Port mirroring is a method of sending a copy of the network packets seen on one port or VLAN to another port, where a monitoring device receives them. It "mirrors" the packets that pass a designated port to a target device. That device can then analyse the traffic, which makes port mirroring useful for enforcing policies, monitoring, intrusion detection and predicting traffic patterns. A VMware vDS can be configured for port mirroring exactly like a physical switch. Note that port mirroring is also sometimes referred to as a SPAN port. Let us take a look at configuring port mirroring on a vDS and verifying it with a Wireshark instance.
1- Open Wireshark on a test PC. Ensure it is connected to the ESXi network you are trying to monitor.
2- Monitor the interface connected to the ESXi host network, in my case the wifi adapter.
3- The mirrored traffic will be GRE encapsulated, so enter 'gre' in the Wireshark filter. Note: at this point the filtered capture shows nothing, as port mirroring has not been set up yet.
4- On the vCenter web UI, go to networks and select the vDS switch whose network you need to monitor.
5- Click on 'Configure' and then 'Port Mirroring'.
6- Click on '+New'.
7- The "Add Port Mirroring Session" wizard opens. Select the radio button "Encapsulated Remote mirroring (L3) Source" and then click on "Next".
8- Set a name for the port mirroring session and select "Enabled" from the Status drop-down. Leave all other settings at their defaults and click on "Next".
9- Under "Select Sources" click on "+" and add the port/vmnic whose traffic you want to monitor. Then click on "Next".
10- Under "Select Destinations" click on "+" and enter the IP address of the target device to which the mirrored traffic should be sent. In this case, that is the IP of the test PC where the Wireshark capture is running. Then click on "Next".
11- Review all the information and click on "Finish".
12- Now switch to the Wireshark capture window; you should be able to see mirrored traffic from your source vmnic.
Note: this severely impacts network performance; consider the resources in your setup before implementing it. For this test I was using nested ESXi with limited resources, so the host limitation was expected. Funny thing though, even my wifi AP gave up!! A thought would be to implement this on a separate network from the data network.
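To make concrete what the Wireshark 'gre' filter is matching, here is an added example (not code from the original post, and not VMware's own) that decapsulates one mirrored packet the way it arrives at the test PC: an outer IPv4 packet from the ESXi host to the destination IP entered in the wizard, a GRE header, and inside it the original Ethernet frame from the mirrored vmnic. It assumes the "Encapsulated Remote Mirroring (L3) Source" session uses plain GRE (RFC 2784/2890) with protocol type 0x6558 (Transparent Ethernet Bridging); the sample packet, its addresses and the GRE key are constructed for the example. The `from_expected_source` check is the one a collector should apply: the capture interface accepts GRE from any sender, so only copies whose outer source is a known ESXi host should be treated as mirror traffic.

```python
"""Decapsulate GRE-encapsulated mirrored frames as they arrive at the monitoring PC.

Added example, not code from the original post. Assumes the vDS mirroring session
wraps each mirrored Ethernet frame in plain GRE with protocol type 0x6558 inside an
outer IPv4 packet from the ESXi host to the destination IP given in the wizard.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set

IPPROTO_GRE = 47
GRE_PROTO_TRANSPARENT_ETHERNET = 0x6558  # inner payload is a full Ethernet frame
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_CHECKSUM = 0x8000  # C bit: 4-byte checksum/reserved1 field follows
GRE_FLAG_KEY = 0x2000       # K bit: 4-byte key follows
GRE_FLAG_SEQUENCE = 0x1000  # S bit: 4-byte sequence number follows


@dataclass
class MirroredFrame:
    outer_src: str            # ESXi host that sent the mirrored copy
    outer_dst: str            # the monitoring PC (destination IP from the wizard)
    gre_key: Optional[int]
    inner_src_mac: str
    inner_dst_mac: str
    inner_ethertype: int
    inner_src_ip: Optional[str]
    inner_dst_ip: Optional[str]
    inner_payload: bytes      # everything after the inner Ethernet header


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decapsulate_gre(packet: bytes) -> MirroredFrame:
    """Parse outer IPv4 -> GRE -> inner Ethernet (-> inner IPv4 addresses if present)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("expected an outer IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError(f"outer protocol {packet[9]} is not GRE (47)")
    outer_src, outer_dst = _ip(packet[12:16]), _ip(packet[16:20])

    off = ihl
    flags, proto = struct.unpack_from("!HH", packet, off)
    off += 4
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is supported")
    if proto != GRE_PROTO_TRANSPARENT_ETHERNET:
        raise ValueError(f"GRE protocol type {proto:#06x} is not transparent Ethernet")
    if flags & GRE_FLAG_CHECKSUM:
        off += 4  # checksum + reserved1; not verified in this example
    key = None
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack_from("!I", packet, off)
        off += 4
    if flags & GRE_FLAG_SEQUENCE:
        off += 4

    inner = packet[off:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    dst_mac, src_mac = _mac(inner[0:6]), _mac(inner[6:12])
    (ethertype,) = struct.unpack_from("!H", inner, 12)
    payload = inner[14:]
    src_ip = dst_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        src_ip, dst_ip = _ip(payload[12:16]), _ip(payload[16:20])
    return MirroredFrame(outer_src, outer_dst, key, src_mac, dst_mac,
                         ethertype, src_ip, dst_ip, payload)


def from_expected_source(frame: MirroredFrame, esxi_hosts: Set[str]) -> bool:
    """The collector accepts GRE from any sender; only trust copies from known ESXi hosts."""
    return frame.outer_src in esxi_hosts


def build_sample_mirrored_packet() -> bytes:
    """Constructed sample: ESXi 192.0.2.10 mirrors a VM's IPv4 frame (10.0.0.5 -> 10.0.0.6)
    to the test PC 192.0.2.50, GRE key 42. Outer checksum is left zero (not verified)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                           bytes([10, 0, 0, 5]), bytes([10, 0, 0, 6])) + b"\x00" * 8
    inner_eth = (bytes.fromhex("00505600aa01") + bytes.fromhex("00505600bb02")
                 + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip)
    gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_TRANSPARENT_ETHERNET, 42) + inner_eth
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 1, 0, 64, IPPROTO_GRE, 0,
                           bytes([192, 0, 2, 10]), bytes([192, 0, 2, 50]))
    return outer_ip + gre


if __name__ == "__main__":
    f = decapsulate_gre(build_sample_mirrored_packet())
    print(f"{f.outer_src} -> {f.outer_dst} key={f.gre_key}: "
          f"{f.inner_src_mac} -> {f.inner_dst_mac} {f.inner_src_ip} -> {f.inner_dst_ip}")
    print("trusted source:", from_expected_source(f, {"192.0.2.10"}))
```

Wireshark does this decapsulation for you, which is why the inner VM-to-VM conversation shows up under the GRE rows in the capture; the script is useful when the mirrored stream is written to a pcap and processed offline, or when the destination is a sensor that should drop GRE arriving from anything other than the ESXi hosts you configured.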