Menu Close
Settings Close

Language and Page Formatting Options

Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 17. Port mirroring

Network administrators can use port mirroring to replicate inbound and outbound network traffic being communicated from one network device to another. Administrators use port mirroring to monitor network traffic and collect network data to:

  • Debug networking issues and tune the network flow
  • Inspect and analyze the network traffic to troubleshoot networking problems
  • Detect an intrusion

17.1. Mirroring a network interface using nmcli

You can configure port mirroring using NetworkManager. The following procedure mirrors the network traffic from enp1s0 to enp7s0 by adding Traffic Control (tc) rules and filters to the enp1s0 network interface.

Prerequisites

  • A network interface to mirror the network traffic to.

Procedure

  1. Add a network connection profile that you want to mirror the network traffic from:

    # nmcli connection add type ethernet ifname enp1s0 con-name enp1s0 autoconnect no
  2. Attach a prio qdisc to enp1s0 for the egress (outgoing) traffic with the 10: handle:

    # nmcli connection modify enp1s0 +tc.qdisc "root prio handle 10:"

    The prio qdisc attached without children allows attaching filters.

  3. Add a qdisc for the ingress traffic, with the ffff: handle:

    # nmcli connection modify enp1s0 +tc.qdisc "ingress handle ffff:"
  4. Add the following filters to match packets on the ingress and egress qdiscs, and to mirror them to enp7s0:

    # nmcli connection modify enp1s0 +tc.tfilter "parent ffff: matchall action mirred egress mirror dev enp7s0"
    
    # nmcli connection modify enp1s0 +tc.tfilter "parent 10: matchall action mirred egress mirror dev enp7s0"

    The matchall filter matches all packets, and the mirred action redirects packets to destination.

  5. Activate the connection:

    # nmcli connection up enp1s0

Verification steps

  1. Install the tcpdump utility:

    # yum install tcpdump
  2. Display the traffic mirrored on the target device (enp7s0):

    # tcpdump -i enp7s0