Chapter 14. Port mirroring
Network administrators can use port mirroring to replicate inbound and outbound network traffic being communicated from one network device to another. Administrators use port mirroring to monitor network traffic and collect network data to:
- Debug networking issues and tune the network flow
- Inspect and analyze the network traffic to troubleshoot networking problems
- Detect an intrusion
14.1. Mirroring a network interface using nmcli
You can configure port mirroring using NetworkManager. The following procedure mirrors the network traffic from enp1s0 to enp7s0 by adding Traffic Control (tc) rules and filters to the enp1s0 network interface.
Prerequisites
- A network interface to mirror the network traffic to.
Procedure
Add a network connection profile that you want to mirror the network traffic from:
# nmcli connection add type ethernet ifname enp1s0 con-name enp1s0 autoconnect no
Add a prio qdisc to enp1s0 for the egress (outgoing) traffic with the 10: handle:
# nmcli connection modify enp1s0 +tc.qdisc "root prio handle 10:"
A prio qdisc attached without children allows attaching filters.
Add a qdisc for the ingress traffic, with the ffff: handle:
# nmcli connection modify enp1s0 +tc.qdisc "ingress handle ffff:"
Add the following filters to match packets on the ingress and egress qdiscs, and to mirror them to enp7s0:
# nmcli connection modify enp1s0 +tc.tfilter "parent ffff: matchall action mirred egress mirror dev enp7s0"
# nmcli connection modify enp1s0 +tc.tfilter "parent 10: matchall action mirred egress mirror dev enp7s0"
The matchall filter matches all packets, and the mirred action in mirror mode copies them to the destination device, enp7s0.
Activate the connection:
# nmcli connection up enp1s0
Verification
Install the tcpdump utility:
# dnf install tcpdump
Display the traffic mirrored on the target device (enp7s0):
# tcpdump -i enp7s0
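Seeing packets in tcpdump confirms that something is mirrored, but it does not tell you that both the ingress and the egress side of the mirror are in place. The following POSIX shell script is an added example, not part of this documentation: it checks the kernel's actual tc state on the source interface (the nmcli profile only stores the settings; the qdiscs and filters exist only while the connection is active) and reports which part is missing. The interface names default to the enp1s0 and enp7s0 used above; the sample tc output embedded in the script is constructed to follow the iproute2 format and should be compared against the output of your own tc version.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): verify that the tc
# state created by the nmcli procedure is present on the source interface.
# Interface names default to the ones used in the procedure.
SRC_IF=${SRC_IF:-enp1s0}
DST_IF=${DST_IF:-enp7s0}

# Constructed sample output, shaped like `tc qdisc show dev enp1s0` and
# `tc filter show dev enp1s0 ingress` / `... parent 10:` after the procedure.
# The field layout follows iproute2; check it against your own tc version.
SAMPLE_QDISC='qdisc prio 10: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc ingress ffff: parent ffff:fff1 ----------------'

SAMPLE_FILTERS='filter parent ffff: protocol all pref 49152 matchall chain 0 handle 0x1
        action order 1: mirred (Egress Mirror to device enp7s0) pipe
filter parent 10: protocol all pref 49152 matchall chain 0 handle 0x1
        action order 1: mirred (Egress Mirror to device enp7s0) pipe'

# check_mirror_config QDISC_TEXT FILTER_TEXT DST_IF
# Succeeds (exit 0) only when the egress prio qdisc 10:, the ingress qdisc
# ffff:, and two mirred "mirror" filters towards DST_IF are all present.
check_mirror_config() {
    qdisc_text=$1
    filter_text=$2
    dst=$3

    printf '%s\n' "$qdisc_text" | grep -q '^qdisc prio 10: root' \
        || { echo "missing egress prio qdisc with handle 10:" >&2; return 1; }
    printf '%s\n' "$qdisc_text" | grep -q '^qdisc ingress ffff:' \
        || { echo "missing ingress qdisc with handle ffff:" >&2; return 1; }

    # One mirred filter is expected on ffff: (ingress) and one on 10: (egress).
    # grep -c exits 1 when the count is 0, so keep the "0" and ignore the status.
    n=$(printf '%s\n' "$filter_text" \
        | grep -c -F "mirred (Egress Mirror to device $dst)" || true)
    [ "$n" -ge 2 ] \
        || { echo "expected 2 mirred filters to $dst, found $n" >&2; return 1; }
    return 0
}

# Query the live kernel state (needs root and the tc utility from iproute2).
live_check() {
    qdiscs=$(tc qdisc show dev "$SRC_IF")
    filters=$(tc filter show dev "$SRC_IF" ingress
              tc filter show dev "$SRC_IF" parent 10:)
    check_mirror_config "$qdiscs" "$filters" "$DST_IF"
}

# Run the live check only when asked; the sample data above is for offline use.
if [ "${1:-}" = "--live" ]; then
    live_check && echo "port mirroring $SRC_IF -> $DST_IF is active"
fi
```

Run it as `sh check_mirror.sh --live` on the mirroring host after `nmcli connection up enp1s0`; repeat the check after a reboot or after reactivating the profile, since the kernel state is rebuilt each time the connection comes up. Note that the mirror copies every packet, including payloads of unencrypted protocols, to enp7s0, so the target device and the host running tcpdump should be accessible only to the administrators doing the analysis.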