Neither AWS nor Google Cloud lets a tenant mirror traffic between its own instances or put a NIC into promiscuous mode in any way that sees other instances' frames: the virtual network only delivers a NIC the traffic addressed to it (AWS has since added a native VPC Traffic Mirroring feature, but it did not exist when this was written). Yet packet capture on AWS is often the easiest, and sometimes the only, way to exercise use cases that depend on seeing traffic between hosts, such as developing, testing or training on an IDS or other networking application. With Ravello you can build this kind of network configuration for your application while it runs on AWS or Google Cloud.
In this post we show how port mirroring is configured for an application in a few steps. The demo environment is three VMs, each with two NICs. Two of the VMs talk to each other (a simple ping), and the third receives a copy of everything they exchange because its NIC is set to "port mirror" mode in the Ravello VM properties. Note the distinction: port mirroring copies another port's traffic onto the monitoring port, while promiscuous mode makes the guest NIC accept frames not addressed to its own MAC. We only use tcpdump here, and tcpdump puts the capture interface into promiscuous mode by itself (unless run with -p), so no extra guest configuration is needed; a tool that does not do this would require the interface to be set to promiscuous mode manually.
First, let’s see the configuration of our two VMs communicating:
VM #1: access10
NIC #1: configured via DHCP with the reserved IP address 10.0.0.3, netmask 255.255.0.0
NIC #2: configured via DHCP with the reserved IP address 30.0.0.3, netmask 255.255.255.0
Any NIC can be placed on a separate VLAN.
VM #2: access20
NIC #1: configured via DHCP with the reserved IP address 10.0.0.5, netmask 255.255.0.0
NIC #2: configured via DHCP with the reserved IP address 30.0.0.5, netmask 255.255.255.0
Any NIC can be placed on a separate VLAN.
Note that if the NICs of VM #1 and VM #2 had been put on different VLANs, a further VM routing between the two VLANs would have been needed for them to reach each other (and the mirror would then only see the segment it sits on). Such a VM can also be defined in Ravello; see our previous post about advanced networking on AWS EC2 for details.
The third VM is the VM we’ll use for monitoring the traffic between the other VMs:
VM #3: promisc
NIC #1: configured via DHCP with the reserved IP address 10.0.0.7, netmask 255.255.0.0
NIC #2: configured via DHCP with the reserved IP address 30.0.0.7, netmask 255.255.255.0
For NIC #2 of this VM we checked the port mirroring option in the VM properties. That is the only change required: NIC #2 now receives a copy of the traffic on the 30.0.0.0/24 segment, including frames addressed to the other two VMs.
Now let's perform the test. VM #1 and VM #2 ping each other (ICMP echo request and reply over their NIC #2 addresses), and VM #3 captures that traffic with tcpdump on its mirrored NIC:
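The commands for the test above, as an added example that is not part of the original post. The interface name eth1 (assumed to be NIC #2 on each VM), the ten-second capture window, and the sample tcpdump output are assumptions constructed for this example; the 30.0.0.x addresses are the ones used above. The last function is the check a practitioner wants after enabling a mirror: that both directions of the conversation arrived, since a mirror that only delivers one direction (or frames addressed to the monitor itself) shows up as a zero count.

```shell
#!/bin/sh
# Added example (not from the original post): drive the three-VM ping test
# and verify from tcpdump's text output that the mirrored NIC saw both
# directions of the ICMP exchange.
set -eu

PEER_A=30.0.0.3   # access10, NIC #2
PEER_B=30.0.0.5   # access20, NIC #2
MIRROR_IF=eth1    # promisc VM NIC #2, the one marked "port mirror" (assumed name)

# BPF filter restricting the capture to ICMP between the two peers, so the
# monitor's own traffic on the segment does not pollute the result.
mirror_filter() {
    printf 'icmp and host %s and host %s' "$1" "$2"
}

# On access10: send five echo requests to access20 over the 30.0.0.0/24 segment.
ping_peer() {
    ping -c 5 "$1"
}

# On promisc (needs root): capture the mirrored traffic to a pcap for N seconds.
# tcpdump enables promiscuous mode on the interface itself unless given -p.
# -n avoids DNS lookups; -e prints MAC addresses so you can confirm the frames
# are addressed to the other two VMs, not to this one.
capture_mirror() {
    iface=$1; outfile=$2; seconds=$3
    timeout "$seconds" tcpdump -nei "$iface" -w "$outfile" \
        "$(mirror_filter "$PEER_A" "$PEER_B")" || true
}

# Count echo requests ($1 -> $2) and echo replies ($2 -> $1) in tcpdump text
# output read from stdin. Prints "requests replies".
count_directions() {
    awk -v a="$1" -v b="$2" '
        $0 ~ ("IP " a " > " b ": ICMP echo request") { req++ }
        $0 ~ ("IP " b " > " a ": ICMP echo reply")   { rep++ }
        END { printf "%d %d\n", req + 0, rep + 0 }'
}

# Constructed sample of what "tcpdump -nr capture.pcap" prints for one ping
# exchange; made up for this example, not captured from Ravello. The final
# reply is deliberately missing to show an asymmetric count.
SAMPLE_DUMP='12:00:01.000100 IP 30.0.0.3 > 30.0.0.5: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000400 IP 30.0.0.5 > 30.0.0.3: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000100 IP 30.0.0.3 > 30.0.0.5: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000400 IP 30.0.0.5 > 30.0.0.3: ICMP echo reply, id 1234, seq 2, length 64
12:00:03.000100 IP 30.0.0.3 > 30.0.0.5: ICMP echo request, id 1234, seq 3, length 64'

# Real run, on the promisc VM:
#   capture_mirror "$MIRROR_IF" capture.pcap 10 &      # start listening
#   (then run: ping_peer 30.0.0.5   on access10)
#   wait; tcpdump -nr capture.pcap | count_directions "$PEER_A" "$PEER_B"
# Offline check against the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | count_directions "$PEER_A" "$PEER_B"
```

If the second number is zero while pings succeed on access10, the mirror is delivering only frames addressed to the monitor's own MAC, which is exactly the situation this post is working around; check the port-mirror setting on NIC #2 and that the monitor sits on the same segment as the two peers.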
Summary
In this post we showed how easily a port-mirrored NIC can be set up for an application's internal network on AWS or Google Cloud, giving a monitoring VM a copy of the traffic between other VMs. Because our HVX technology builds an overlay network, Ravello provides a fully functional Layer 2 and Layer 3 network, which allows an accurate replica of your data center applications on the public cloud. You are welcome to check it out for yourself by starting a free trial, or drop us a line if you want to learn more.
The post How to use promiscuous mode on AWS: using port mirroring for packet capture in the cloud appeared first on The Ravello Blog.