September 21, 2021

network TAP / mirror ports

If you need to run monitoring equipment looking for threats or whatever on your network, you need a way to get a copy of the traffic flowing through a switch or router to your monitoring doo-dad, usually either a Linux server or a Linux-based appliance. If you were hooking up an IDS, you'd want a mirror port somewhere, tied via Cat5/6 cable to your server, which would listen on a spare ethernet port configured to just listen (promiscuous mode, meaning the NIC accepts every frame that arrives rather than only the ones addressed to its own MAC).

Getting your switch/router to create a mirror port (a SPAN port, in Cisco world) can be tricky, but the idea is always the same: you select a SOURCE port or ports and ask the switch/router to copy those packets to a DESTINATION port, which hooks back into your network monitoring thing.
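The same SOURCE/DESTINATION idea done on a Linux box instead of a Cisco switch, as an added example that is not from this post or any of the links below (interface names eth0/eth1, root privileges and the tc/iproute2 tools are assumptions; DRY_RUN=1 prints the commands instead of running them):

```shell
#!/bin/sh
# Added example (not from the post): build a software SPAN port with tc, and
# prepare the monitor host's NIC so it "just listens".
# Interface names eth0/eth1 are assumptions; the commands need root.
# DRY_RUN=1 prints each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# SOURCE side: copy every frame entering or leaving $1 out of $2.
# clsact gives $1 an ingress and an egress hook, matchall selects all frames,
# and mirred "egress mirror" duplicates each one onto $2 (the DESTINATION port)
# while the original keeps flowing normally.
span_setup() {
  src="$1"; dst="$2"
  run tc qdisc add dev "$src" clsact
  run tc filter add dev "$src" ingress matchall \
      action mirred egress mirror dev "$dst"
  run tc filter add dev "$src" egress matchall \
      action mirred egress mirror dev "$dst"
}

# Deleting the clsact qdisc removes both mirror filters with it.
span_teardown() {
  run tc qdisc del dev "$1" clsact
}

# MONITOR side: the NIC that receives the copy gets no IP address and is put
# in promiscuous mode so it accepts frames not addressed to its own MAC.
listener_setup() {
  mon="$1"
  run ip addr flush dev "$mon"
  run ip link set dev "$mon" promisc on
  run ip link set dev "$mon" up
}

# Stand-alone use: ./span.sh span eth0 eth1 | teardown eth0 | listen eth1
case "${1:-}" in
  span)     span_setup "$2" "$3" ;;
  teardown) span_teardown "$2" ;;
  listen)   listener_setup "$2" ;;
esac
```

Run the span part on the box whose traffic you want a copy of and the listen part on the IDS host, then point the IDS at the promiscuous interface.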

References:

using tc:

http://serverfault.com/questions/225178/copying-packets-from-an-interface-to-another

basic linux bridge config:

http://sethsec.blogspot.com/2014/01/i-just-wanted-to.html

Setting up a virtual linux switch with mirroring (advanced):

Port mirroring with Linux bridges

commercial tap thing:

http://wiki.networksecuritytoolkit.org/index.php/Multi-Tap_Network_Packet_Capturing