INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Port Mirroring - Only LAN traffic mirrored!

Port Mirroring - Only LAN traffic mirrored!

(OP)
Hello all.

I'm trying to setup a port mirror on a Nortel Baystack 470-24 switch (4 in stack). The purpose of the mirror is so that I can run a IDS on a host other than the firewall itself. So, on the firewall (CentOS 5.10), when I run 'tcpdump -l -nnn -i eth1' (eth1 is the LAN facing interface), I can see all traffic heading to the LAN from the Internet in addition to other noise on the LAN. However, on the IDS, when I run the same tcpdump command as above on the interface designated as the sensor port, I only see local traffic - the traffic destined to internal hosts from the Internet doesn't seem to be mirrored to the monitor port - what am I missing? The port mirror configuration is straight forward so if it is something I'm missing, it must be on a different screen and I don't have a clue where to look!

Please help! I've been searching on Google but as usual, I can't seem to get the right combination of words to get me to the solution I'm hoping is out there! I'm hopefull the experts here will know the answer!

Cheers,
ak.

RE: Port Mirroring - Only LAN traffic mirrored!

(OP)
SOLVED.

In my troubleshooting, I stumbled upon the fact that on a virtual machine (a fact I forgot to mention in my original post was that the IDS is setup as a guest machine on an ESXi host), one has to ensure that the port group to which the VM interface is attached must be configured for promiscuity [0]! Once I did that, my VM can now see all traffic that the firewall sees.

Cheers,
ak.

[0] - http://kb.vmware.com/selfservice/microsites/search...

RE: Port Mirroring - Only LAN traffic mirrored!

(OP)

According to a post near the bottom of thread760-1592987: Search Engine Redirect Issue, I should be able to mark my own thread as solved. However, I see no such option!

So, how does one go about marking a thread as solved OR deleting a post in the thread that was entered erroneously (as in above) AND/OR editing a post in a thread?

cheers,
ak.

RE: Port Mirroring - Only LAN traffic mirrored!


For posts that you want deleted or edited, click on the "Red Flag this Post" link and state what you want in the area provided.

There is no ability to mark a thread as solved. The way you did it, by posting SOLVED (with your solution) is the best that you can do.

Hope this helps.

Please help us help you. Read Tek-Tips posting polices before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close