June 15, 2024

network TAP / mirror ports

If you need to run monitoring equipment looking for threats or whatever on your network, you need a way to get a copy of the traffic flowing through a switch or router over to your monitoring doo-dad, usually either a Linux server or a Linux-based appliance. If you were hooking up an IDS, you’d want a mirror port somewhere, tied via a Cat5/6 cable to your server, which would listen on a spare Ethernet port with no address of its own, set to accept every frame it sees rather than just the ones addressed to it (which is called promiscuous mode).

It can be tricky to get your router to create a mirror port (a SPAN port, in Cisco world), but basically you have to select a SOURCE port or ports and ask the switch/router to copy those packets to your DESTINATION port, which hooks back into your network monitoring thing.

using tc:

basic linux bridge config:

Setting up a virtual linux switch with mirroring (advanced):

Port mirroring with Linux bridges
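Since the tc and bridge write-ups above are only headings here, this is an added example (not from the original post) that puts the two together on a Linux box: build a bridge out of two NICs so the box acts as a little switch, then use tc's clsact hook with a matchall filter and the mirred action to copy both directions of one bridge port (the SOURCE) to a third NIC (the DESTINATION) where the sensor listens. The interface names br0, eth0, eth1 and eth2 are placeholders, it needs root and iproute2 (tc and ip), and setting TC=echo IP=echo dry-runs it so you can see the exact commands before touching a live box.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a Linux bridge
# ("virtual switch") from two NICs and mirrors one bridge port to a
# third NIC for a sensor. Interface names are placeholders; needs root.
#
# Commands go through $TC and $IP so the script can be dry-run with
#   TC=echo IP=echo APPLY_MIRROR=1 sh mirror.sh
TC="${TC:-tc}"
IP="${IP:-ip}"

# Create bridge $1 and enslave every interface given after it.
make_bridge() {
    br="$1"; shift
    "$IP" link add name "$br" type bridge
    for port in "$@"; do
        "$IP" link set dev "$port" master "$br"
        "$IP" link set dev "$port" up
    done
    "$IP" link set dev "$br" up
}

# Mirror both directions of SOURCE port $1 to DESTINATION port $2.
# clsact gives one device an ingress and an egress hook; matchall catches
# every frame; "mirred egress mirror" copies the frame out of $2 while the
# original keeps flowing ("redirect" instead of "mirror" would steal it).
mirror_port() {
    src="$1"; dst="$2"
    "$TC" qdisc add dev "$src" clsact
    "$TC" filter add dev "$src" ingress matchall action mirred egress mirror dev "$dst"
    "$TC" filter add dev "$src" egress matchall action mirred egress mirror dev "$dst"
}

# Removing the clsact qdisc drops its filters, which stops the mirror.
unmirror_port() {
    "$TC" qdisc del dev "$1" clsact
}

# Prepare the DESTINATION: up, no address, promiscuous so the NIC hands
# the sensor frames that are not addressed to it.
prep_monitor_port() {
    "$IP" link set dev "$1" up
    "$IP" link set dev "$1" promisc on
}

# Show what is attached, to confirm the mirror is really in place.
show_mirror() {
    "$TC" filter show dev "$1" ingress
    "$TC" filter show dev "$1" egress
}

# Only apply when explicitly asked, so sourcing the file changes nothing.
if [ "${APPLY_MIRROR:-0}" = 1 ]; then
    make_bridge br0 eth0 eth1     # eth0/eth1 become the switch ports
    mirror_port eth1 eth2         # copy everything on eth1 to eth2
    prep_monitor_port eth2        # sensor (tcpdump, IDS) listens on eth2
    show_mirror eth1
fi
```

Run it with APPLY_MIRROR=1 on a box whose NICs match the placeholders, then point the IDS or a quick `tcpdump -ni eth2` at the destination port; `unmirror_port eth1` takes the copy down again without disturbing the bridge.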

commercial tap thing: