Mirror one eth interface to another

Hello! I encountered the following problem. I’m setting up a virtual laboratory that should have the following topology:
- user virtual machine
- virtual machine with Snort and Wireshark (Monitor)

I want to monitor all traffic from eth1 using a virtual machine with Wireshark.

I have configured VyOS interfaces. VyOS sees both virtual machines. The user virtual machine is configured with port forwarding so that it can access the Internet via VyOS.
I’m using VyOS 1.2.9, port configuration is below:

However, Wireshark does not see any packets on the interface that connects VyOS and the monitor virtual machine.

Maybe I should change the way I send traffic?

My best guess would be to put both interfaces in a bridge.

I think this is the solution you were searching for.

BG Alexander

@blex Port mirroring is already configured (VyOS config screenshot), but there are still no packets.

Check the dump on the VyOS side:
“monitor traffic interface ethX”
Maybe the old 1.2.9 had some bugs.

I thought for a bit. If I ping monitor IP - Wireshark sees these packets. It looks like they came from the VyOS interface, since they had a destination address that matches the address of the monitor. Then how can I force the VyOS interface to forward ALL traffic that comes to this interface to the monitor’s IP address?

At the same time, I need to preserve the original source address and destination address.

When I want to monitor an interface I usually do something like this from the PC that has Wireshark installed:

# Windows host: run tcpdump on VyOS, stream the pcap over ssh to stdout (-w -), and let Wireshark read it from stdin (-i -)
ssh user@vyos sudo tcpdump -i eth1.105 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

# Linux host: same idea; 'not port 22' keeps the ssh session carrying the capture out of the capture itself
ssh user@vyos sudo tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i -

You can add to the filters too if you want to exclude more traffic, i.e. ‘not port 22 and dst or src’.

Look at your hypervisor settings. It could be that sending packets originating from MAC addresses different from the NIC’s own is blocked.


Thanks! I changed the settings in the hypervisor and the packets became visible when using Wireshark
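The symptom earlier in the thread (only pings addressed to the monitor itself show up, nothing mirrored from eth1) can be told apart from a working mirror by looking at the destination MACs in a short capture on the monitor VM: if every frame is either to or from the monitor NIC, the mirrored frames are being dropped before they reach that port (typically a hypervisor promiscuous-mode or forged-transmit policy), whereas a working mirror delivers frames between third parties. The script below is an added example, not code from the thread or from VyOS; it builds two small constructed pcap files in memory (the MAC addresses are made up for the lab) and classifies the frames to give that diagnosis. On a real monitor VM you would feed it a file written by tcpdump -w instead.

```python
import struct
from collections import Counter

# Constructed MAC addresses for the lab (assumptions, not taken from the thread)
MONITOR_MAC = bytes.fromhex("020000000001")    # monitor VM NIC
VYOS_ETH1_MAC = bytes.fromhex("020000000002")  # VyOS eth1, the mirrored port
USER_VM_MAC = bytes.fromhex("020000000003")    # user VM
BROADCAST_MAC = b"\xff" * 6

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE_AS_LE = 0xD4C3B2A1  # what a big-endian magic looks like read little-endian
LINKTYPE_ETHERNET = 1


def eth_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType, dummy payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Serialise frames into a classic libpcap file (little-endian, Ethernet link type)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def parse_pcap(data):
    """Return the raw frames of a classic pcap file, honouring either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE_AS_LE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames


def classify(frames, monitor_mac):
    """Count frames by how they relate to the monitor NIC.

    local: to or from the monitor itself (what the thread saw when pinging the monitor)
    broadcast_multicast: group-bit set in dst, delivered even without promiscuous mode
    foreign: unicast between two other hosts, i.e. only visible if the mirror works
    """
    counts = Counter()
    for frame in frames:
        if len(frame) < 14:
            counts["runt"] += 1
            continue
        dst, src = frame[:6], frame[6:12]
        if dst == monitor_mac or src == monitor_mac:
            counts["local"] += 1
        elif dst[0] & 0x01:
            counts["broadcast_multicast"] += 1
        else:
            counts["foreign"] += 1
    return counts


def mirror_diagnosis(counts):
    """Reduce the counts to a verdict on whether mirrored traffic reaches the monitor."""
    if counts["foreign"] > 0:
        return "OK: third-party unicast frames arrive, the mirror reaches this port"
    if counts["local"] or counts["broadcast_multicast"]:
        return ("NO_MIRROR: only frames to/from the monitor (or broadcast) seen; "
                "check the hypervisor promiscuous-mode / forged-transmit policy on the monitor port")
    return "EMPTY: nothing captured, check the capture interface first"


# Constructed captures: what the thread saw (mirror blocked) and what a working mirror shows
SAMPLE_MIRROR_BLOCKED = build_pcap([
    eth_frame(MONITOR_MAC, VYOS_ETH1_MAC),   # ping request to the monitor
    eth_frame(VYOS_ETH1_MAC, MONITOR_MAC),   # ping reply from the monitor
])
SAMPLE_MIRROR_OK = build_pcap([
    eth_frame(MONITOR_MAC, VYOS_ETH1_MAC),
    eth_frame(VYOS_ETH1_MAC, MONITOR_MAC),
    eth_frame(VYOS_ETH1_MAC, USER_VM_MAC),   # user VM -> VyOS, mirrored from eth1
    eth_frame(USER_VM_MAC, VYOS_ETH1_MAC),   # VyOS -> user VM, mirrored from eth1
    eth_frame(BROADCAST_MAC, USER_VM_MAC, ethertype=0x0806),  # ARP broadcast from the user VM
])

if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_MIRROR_BLOCKED), ("ok", SAMPLE_MIRROR_OK)):
        counts = classify(parse_pcap(sample), MONITOR_MAC)
        print(name, dict(counts), "->", mirror_diagnosis(counts))
```

Broadcast frames are counted separately on purpose: ARP and similar traffic reaches every port whether or not a mirror is configured, so seeing them proves nothing about the mirror. Only unicast between two hosts that are not the monitor is evidence that mirrored frames are being delivered.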
