Chapter 18. Port mirroring

Network administrators can use port mirroring to replicate the inbound and outbound network traffic of one network device to another. Administrators use port mirroring to monitor network traffic and collect network data to:

  • Debug networking issues and tune the network flow
  • Inspect and analyze the network traffic to troubleshoot networking problems
  • Detect an intrusion

18.1. Mirroring a network interface using nmcli

You can configure port mirroring using NetworkManager. The following procedure mirrors the network traffic from enp1s0 to enp7s0 by adding Traffic Control (tc) rules and filters to the enp1s0 network interface.

Prerequisites

  • A network interface to mirror the network traffic to.

Procedure

  1. Add a network connection profile for the interface that you want to mirror the network traffic from:

    # nmcli connection add type ethernet ifname enp1s0 con-name enp1s0 autoconnect no

  2. Attach a prio qdisc to enp1s0 for the egress (outgoing) traffic with handle '10:'. A 'prio' qdisc attached without children allows attaching filters.

    # nmcli connection modify enp1s0 +tc.qdisc "root prio handle 10:"

  3. Add a qdisc for the ingress traffic, with handle 'ffff:'.

    # nmcli connection modify enp1s0 +tc.qdisc "ingress handle ffff:"

  4. To match packets on the ingress and egress qdiscs and to mirror them to another interface, add the following filters.

    # nmcli connection modify enp1s0 +tc.tfilter "parent ffff: matchall action mirred egress mirror dev enp7s0"

    # nmcli connection modify enp1s0 +tc.tfilter "parent 10: matchall action mirred egress mirror dev enp7s0"

    The matchall filter matches all packets, and the mirred action with the mirror option copies them to the destination device.

  5. Activate the connection:

    # nmcli connection up enp1s0

Verification steps

  1. Install the tcpdump utility:

    # yum install tcpdump

  2. View the traffic mirrored on the target device (enp7s0):

    # tcpdump -i enp7s0
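
When the mirror feeds an intrusion detection sensor, it is worth confirming that both directions of enp1s0 are copied, and only to enp7s0. The following script is an added example, not part of the Red Hat procedure; the helper names are hypothetical, and it assumes the `tc filter show` output format shown in the constructed sample.

```bash
#!/bin/bash
# Added example: audit that a tc mirror sends traffic only to the expected device.

# mirror_targets: read `tc filter show` output on stdin and print the
# destination device of every mirred mirror action, one per line.
mirror_targets() {
    sed -n 's/.*mirred (Egress Mirror to device \([^)]*\)).*/\1/p'
}

# check_direction OUTPUT EXPECTED_DEV: succeed only if OUTPUT contains a
# matchall filter and every mirror action in it targets EXPECTED_DEV.
check_direction() {
    local output="$1" expected="$2" targets
    printf '%s\n' "$output" | grep -q 'matchall' || return 1
    targets=$(printf '%s\n' "$output" | mirror_targets | sort -u)
    [ "$targets" = "$expected" ]
}

# audit_mirror SRC DST: query the live tc configuration (requires root).
# Handles ffff: (ingress) and 10: (egress) are the ones used in the procedure.
audit_mirror() {
    local src="$1" dst="$2" rc=0
    check_direction "$(tc filter show dev "$src" ingress)" "$dst" \
        || { echo "ingress of $src is not mirrored only to $dst"; rc=1; }
    check_direction "$(tc filter show dev "$src" parent 10:)" "$dst" \
        || { echo "egress of $src is not mirrored only to $dst"; rc=1; }
    return $rc
}

# Constructed sample of `tc filter show dev enp1s0 ingress` output.
SAMPLE_OK='filter parent ffff: protocol all pref 49152 matchall chain 0 handle 0x1
  not_in_hw
    action order 1: mirred (Egress Mirror to device enp7s0) pipe
    index 1 ref 1 bind 1'

# Offline self-check against the constructed sample.
check_direction "$SAMPLE_OK" enp7s0 && echo "sample: mirrored only to enp7s0"
```

On a configured host, run `audit_mirror enp1s0 enp7s0` as root; a non-zero exit status means one direction is unmirrored or is copied to a device other than the intended capture interface.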

18.2. Additional resources