideas/thoughts on how to do that? Can it be done?
Thanks in advance.

Anonymous (https://www.blogger.com/profile/15778782184389091892), 2012-06-28T08:29:11.287-07:00:

Thank you so much for this explanation... I was looking for something similar to this, and you are the first who has been able to explain this in a way that makes sense.

I'll give you the scenario:
- Two bonded connections
- 802.1q VLANs on the bond
- Needed to mirror traffic from one of those VLANs.

Normally, in a non-redundant, non-VLAN scenario, I'd just pull that off of a SPAN on the switch. That wasn't going to work in this case.

I looked at iptables, I looked at bridges, and nothing I saw seemed to be able to do this out of the box on CentOS/RHEL 6.

Thanks to this guide, I was able to set up mirrored traffic from the bonded VLAN to a free physical port, and it works wonderfully.

I'm using something like this to automate the parent discovery:

    # Read the handle (e.g. "1:") of the prio qdisc already attached to the
    # VLAN interface, so the filter can be hung off it as its parent.
    PARENT=$(tc qdisc show dev bond0.1203 | grep prio | cut -d ' ' -f 3)

    # Attach a u32 filter that matches every IP packet ("match u8 0 0" is a
    # zero-mask wildcard) and mirrors a copy out of the physical port em2.
    tc filter add dev bond0.1203 parent "$PARENT" \
        protocol ip u32 match u8 0 0 \
        action mirred egress mirror dev em2

I'll eventually have a mirror $src $dest script.

Joy Leima (https://www.blogger.com/profile/08215916909518804971), 2011-08-10T08:43:41.123-07:00:

What if I wanted to monitor everything received by the KVM bridge and not another VM guest? I want to take all the pkts received by br0 on the host and forward them to my security appliance. In VMware ESX, I just choose the 'Pro 192.10.16.x' network. I don't really want to monitor a particular VM as much as I want to monitor the entire subnet.