Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Port Mirroring - Only LAN traffic mirrored!

Status
Not open for further replies.
mrbean2766

mrbean2766

Programmer
Jun 23, 2001
18
0
0
AU
Hello all.

I'm trying to setup a port mirror on a Nortel Baystack 470-24 switch (4 in stack). The purpose of the mirror is so that I can run a IDS on a host other than the firewall itself. So, on the firewall (CentOS 5.10), when I run 'tcpdump -l -nnn -i eth1' (eth1 is the LAN facing interface), I can see all traffic heading to the LAN from the Internet in addition to other noise on the LAN. However, on the IDS, when I run the same tcpdump command as above on the interface designated as the sensor port, I only see local traffic - the traffic destined to internal hosts from the Internet doesn't seem to be mirrored to the monitor port - what am I missing? The port mirror configuration is straight forward so if it is something I'm missing, it must be on a different screen and I don't have a clue where to look!

Please help! I've been searching on Google but as usual, I can't seem to get the right combination of words to get me to the solution I'm hoping is out there! I'm hopefull the experts here will know the answer!

Cheers,
ak.
 
Sort by date Sort by votes
SOLVED.

In my troubleshooting, I stumbled upon the fact that on a virtual machine (a fact I forgot to mention in my original post was that the IDS is setup as a guest machine on an ESXi host), one has to ensure that the port group to which the VM interface is attached must be configured for promiscuity [0]! Once I did that, my VM can now see all traffic that the firewall sees.

Cheers,
ak.

[0] -
 
Upvote 0 Downvote

According to a post near the bottom of thread760-1592987, I should be able to mark my own thread as solved. However, I see no such option!

So, how does one go about marking a thread as solved OR deleting a post in the thread that was entered erroneously (as in above) AND/OR editing a post in a thread?

cheers,
ak.
 
Upvote 0 Downvote

For posts that you want deleted or edited, click on the "Red Flag this Post" link and state what you want in the area provided.

There is no ability to mark a thread as solved. The way you did it, by posting SOLVED (with your solution) is the best that you can do.

Hope this helps.

Please help us help you. Read Tek-Tips posting polices before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Caps007
  • Locked
  • Question
Port Mirroring
Replies
1
Views
139
ADB100
ADB100
Tony D
  • Locked
  • Question
NAT Port Forwarding
Replies
0
Views
110
Tony D
Tony D
SBwrx5
  • Locked
  • Question
Disable Port 8083 on Kyocera TA5501i MFP
Replies
1
Views
78
SBwrx5
SBwrx5
DaveBarribeau
  • Locked
  • Question
Duplicate source port after reboot, host won't SYN,ACK
Replies
0
Views
50
DaveBarribeau
DaveBarribeau
Comeragh
  • Locked
  • Question
SNMP and Port Forwarding
Replies
0
Views
40
Comeragh
Comeragh

Part and Inventory Search

Sponsor

Back
Top