Chapter 45. Mirroring a network interface by using nmcli

Network administrators can use port mirroring to replicate inbound and outbound network traffic being communicated from one network device to another. Mirroring traffic of an interface can be helpful in the following situations:

To debug networking issues and tune the network flow
To inspect and analyze the network traffic
To detect an intrusion

Prerequisites

A network interface to mirror the network traffic to.

Procedure

Add a network connection profile that you want to mirror the network traffic from:

# nmcli connection add type ethernet ifname enp1s0 con-name enp1s0 autoconnect no

Attach a prio qdisc to enp1s0 for the egress (outgoing) traffic with the 10: handle:
```
# nmcli connection modify enp1s0 +tc.qdisc "root prio handle 10:"
```
The prio qdisc attached without children allows attaching filters.

Add a qdisc for the ingress traffic, with the ffff: handle:

# nmcli connection modify enp1s0 +tc.qdisc "ingress handle ffff:"

Add the following filters to match packets on the ingress and egress qdiscs, and to mirror them to enp7s0:

# nmcli connection modify enp1s0 +tc.tfilter "parent ffff: matchall action mirred egress mirror dev enp7s0"

# nmcli connection modify enp1s0 +tc.tfilter "parent 10: matchall action mirred egress mirror dev enp7s0"

The matchall filter matches all packets, and the mirred action redirects packets to destination.

Activate the connection:
```
# nmcli connection up enp1s0
```

Verification

Install the tcpdump utility:
```
# dnf install tcpdump
```
Display the traffic mirrored on the target device (enp7s0):
```
# tcpdump -i enp7s0
```

Additional resources

How to capture network packets using tcpdump (Red Hat Knowledgebase)

Chapter 45. Mirroring a network interface by using nmcli

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links