Port mirroring
Port mirroring in Linux is currently only supported via the DSA framework, and it is controlled with tc.
Requirements
- The ip and tc tools, both from the iproute package
- The following kernel schedulers/classifiers, typically compiled as kernel modules:
  - cls_u32
  - sch_ingress
  - sch_prio
  - act_mirred
Setup
- p2 is connected to some network that can generate traffic; for example, you can ping the DUT through this port.
- p5 is the mirror port. All traffic in and out of p2 will also be sent to this port. It should be connected to a monitoring station, which sniffs traffic on the interface connected to p5.
Commands
Turn on the mirror port:
# ip link set up dev p5
[ 47.743894] rtl83xx_port_enable: 87f85880 8
[ 47.743918] rtl83xx_port_stp_state_set: port 8 state 3
[ 47.867406] rtl83xx-switch switch@bb000000 p5: configuring for phy/internal link mode
[ 47.970271] rtl83xx_phylink_mac_config port 8, mode 0
[ 48.036612] PHY autonegotiates
[ 48.077097] 8021q: adding VLAN 0 to HW filter on device p5
[ 48.149147] rtl83xx_vlan_prepare: port 8
[ 48.200645] VLAN 0: L2 learning: 1, L2 Unknown MultiCast Field 1ff, IPv4 Unknown MultiCast Field 1ff, IPv6 Unknown MultiCast Field: 1ff
[ 48.200664] Tagged ports 10000004, untag 1fffffff, prof 0, MC# 0, UC# 0, FID 0
[ 48.457819] rtl83xx_vlan_add port 8, vid_end 0, vid_end 0, flags 0
[ 48.538951] rtl83xx_vlan_prepare: port 28
[ 48.591505] VLAN 0: L2 learning: 1, L2 Unknown MultiCast Field 1ff, IPv4 Unknown MultiCast Field 1ff, IPv6 Unknown MultiCast Field: 1ff
[ 48.591523] Tagged ports 10000104, untag 1fffffff, prof 0, MC# 0, UC# 0, FID 0
[ 48.848799] rtl83xx_vlan_add port 28, vid_end 0, vid_end 0, flags 0
[ 48.962341] RTL8380 Link change: status: 1, ports 100
[ 52.576650] RTL8380 Link change: status: 1, ports 100
[ 53.047671] rtl83xx_phylink_mac_config port 8, mode 0
[ 53.114032] PHY autonegotiates
[ 53.154063] rtl83xx-switch switch@bb000000 p5: Link is Up - 1Gbps/Full - flow control rx/tx
[ 53.263876] IPv6: ADDRCONF(NETDEV_CHANGE): p5: link becomes ready
Create an ingress queue discipline:
tc qdisc add dev p2 handle ffff: ingress
Mirror all packets matching the ingress queue discipline (qdisc) to p5:
tc filter add dev p2 parent ffff: protocol all matchall skip_sw action mirred egress mirror dev p5
Create an egress queue discipline (using the prio scheduler):
tc qdisc add dev p2 handle 1: root prio
Mirror all packets matching this qdisc to p5:
tc filter add dev p2 parent 1: protocol all matchall skip_sw action mirred egress mirror dev p5
Pastable version
ip link set up dev p5
tc qdisc add dev p2 handle ffff: ingress
tc filter add dev p2 parent ffff: protocol all matchall skip_sw action mirred egress mirror dev p5
tc qdisc add dev p2 handle 1: root prio
tc filter add dev p2 parent 1: protocol all matchall skip_sw action mirred egress mirror dev p5
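The same steps wrapped as shell functions, as an added example that is not part of the original page: a dry-run mode to review the commands without a switch, a teardown (the page gives no undo step), and a check that both filters were actually accepted by the hardware. The function names, the DRY_RUN variable and the assumed wording of tc's output are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: the mirroring steps as functions,
# with dry-run, teardown and verification. Port names p2/p5 are examples.
set -u

# Run a command, or only print it when DRY_RUN=1 so the steps can be
# reviewed on a host that has no switch.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mirror_setup SRC DST: copy SRC's ingress and egress traffic to DST.
mirror_setup() {
    src=$1; dst=$2
    run ip link set up dev "$dst"
    # ingress: qdisc plus a matchall filter, offloaded to the switch (skip_sw)
    run tc qdisc add dev "$src" handle ffff: ingress
    run tc filter add dev "$src" parent ffff: protocol all matchall skip_sw \
        action mirred egress mirror dev "$dst"
    # egress: prio root qdisc plus the same filter
    run tc qdisc add dev "$src" handle 1: root prio
    run tc filter add dev "$src" parent 1: protocol all matchall skip_sw \
        action mirred egress mirror dev "$dst"
}

# mirror_teardown SRC: deleting the two qdiscs also drops their filters,
# which stops the mirroring.
mirror_teardown() {
    src=$1
    run tc qdisc del dev "$src" handle ffff: ingress
    run tc qdisc del dev "$src" handle 1: root prio
}

# mirror_check SRC DST: 0 only if both filters exist, target DST and were
# offloaded. Assumes tc prints an "in_hw" line for offloaded filters and
# "Mirror to device DST" for the mirred action (not_in_hw does not match -w).
mirror_check() {
    src=$1; dst=$2
    for parent in ffff: 1:; do
        out=$(tc filter show dev "$src" parent "$parent") || return 1
        printf '%s\n' "$out" | grep -qw 'in_hw' || return 1
        printf '%s\n' "$out" | grep -qi "mirror to device $dst" || return 1
    done
}
```

Run `DRY_RUN=1 mirror_setup p2 p5` first to see the exact commands, then `mirror_setup p2 p5 && mirror_check p2 p5` as root on the switch; a non-zero result from the check means a filter is missing or fell back to not_in_hw.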
References
- David Waiting's excellent post