
Testing with mirred

ABC edited this page Oct 7, 2016 · 14 revisions

You can mirror traffic from one Linux host to your test box using the tc mirred action.

  • First, create the tunnel (IPIP example):
trafsource:~# ip tun add mtun mode ipip local 2.3.4.5 remote 1.2.3.4 dev eth0
trafsource:~# ip link set mtun up
trafsource:~# ip -s tun show mtun
   testbox:~# ip tun add mtun mode ipip local 1.2.3.4 remote 2.3.4.5 dev eth0
   testbox:~# ip link set mtun up
   testbox:~# ip -s tun show mtun

Change 1.2.3.4 and 2.3.4.5 to your real IP addresses. Note that no ip addr add or ip route add is required for mirroring alone (but you may add them for tunnel testing). Example:

trafsource:~# ip addr add dev mtun 10.13.2.1
trafsource:~# ip route add 10.13.1.0/24 dev mtun
   testbox:~# ip addr add dev mtun 10.13.1.1
   testbox:~# ip route add 10.13.2.0/24 dev mtun
trafsource:~# ping 10.13.1.1
   testbox:~# ping 10.13.2.1

You may wish to remove the addresses and routes again once tunnel testing is done.

  • Next, mirror traffic into the mtun device using the tc action mirred. Example:
trafsource:~# tc qdisc add dev eth0 ingress
trafsource:~# tc filter add dev eth0 parent ffff: protocol ip \
                 prio 10 u32 match ip protocol 6 0xff flowid 1:2 \
                 action mirred egress mirror dev mtun
trafsource:~# tc -s filter ls dev eth0 parent ffff:

This mirrors only ingress TCP (IP protocol 6) traffic from eth0. Be careful not to mirror any IP egress traffic from eth0 if mtun is also working over eth0: IPIP is IP too, so the mirrored packets would be mirrored again and you get an infinite loop.

  • Finally, on the target box, account the traffic in the raw PREROUTING chain:
   testbox:~# iptables -t raw -I PREROUTING -j NETFLOW

Be careful that your test box doesn't send replies to foreign traffic.
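The three steps above, assembled into one reviewable script. This is an added example, not code from the ipt-netflow wiki: DRY_RUN=1 (the default) only prints the commands it would run, DRY_RUN=0 executes them (root, iproute2, tc and the ipt-netflow module required). Everything beyond the page's own commands is an assumption: the parameter names, the guard that refuses to mirror egress of the device carrying the tunnel (the loop the text warns about), restricting accounting to the tunnel interface with -i, and the optional DROP appended after NETFLOW so the test box never answers foreign traffic, which assumes NETFLOW is a non-terminating target.

```shell
#!/bin/sh
# Added example (not from the ipt-netflow wiki): IPIP tunnel, tc mirred
# filter and NETFLOW accounting in one script. DRY_RUN=1 prints commands,
# DRY_RUN=0 executes them. Parameter names, the loop guard, the -i match
# and the DROP after NETFLOW are this script's assumptions, not the page's.

DRY_RUN="${DRY_RUN:-1}"
DROP_AFTER_ACCOUNT="${DROP_AFTER_ACCOUNT:-1}"

# run: execute a command, or just echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# check_loop DIRECTION MIRROR_DEV UNDERLAY_DEV
# Returns 1 when asked to mirror egress of the device that also carries the
# IPIP tunnel: the encapsulated copies are IP egress too and would be
# mirrored again, endlessly (the hazard described on the page).
check_loop() {
    if [ "$1" = "egress" ] && [ "$2" = "$3" ]; then return 1; fi
    return 0
}

# setup_tunnel LOCAL_IP REMOTE_IP UNDERLAY_DEV TUN_DEV
# Identical on both hosts, with LOCAL_IP and REMOTE_IP swapped.
setup_tunnel() {
    run ip tunnel add "$4" mode ipip local "$1" remote "$2" dev "$3"
    run ip link set "$4" up
}

# setup_mirror DIRECTION MIRROR_DEV TUN_DEV UNDERLAY_DEV
# Mirrors TCP only (IP protocol 6), like the page's u32 filter.
setup_mirror() {
    if ! check_loop "$1" "$2" "$4"; then
        echo "refusing: $1 mirror on $2 would loop through the tunnel on $4" >&2
        return 1
    fi
    if [ "$1" = "ingress" ]; then
        run tc qdisc add dev "$2" ingress
        run tc filter add dev "$2" parent ffff: protocol ip prio 10 u32 \
            match ip protocol 6 0xff flowid 1:2 action mirred egress mirror dev "$3"
    else
        # egress filters need a classful root qdisc to attach to
        run tc qdisc add dev "$2" root handle 1: prio
        run tc filter add dev "$2" parent 1: protocol ip prio 10 u32 \
            match ip protocol 6 0xff flowid 1:1 action mirred egress mirror dev "$3"
    fi
}

# setup_account TUN_DEV: count only packets arriving through the tunnel and,
# optionally, drop them right after accounting so no replies are ever sent.
setup_account() {
    run iptables -t raw -I PREROUTING -i "$1" -j NETFLOW
    if [ "$DROP_AFTER_ACCOUNT" = "1" ]; then
        run iptables -t raw -A PREROUTING -i "$1" -j DROP
    fi
}

# main ROLE LOCAL_IP REMOTE_IP UNDERLAY_DEV TUN_DEV [ingress|egress]
#   ROLE=source: tunnel + mirror (trafsource)   ROLE=target: tunnel + accounting (testbox)
main() {
    role="$1"; local_ip="$2"; remote_ip="$3"; phys="$4"; tun="$5"; dir="${6:-ingress}"
    setup_tunnel "$local_ip" "$remote_ip" "$phys" "$tun" || return 1
    case "$role" in
        source) setup_mirror "$dir" "$phys" "$tun" "$phys" ;;
        target) setup_account "$tun" ;;
        *) echo "usage: $0 source|target LOCAL_IP REMOTE_IP DEV TUN_DEV [ingress|egress]" >&2
           return 2 ;;
    esac
}

# e.g.  sh mirror.sh source 2.3.4.5 1.2.3.4 eth0 mtun   (on trafsource)
#       sh mirror.sh target 1.2.3.4 2.3.4.5 eth0 mtun   (on testbox)
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once in dry-run mode on each host and read the printed commands before setting DRY_RUN=0; the refusal path is the one to keep even if you trim the rest, since a looping mirror saturates the source link immediately.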
