Port mirroring

Port mirroring in Linux is currently only supported via the DSA framework, controlled by tc.

Requirements

The ip and tc tools, both from the iproute package
The following kernel schedulers/classifiers, typically compiled as kernel modules:
- sch_ingress
- cls_matchall
- act_mirred

Setup

p2 is connected to some network that can generate traffic, for example you can ping the DUT via this port.
p5 is the mirror port. We will send all traffic in/out p2 to this port as well. It should be connected to a monitoring station, which sniffs traffic on the interface connected to p5

Commands

Turn on the mirror port:

ip link set up dev p5

Add the clsact queue discipline. This qdisc lets us attach the matchall filter:

tc qdisc add dev p2 clsact

Mirror all packets inbound on p2 (ingress) to p5. Note the skip_sw flag, meaning this command will not fall back on mirroring via the CPU if the hardware offload fails:

tc filter add dev p2 ingress matchall skip_sw action mirred egress mirror dev p5

Mirror all packets going out of p2 (egress) to p5:

tc filter add dev p2 egress matchall skip_sw action mirred egress mirror dev p5

Pastable version

ip link set up dev p5
tc qdisc add dev p2 clsact
tc filter add dev p2 ingress matchall skip_sw action mirred egress mirror dev p5
tc filter add dev p2 egress matchall skip_sw action mirred egress mirror dev p5

References

David Waiting's excellent post