Currently, I could only set one mirror-source and one mirror-target on my RB750Gr3 / 6.45.9 board. For example: mirror port 2 to port 1… Or mirror port 3 to port 1, etc. But not multiple ports at the same time.
I would like to create multi mirror-source to single mirror-target port mirroring setup. Meaning: set ports 2-5 mirroring to port 1. And then use port 1 with traffic analyzer in order to check what’s happening on ports 2-5.
Bandwidth chokes and potential lost traffic are not important here - everything that will be connected to ports 2-5 is low-bandwidth (<= 100Mbs) devices.
I’m afraid you have to use action=sniff-tzsp rules in /ip firewall mangle since the goal is to sniff the traffic for further analysis (so the TZSP encapsulation of the original packets doesn’t break that goal); if the ports are bridged together, another thing necessary is to disable hardware forwarding among them, and to set use-ip-firewall in /interface bridge settings to yes so that the bridged packets reach the mangle rules.
Hi sandy, thank you for reply. Could you please elaborate it a little bit further?
Does that mean I have to turn off hardware switching capabilities too? If yes, how would that impact board performance?
Using TZSP assumes I have some sort of sniffing server listening on some port somewhere on the connected network, right? This is not the case here. Port 1 (where all other ports would need to be mirrored to) is connected to NIC in promiscuous mode without any fixed IP. I don’t think I could setup something like that here.
And finally, is there any MikroTik board that has such multi-port sniffing capabilities out-of-box? I mean… Mangle rules and everything is probably fine most of the time, but I don’t think it’s applicable here. Even some low-cost semi-manageable switches support multi-port sniffing - however, I would rather use MikroTik due to other cool stuff I can do with it.
Yes, I honestly wrote that. But as you’ve said the traffic volume is low, bridging it among the ports in software should not have a significant impact?
TZSP is a uni-directional protocol, so no response from the destination is required (nor possible). If you configure an IP subnet on ether1, and add a static ARP record for any IP address within that subnet, with any unicast MAC address, at ether1, RouterOS will send the TZSP packets via ether1.
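The setup sketched in the two replies above (software bridge with hardware offload disabled, use-ip-firewall, a static ARP entry on ether1 and a sniff-tzsp mangle rule) written out as a RouterOS 6 CLI example. This is an added illustration, not configuration posted in the thread; the bridge name bridge1, the interface list name mirrored, the subnet 192.0.2.0/24 and the MAC 02:00:00:00:00:01 are assumed placeholder values, and the rule matches on in-interface-list only because out-interface matching is not available in the prerouting chain:

```routeros
# Added example, not from the thread. Mirror ether2-ether5 to a promiscuous sniffer on ether1
# using TZSP. Names and addresses below are assumed placeholders, not values from the thread.

# 1. Bridge the mirrored ports with hardware offload disabled (hw=no) so that frames between
#    them pass through the CPU instead of the switch chip, where the firewall cannot see them.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2 hw=no
/interface bridge port add bridge=bridge1 interface=ether3 hw=no
/interface bridge port add bridge=bridge1 interface=ether4 hw=no
/interface bridge port add bridge=bridge1 interface=ether5 hw=no

# 2. Let bridged (layer-2 forwarded) packets reach /ip firewall, including the mangle table.
/interface bridge settings set use-ip-firewall=yes

# 3. The sniffer NIC on ether1 has no IP and never answers ARP, so give ether1 an address
#    (placeholder 192.0.2.1/24) and pin the target IP to a made-up unicast MAC with a static
#    ARP entry. TZSP is one-way UDP, so no reply from the target is needed.
/ip address add address=192.0.2.1/24 interface=ether1
/ip arp add address=192.0.2.10 mac-address=02:00:00:00:00:01 interface=ether1

# 4. Group the mirrored ports in an interface list and copy everything that enters them.
#    sniff-target-port=37008 is the default TZSP port understood by common analyzers.
/interface list add name=mirrored
/interface list member add list=mirrored interface=ether2
/interface list member add list=mirrored interface=ether3
/interface list member add list=mirrored interface=ether4
/interface list member add list=mirrored interface=ether5
/ip firewall mangle add chain=prerouting in-interface-list=mirrored \
    action=sniff-tzsp sniff-target=192.0.2.10 sniff-target-port=37008 sniff-id=1 \
    comment="copy of ports 2-5 to the analyzer on ether1"
```

On the analyzer side the capture will show UDP datagrams to port 37008 whose payload is the original frame wrapped in a TZSP header; Wireshark decodes TZSP on that port and shows the inner packet, and the sniff-id value can be used to tell apart copies coming from different rules. Because the mangle rule only sees IP traffic that crosses the firewall, non-IP frames (for example plain ARP between the mirrored devices) will not be copied, which is the main difference from switch-chip port mirroring.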
The CRS series switches (1xx/2xx/3xx) can do this even when running RouterOS, and RB260 which is much cheaper can do that too but RouterOS is not an option there, so the “cool stuff” part is missing there.
I think you pointed me into the right direction. If RB260 can do this properly (I hope so), I could incorporate it into this “dummy port mirroring” setup and leave proper MT and its cool stuff outside of the whole thing. So thank you! I will get some RB260 and check what they can actually do in RL.
Hi Sindy, I followed your hint, but could you be more specific about “disable hardware forwarding among them”? What does it exactly mean? I created a new mangle rule: Chain: Prerouting, Out interface: Eth 5, In Interface List: containing Eth1, 2, 3, 4, Action: Sniff TZSP. But I got the response "Couldn't add New Mangle Rule - outgoing interface matching not possible in input and prerouting chains (6)". Do you have any idea how to fix it please? What could cause the problem?
Regards