Traffic directions, port mirrors and taps


Network taps preserve traffic direction: based on the tap port you are monitoring, you know whether a packet is going A -> B or B -> A. With port mirrors you completely lose this information (unless you create one port mirror per direction, which not all network switches allow), because both directions are mixed onto the same monitoring port and the typical in/out breakdown charts no longer work.

To overcome this limitation, nProbe can mimic directions using MAC addresses. In essence, if you know the MAC addresses of your routers you know whether traffic is going towards a router or coming from it. The assumption is that router MAC addresses are reliable, which is not always true in these cybersec days.

  • Option 1
    Use V9/IPFIX to export the MAC addresses
    With -T you can set the export template; if you add %IN_SRC_MAC and %OUT_DST_MAC you can see the MACs in the flows and let the collector compute the direction.
  • Option 2
    Use the MAC addresses to set interface IDs and export the direction
    Supposing that your routers have MACs 5c:49:79:75:4e:6a and 0a:30:62:56:00:1c, you can define in nProbe --if-networks "5c:49:79:75:4e:6a@2,0a:30:62:56:00:1c@2", which says: all traffic with these source MACs is bound to interfaceId 2. Adding also --in-iface-idx 2 --out-iface-idx 0, which says: ingress traffic will have ifIndex 2, all the pieces are in place. In this case the DIRECTION information element will be set according to the MAC address information.
  • Option 3
    If you set --in-iface-idx -1 --out-iface-idx -1, nProbe will set the interfaceId to the last two bytes of the MAC address, so you can use the same technique as option 1 even with NetFlow V5.
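The collector-side half of the three options, as an added example that is not nProbe code: given the %IN_SRC_MAC / %OUT_DST_MAC values from Option 1, decide the direction of each flow against a list of known router MACs; parse an --if-networks string into the interfaceId mapping of Option 2; and derive the Option 3 interfaceId from the last two bytes of a MAC. The router MACs are the two from the post; the flow records are constructed sample input. Flows where both MACs, or neither, belong to a router are deliberately reported as "unknown" rather than guessed, which is also where a spoofed router MAC would surface.

```python
# Added example (not nProbe code): collector-side direction inference from
# exported MAC addresses, plus the interfaceId conventions of Options 2 and 3.

# Router MACs taken from the post; in practice load them from your inventory.
ROUTER_MACS = {"5c:49:79:75:4e:6a", "0a:30:62:56:00:1c"}


def norm_mac(mac: str) -> str:
    """Normalise aa-bb-cc-dd-ee-ff, AA:BB:..., or aabb.ccdd.eeff to lower-case colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def direction_from_macs(src_mac: str, dst_mac: str, router_macs=ROUTER_MACS) -> str:
    """Option 1: decide the direction on the collector.

    A frame whose destination MAC is a router is leaving the LAN ("out");
    one whose source MAC is a router is arriving from it ("in").
    Both or neither matching cannot be attributed and is flagged "unknown".
    """
    routers = {norm_mac(m) for m in router_macs}
    src_is_router = norm_mac(src_mac) in routers
    dst_is_router = norm_mac(dst_mac) in routers
    if src_is_router and not dst_is_router:
        return "in"
    if dst_is_router and not src_is_router:
        return "out"
    return "unknown"


def if_index_from_if_networks(src_mac: str, if_networks: str, default: int = 0) -> int:
    """Option 2: map a source MAC through an --if-networks "mac@id,mac@id" string."""
    table = {}
    for entry in if_networks.split(","):
        mac, _, idx = entry.strip().partition("@")
        table[norm_mac(mac)] = int(idx)
    return table.get(norm_mac(src_mac), default)


def if_index_from_mac(mac: str) -> int:
    """Option 3 convention: interfaceId is the last two bytes of the MAC address."""
    return int(norm_mac(mac).replace(":", "")[-4:], 16)


# Constructed sample flow records as a collector might receive them.
SAMPLE_FLOWS = [
    # host -> router: egress
    {"in_src_mac": "b8:27:eb:11:22:33", "out_dst_mac": "5c:49:79:75:4e:6a", "bytes": 1200},
    # router -> host: ingress
    {"in_src_mac": "0a:30:62:56:00:1c", "out_dst_mac": "b8:27:eb:11:22:33", "bytes": 5400},
    # router -> router: direction cannot be attributed
    {"in_src_mac": "5c:49:79:75:4e:6a", "out_dst_mac": "0a:30:62:56:00:1c", "bytes": 300},
]


def summarise(flows, router_macs=ROUTER_MACS) -> dict:
    """Byte totals per direction, the numbers an in/out breakdown chart would plot."""
    totals = {"in": 0, "out": 0, "unknown": 0}
    for f in flows:
        totals[direction_from_macs(f["in_src_mac"], f["out_dst_mac"], router_macs)] += f["bytes"]
    return totals


if __name__ == "__main__":
    print(summarise(SAMPLE_FLOWS))
    print(if_index_from_if_networks("0a:30:62:56:00:1c",
                                    "5c:49:79:75:4e:6a@2,0a:30:62:56:00:1c@2"))
    print(if_index_from_mac("5c:49:79:75:4e:6a"))
```

The "unknown" bucket is worth charting rather than dropping: a growing share of unattributable bytes means either the router list is stale or something on the segment is using a router MAC it should not.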

In some cases, when taps or multiple interfaces are used (e.g. each monitoring one network link) and you need to merge the traffic from those ports, you can do it inside nProbe by leveraging PF_RING. If you start nprobe -i "eth0,eth1", the traffic coming from both ports is first merged and then analysed by nProbe. Even in this case you can use the same MAC address trick explained above to mimic directions.