How to mirror IP traffic to another system for monitoring

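This article describes how to use the tc command on Red Hat Enterprise Linux 6 to mirror IP traffic for network monitoring. By creating an ingress qdisc and adding a filter that matches all IP packets and copies them to a specified interface, traffic between virtual machines can be monitored.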

https://access.redhat.com/solutions/881163

SOLUTION Verified - Updated July 10, 2014 13:33

Environment

  • Red Hat Enterprise Linux (RHEL) 6

Issue

  • How do I mirror IP traffic for monitoring?

Resolution

There are quite a few approaches to mirroring traffic to another system for monitoring. Typically, this is done with specialized hardware, specifically switches and routers that have an option to mirror traffic. Red Hat Enterprise Linux (RHEL) 6.x can do this as well: using the tc command (part of the iproute-2 package), traffic can be controlled and mirrored to another interface for monitoring.

In the code below, assume that the security appliance is attached to the bridge interface "vnet0", and the virtual machine (VM) to be monitored is attached to bridge interface "vnet1".

# tc qdisc add dev vnet1 ingress

This creates a new qdisc called ingress. This is really a special qdisc that you can consider an "alternate root" for inbound packets. vnet1 is the interface that is being monitored, or the traffic to be mirrored.

# tc filter add dev vnet1 parent ffff: \
  protocol ip u32 match u8 0 0 \
  action mirred egress mirror dev vnet0

Here, packets generated by the VM are copied. A new filter is added, attached to the node "ffff:", which is the fixed ID of the ingress qdisc (queue discipline). The filter only matches IP packets ("protocol ip"). The part "u32 match u8 0 0" specifies the matching expression: the "u32" matcher with arguments "u8 0 0". This means: match any packet where the first byte, when ANDed with the value 0, returns 0. In other words, all packets are selected. When the filter matches, the action "mirred" is executed with arguments "egress mirror dev vnet0". This tells mirred to copy the packet to the device "vnet0".

# tc qdisc replace dev vnet1 parent root prio 

This replaces the qdisc that is directly attached to the root node with a new qdisc of type "prio". You may select another qdisc if you desire; the reason for replacing it is to make sure that a classful qdisc is attached. By default, the classless qdisc "pfifo_fast" is used, and being a classless qdisc, it doesn't evaluate filters.

# tc filter add dev vnet1 parent 8002: \
  protocol ip u32 match u32 0 0 \
  action mirred egress mirror dev vnet0

This line copies packets that are destined for the virtual machine. The filter is attached to the egress side of the bridge interface, which is where all qdiscs normally operate. The filter is added to the qdisc with node ID 8002:. This may be different on your system. After step 3 you should check the ID that has been allocated with "tc qdisc show dev vnet1". The protocol and action parameters are identical to step 2, and the match expression ("u32 match u32 0 0") likewise selects every packet.
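
The four steps above combined into one script, as an added example that is not part of the original article: it reads back the handle allocated to the prio qdisc instead of assuming 8002:. The function names and script layout are assumptions, and both filters use "u32 match u32 0 0", which selects every IP packet just as "u8 0 0" does.

```shell
#!/bin/sh
# Added example (not from the original article). Interface names are
# arguments; the article uses vnet1 (monitored) and vnet0 (monitor).

# Print the handle of the prio qdisc from `tc qdisc show` output on stdin.
prio_handle() {
    awk '$1 == "qdisc" && $2 == "prio" { print $3; exit }'
}

# Attach a match-all IP filter under parent $2 on $1, copying packets to $3.
add_mirror_filter() {
    tc filter add dev "$1" parent "$2" protocol ip \
        u32 match u32 0 0 \
        action mirred egress mirror dev "$3"
}

# setup_mirror MONITORED SINK
setup_mirror() {
    mon=$1; sink=$2
    [ -n "$mon" ] && [ -n "$sink" ] && [ "$mon" != "$sink" ] || {
        echo "usage: setup_mirror MONITORED SINK (must differ)" >&2; return 2; }
    # Steps 1-2: ingress qdisc (fixed ID ffff:) and its mirror filter.
    tc qdisc add dev "$mon" ingress || return 1
    add_mirror_filter "$mon" ffff: "$sink" || return 1
    # Step 3: classful root qdisc so that egress filters are evaluated.
    tc qdisc replace dev "$mon" parent root prio || return 1
    # Step 4: look up the handle that was allocated, then add the filter.
    handle=$(tc qdisc show dev "$mon" | prio_handle)
    [ -n "$handle" ] || { echo "no prio qdisc on $mon" >&2; return 1; }
    add_mirror_filter "$mon" "$handle" "$sink"
}

# Remove the mirror: deleting both qdiscs also drops their filters.
teardown_mirror() {
    tc qdisc del dev "$1" ingress
    tc qdisc del dev "$1" root
}

# Run only when called with two interface names, e.g.: sh mirror.sh vnet1 vnet0
if [ "$#" -eq 2 ]; then
    setup_mirror "$1" "$2" && tc -s filter show dev "$1" parent ffff:
fi
```

Run it as root on the host; `teardown_mirror vnet1` stops the copying once monitoring is finished.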

Root Cause

  • Need to mirror traffic for monitoring

Diagnostic Steps

Verified in virtual environment with RHEL 6.5 machine with 2 VMs running.

  • Each vnetX interface matches up to a VM
  • VM2 was the machine to monitor traffic on
  • The host was the machine that mirror packets were sent to
  • Following the commands in the resolution, with adjustments for interface names, this was successfully configured

I was able to use Wireshark to watch eth0 in the host as I sent traffic from VM1 to VM2. The Wireshark capture was receiving packets on eth0 that were copied to it from vnet1. This verified that the packets sent from VM1 to VM2 were mirrored to eth0. Web traffic was also copied to eth0 when using VM2 to access the internet. This solution will mirror IP traffic to another interface.
