
Port mirroring

Port mirroring in Linux is currently only supported via the DSA framework, controlled by tc.

Requirements:

  • The ip and tc tools, both from the iproute package
  • The following kernel schedulers/classifiers, typically compiled as kernel modules:
    • sch_ingress
    • cls_matchall
    • act_mirred

The examples below assume this setup:

  • p2 is connected to some network that can generate traffic; for example, you can ping the DUT via this port.
  • p5 is the mirror port. We will send all traffic in/out of p2 to this port as well. It should be connected to a monitoring station, which sniffs traffic on the interface connected to p5.

Turn on the mirror port:

ip link set up dev p5

Add the clsact queue discipline. This qdisc lets us attach the matchall filter:

tc qdisc add dev p2 clsact

Mirror all packets inbound on p2 (ingress) to p5. Note the skip_sw flag, which means this command will not fall back on mirroring via the CPU if the hardware offload fails:

tc filter add dev p2 ingress matchall skip_sw action mirred egress mirror dev p5

Mirror all packets going out of p2 (egress) to p5:

tc filter add dev p2 egress matchall skip_sw action mirred egress mirror dev p5

Pastable version

ip link set up dev p5
tc qdisc add dev p2 clsact
tc filter add dev p2 ingress matchall skip_sw action mirred egress mirror dev p5
tc filter add dev p2 egress matchall skip_sw action mirred egress mirror dev p5
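
To confirm that the mirror is in place, or to spot one left behind after testing, check the filter listing for the mirred action and the in_hw flag. The script below is an added example, not part of the original page; mirror_state and check_port are hypothetical helper names, and the two sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. The two listings are constructed
# samples in the style of `tc filter show dev p2 ingress`; exact fields vary
# between iproute2 versions.
SAMPLE_HW='filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  skip_sw
  in_hw
	action order 1: mirred (Egress Mirror to device p5) pipe
	index 1 ref 1 bind 1'

SAMPLE_SW='filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  not_in_hw
	action order 1: mirred (Egress Mirror to device p5) pipe
	index 1 ref 1 bind 1'

# mirror_state (hypothetical helper): read a filter listing on stdin and print
#   none            no mirred mirror action present
#   offloaded:DEV   mirror to DEV, installed in the switch hardware
#   software:DEV    mirror to DEV, handled by the CPU
mirror_state() {
    listing=$(cat)
    dev=$(printf '%s\n' "$listing" |
          sed -n 's/.*mirred (Egress Mirror to device \([^)]*\)).*/\1/p' | head -n 1)
    if [ -z "$dev" ]; then
        echo none
    elif printf '%s\n' "$listing" | grep -Eq '(^|[[:space:]])in_hw([[:space:]]|$)'; then
        echo "offloaded:$dev"
    else
        echo "software:$dev"
    fi
}

# check_port (hypothetical helper): run on the DUT as root, e.g. `check_port p2`.
check_port() {
    for dir in ingress egress; do
        echo "$1 $dir: $(tc filter show dev "$1" "$dir" | mirror_state)"
    done
}

# Removing the clsact qdisc drops both mirror filters:
#   tc qdisc del dev p2 clsact

printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_HW" | mirror_state)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_SW" | mirror_state)"
```
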
  • testing/mirroring.txt
  • Last modified: 2020/11/09 13:18
  • by biot