Mirror one eth interface to another

seamant · November 14, 2023, 7:54pm

Hello! I encountered the following problem. I’m setting up a virtual laboratory that should have the following topology

192.168.1.3 - user virtual machine.
192.168.2.5 - virtual machine with Snort and Wireshark (Monitor)

I want to monitor all traffic from eth1 using a virtual machine with Wireshark

I have configured VyOS interfaces. VyOS sees both virtual machines. The user virtual machine is configured with port forwarding so that it can access the Internet via VyOS.
I’m using VyOS 1.2.9, port configuration is below:

However, Wireshark does not see any packets on the interface that connects VyOS and the monitor virtual machine

Maybe I should change the way I send traffic?

blex · November 14, 2023, 11:01pm

My best guess would be put both interface in a bridge.

blex · November 14, 2023, 11:05pm

I think this is the solution You where serchin.

BG Alexander

seamant · November 15, 2023, 6:21am

@blex Port mirroring already configured (VyOS config screenshot), but still there is no packages

Viacheslav · November 15, 2023, 6:25am

Check the dump on VyOS site
“monitor traffic interface ethX”
Maybe old 1.2.9 had some bugs

seamant · November 15, 2023, 1:43pm

I thought for a bit. If I ping monitor IP - Wireshark sees these packets. It looks like they came from the VyOS interface, since they had a destination address that matches the address of the monitor. Then how can I force the VyOS interface to forward ALL traffic that comes to this interface to the monitor’s IP address?

At the same time, I need to save the original source address and destination address

JeffWDH · November 15, 2023, 1:52pm

When I want to monitor an interface I usually do something like this from the PC that has Wireshark installed:

Windows:
ssh user@vyos sudo tcpdump -i eth1.105 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Linux:
ssh user@vyos sudo tcpdump -i eth0 -U -s0 -w - 'not port 22' | wireshark -k -i -

You can add to the filters too if you want to exclude more traffic, ie. ‘not port 22 and dst 192.168.1.5 or src 192.168.1.5’

16again · November 19, 2023, 8:05am

Look at your hypervisor settings. Could be sending packets originating from different MAC addresses than NIC itself is blocked

seamant · November 19, 2023, 6:43pm

Thanks! I changed the settings in the hypervisor and the packets became visible when using Wireshark

system · December 19, 2023, 6:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.