Hello everyone,
I am trying to mirror my traffic and feed the monitor port of a security onion.
When i am doing a tcpdump at the security onion all i can see is broadcast packets and arp.
There is something special for configuration?
Searched and haven’t found a solution, but many refers to this issue.
http://forum.mikrotik.com/t/port-mirroring/104185/1
Can anyone help?
Thanks in advance
Show the configuration from /interface/bridge and /interface/ethernet … it’s likely that your switch has HW offload enabled (otherwise it wouldn’t be able to switch traffic at wirespeed) and port mirroring doesn’t actually work.
I confirm there’s a problem with this device. It only mirrors broadcast traffic, but unicast (TCP, UDP etc) is missing in the stream.
There’s nothing special with the configuration, just followed this article: https://help.mikrotik.com/docs/spaces/ROS/pages/30474317/CRS3xx+CRS5xx+CCR2116+CCR2216+switch+chip+features#CRS3xx%2CCRS5xx%2CCCR2116%2CCCR2216switchchipfeatures-PortBasedMirroring
Of course I have HW offloading enabled! That’s the whole point of switching (and mirroring) via switch chip.
Is your source and destination interface on the same switch chip internally?
According to block diagram, there is only single switch chip: https://cdn.mikrotik.com/web-assets/product_files/CRS305-1G-4S_220955.png
I’m sorry, there is no issue with this switch.
My problem was caused by misconfigured bridge in the Proxmox machine where I run the capture.
I bet the original submitter of this post had similar problem.
