This is the second chapter in the packet capture saga. Jump here to see how it started.

So you have a managed switch? And it supports OpenFlow!

You can install a rule with two actions: the first does standard L2 forwarding (or just hot-potato bouncing to another interface), and the second outputs a copy of the packet to a different port, the mirror port.

In practice, this resolves to something like (using Ryu):

actions = [parser.OFPActionOutput(out_port),

We also push a VLAN header onto the mirrored copy, so that mirrored packets are easy to tell apart from everything else on the capture box.
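As an added example (not code from the original post), here is what that double-action list looks like on the wire in OpenFlow 1.3, serialised by hand rather than through Ryu so it runs offline and can be compared against a controller trace or a switch's flow dump. Port numbers and the VLAN id are constructed sample values; the action types are the ones Ryu's OFPActionOutput, OFPActionPushVlan and OFPActionSetField(vlan_vid=...) map to.

```python
import struct

# OpenFlow 1.3 constants (action types, 802.1Q ethertype, OXM header for vlan_vid)
OFPAT_OUTPUT = 0
OFPAT_PUSH_VLAN = 17
OFPAT_SET_FIELD = 25
ETH_TYPE_8021Q = 0x8100
OFPVID_PRESENT = 0x1000        # OF1.3 sets this bit when a VLAN tag is present
OXM_OF_VLAN_VID = 0x80000C02   # class OPENFLOW_BASIC, field 6 (VLAN_VID), length 2


def action_output(port: int, max_len: int = 0) -> bytes:
    # ofp_action_output: type, len, port, max_len, 6 bytes padding (16 bytes);
    # max_len only matters when the port is OFPP_CONTROLLER.
    return struct.pack("!HHIH6x", OFPAT_OUTPUT, 16, port, max_len)


def action_push_vlan() -> bytes:
    # ofp_action_push: type, len, ethertype, 2 bytes padding (8 bytes)
    return struct.pack("!HHH2x", OFPAT_PUSH_VLAN, 8, ETH_TYPE_8021Q)


def action_set_vlan_vid(vid: int) -> bytes:
    if not 0 < vid < 4095:
        raise ValueError("VLAN id must be 1..4094")
    # ofp_action_set_field: type, len, then the OXM TLV, zero-padded to 8-byte multiple
    oxm = struct.pack("!IH", OXM_OF_VLAN_VID, OFPVID_PRESENT | vid)
    body = struct.pack("!HH", OFPAT_SET_FIELD, 16) + oxm
    return body + b"\x00" * (16 - len(body))


def mirror_actions(out_port: int, mirror_port: int, mirror_vlan: int) -> bytes:
    # Order matters: OUTPUT emits a copy of the packet in its current state, so the
    # production copy leaves untagged and only the mirrored copy carries the VLAN tag.
    return b"".join([
        action_output(out_port),
        action_push_vlan(),
        action_set_vlan_vid(mirror_vlan),
        action_output(mirror_port),
    ])


def decode_actions(blob: bytes) -> list:
    # Walk an action list back into (type, len) pairs, checking 8-byte alignment.
    out, off = [], 0
    while off < len(blob):
        atype, alen = struct.unpack_from("!HH", blob, off)
        if alen % 8 or alen == 0 or off + alen > len(blob):
            raise ValueError("malformed action at offset %d" % off)
        out.append((atype, alen))
        off += alen
    return out


if __name__ == "__main__":
    blob = mirror_actions(out_port=2, mirror_port=5, mirror_vlan=100)
    print(blob.hex(), decode_actions(blob))
```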

Now you just have to fire up your tcpdump on the interface connected to this mirror port and call it a day.

Some considerations

  • you may want to take the interface down when not capturing, so it does not interfere with your system
  • it may be safer to run ip addr flush dev eth_whatever before capturing: we don’t want the system to have an IP address there, and we want promiscuous capturing.
  • your switch controller should ignore packets coming from the mirror port. We don’t want it to mess up ARP and the like!

Speed and power!

tcpdump can hardly scale to line rate, especially when your line rate is above 10Gbps. You can build your own crude tcpdump with FastClick:

sudo ~/fastclick/bin/click --dpdk -l10 -m 1G -a 03:00.1 \
        --file-prefix capture -- -e \
        "FromDPDKDevice(0, PROMISC 1, SCALE parallel) ->
         avg::AverageCounterIMP ->
         Script(wait 1s, read avg.count, loop)"

Depending on your system, dumping to a RAM-backed folder (as /tmp often is) may not be a sane idea. Get yourself a fast SSD and dump there.