Switch with port mirroring - playing with bandwidth monitoring

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Switch with port mirroring - playing with bandwidth monitoring

davidcole

6037 posts

Uber Geek

Trusted

#196450 31-May-2016 18:56

So I've just picked up a to link sg1024de rack mount switch. Apparently it does port mirroring, which I assume I can use for looking at lan and wan bandwidth monitoring.

I've hit a could if virtual Linux machines. What would I put in them that's relatively easy to figure out and that would give me some pretty graphs to look at. I dont have a problem to look st, just want to gave a toodle.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1563375 31-May-2016 23:33

Graphite/Grafana or Cacti make pretty graphs based on port stats.

But if you wanted to get browsing habits of your internals then squid would be required. Then you could use something like this: https://github.com/akashihi/graphite-squid

davidcole

6037 posts

Uber Geek

Trusted

#1563421 1-Jun-2016 06:30

So if the vm is connected to the same NIC as the host and other vms - should I just be able to connect the lot to the mirroring port (physically) and in the Linux machine just tell it to start collecting?

Or do I need to make some virtual vlans etc and give the Linux Machine two nics .

chimera

506 posts

Ultimate Geek

#1563534 1-Jun-2016 10:33

davidcole: So if the vm is connected to the same NIC as the host and other vms - should I just be able to connect the lot to the mirroring port (physically) and in the Linux machine just tell it to start collecting?

Or do I need to make some virtual vlans etc and give the Linux Machine two nics .

If you had a physical machine connected direct to the mirror port, then it would be easy as - you'd just start packet capture with whatever software you're using and away you go.

You didn't mention which hypervisor you're running - I'll assume VMWare ESXi... because you're running a VM and that VM is on a virtual switch, then you will need to enable promiscuous mode on the vSwitch/PG (because with promiscuous mode disabled, then by default the VM will only receive traffic that's destined for it)

davidcole

6037 posts

Uber Geek

Trusted

#1563558 1-Jun-2016 11:02

chimera:

davidcole: So if the vm is connected to the same NIC as the host and other vms - should I just be able to connect the lot to the mirroring port (physically) and in the Linux machine just tell it to start collecting?

Or do I need to make some virtual vlans etc and give the Linux Machine two nics .

If you had a physical machine connected direct to the mirror port, then it would be easy as - you'd just start packet capture with whatever software you're using and away you go.

You didn't mention which hypervisor you're running - I'll assume VMWare ESXi... because you're running a VM and that VM is on a virtual switch, then you will need to enable promiscuous mode on the vSwitch/PG (because with promiscuous mode disabled, then by default the VM will only receive traffic that's destined for it)

Yeah I'm beginning to think that. Would a Raspberry pi be fast enough to deal with the packets from a gigabit switch?

BTW using Hyper-V. There seems to be a bit of mirroring information for it. But it's getting ot the too hard basket

chimera

506 posts

Ultimate Geek

#1563561 1-Jun-2016 11:09

davidcole:

chimera:

davidcole: So if the vm is connected to the same NIC as the host and other vms - should I just be able to connect the lot to the mirroring port (physically) and in the Linux machine just tell it to start collecting?

Or do I need to make some virtual vlans etc and give the Linux Machine two nics .

If you had a physical machine connected direct to the mirror port, then it would be easy as - you'd just start packet capture with whatever software you're using and away you go.

You didn't mention which hypervisor you're running - I'll assume VMWare ESXi... because you're running a VM and that VM is on a virtual switch, then you will need to enable promiscuous mode on the vSwitch/PG (because with promiscuous mode disabled, then by default the VM will only receive traffic that's destined for it)

Yeah I'm beginning to think that. Would a Raspberry pi be fast enough to deal with the packets from a gigabit switch?

BTW using Hyper-V. There seems to be a bit of mirroring information for it. But it's getting ot the too hard basket

*ugh* Hyper-V...

It sounds like you're more familiar with Windows? Go and install a Windows VM and download and run Wireshark and play around with that combo. Its an easier tool to learn packet structures with.

Cheers

Decal

222 posts

Master Geek

ID Verified

#1563571 1-Jun-2016 11:21

If you want to a break down of the applications and URLs. You can use PRTG which has a packet sniffer feature and gives you a visual break down of the traffic. The computer/VM running the PRTG sniffer will require 2 NICs, 1 to plug into the Mirrored port and the other for management.

davidcole

6037 posts

Uber Geek

Trusted

#1563575 1-Jun-2016 11:31

Decal:

If you want to a break down of the applications and URLs. You can use PRTG which has a packet sniffer feature and gives you a visual break down of the traffic. The computer/VM running the PRTG sniffer will require 2 NICs, 1 to plug into the Mirrored port and the other for management.

Yeah I figured it would need two nics....so I guess the next question is more hyper-v (or you can relate to vmware if you want), if the host has 2 nics....both are connected to the switch, 1 to a normal port, and the other to the mirroring port. Is the NIC connected to the mirroring port now useless for any traffic by what will be passed to the VM for monitoring? Or does it just act like a normal port?

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

Decal

222 posts

Master Geek

ID Verified

#1563642 1-Jun-2016 13:31

davidcole:

Decal:

If you want to a break down of the applications and URLs. You can use PRTG which has a packet sniffer feature and gives you a visual break down of the traffic. The computer/VM running the PRTG sniffer will require 2 NICs, 1 to plug into the Mirrored port and the other for management.

Yeah I figured it would need two nics....so I guess the next question is more hyper-v (or you can relate to vmware if you want), if the host has 2 nics....both are connected to the switch, 1 to a normal port, and the other to the mirroring port. Is the NIC connected to the mirroring port now useless for any traffic by what will be passed to the VM for monitoring? Or does it just act like a normal port?

It will only be able to be used to monitor the traffic. From memory with Hyper v I think you can create a v switch that can include that physical port and then at the VMs second vNIC to that vswitch and it should receive all the traffic. You will probably need to enable promiscuous mode (Cant remember if Hyper-V has this/ if it does what its called).