■ Configuring a mirror port (SPAN) on a Cisco 3750, and tcpdump's promiscuous mode

Switch#show version | include ^Cisco
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)

■ Continuation of the following post
Configuring a local mirror port (SPAN) on a Cisco C2970
http://labunix.hateblo.jp/entry/20160209/1454996869

■ The tcpdump command enables promiscuous mode by default, so I had been skipping over it.
The plan is to check it later using the broadcast address 255.255.255.255.
Network Specialist exam - SE娘の剣 - http://nw.seeeko.com/archives/cat_10022037.html

■ Resetting the C3750 to factory defaults

Switch#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#show startup-config
startup-config is not present
Switch#reload
Proceed with reload? [confirm]

■ Verification after the reset

...
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>show interface status | include full
Fa1/0/1 connected 1 a-full a-100 10/100BaseTX
Fa1/0/2 connected 1 a-full a-100 10/100BaseTX

■ The topology is as follows (the `-Tpng` is needed for dot to emit a PNG rather than dot text)

$ echo "[Linux1-eth1] <--> [Fa1/0/1] <-- SPAN --> [Fa1/0/2] --> [Linux2-eth1]" | \
graph-easy --dot | dot -Tpng -o C3750mirror.png

■ Linux1 side configuration (the sed masks the first four octets of the MAC address; hex digits run to f)

$ echo "[Linux1]"; \
ip a list eth1 | \
sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/g'
[Linux1]
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XX:XX:XX:XX:10:ca brd ff:ff:ff:ff:ff:ff
    inet 172.16.16.88/24 brd 172.16.16.255 scope global eth1
       valid_lft forever preferred_lft forever

■ IP address configuration on the Cisco 3750

enable
configure terminal
interface vlan 100
ip address 172.16.16.254 255.255.255.0
no shutdown
interface fa1/0/1
switchport mode access
switchport access vlan 100
no shutdown
end

■ Checking the VLAN on the Cisco 3750

Switch#show vlan id 100

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
100  VLAN0100                         active    Fa1/0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100  enet  100100     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

■ IP reachability check from the Cisco 3750

Switch#ping 172.16.16.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Switch#ping 172.16.16.88
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms

■ On the Linux2 side, promiscuous mode is enabled as follows.

$ echo "[Linux2]"; \
ip a list eth1 | \
sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/g'
[Linux2]
6: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0a:79:9a:c2:e3 brd ff:ff:ff:ff:ff:ff
$ sudo ifconfig eth1 promisc
$ ip a list eth1 | \
sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/g'
6: eth1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:c2:e3 brd ff:ff:ff:ff:ff:ff

■ On the Linux2 side, promiscuous mode is disabled as follows.

$ sudo ifconfig eth1 -promisc
$ ip a list eth1 | \
> sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/g'
6: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:c2:e3 brd ff:ff:ff:ff:ff:ff

■ Configure local SPAN on the Cisco 3750 (Fa1/0/1 is mirrored in both directions to Fa1/0/2).

configure terminal
monitor session 1 source interface fa1/0/1 both
monitor session 1 destination interface fa1/0/2
end

■ Check with promiscuous mode enabled on Linux2; the switch sends one ping to the directed broadcast address

$ sudo ifconfig eth1 promisc up

Switch#ping ip 172.16.16.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.16.255, timeout is 2 seconds:
.

$ sudo tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:02:26.713238 IP 172.16.16.254 > 255.255.255.255: ICMP echo request, id 7, seq 0, length 80

■ Now send to 255.255.255.255 from Linux1 and capture on Linux2.
Because tcpdump enables promiscuous mode itself, the result is the same whether or not the NIC was put into promiscuous mode beforehand.

$ sudo ping -b 255.255.255.255 -c 2 -I eth1
WARNING: pinging broadcast address
PING 255.255.255.255 (255.255.255.255) from 172.16.16.88 eth1: 56(84) bytes of data.
64 bytes from 172.16.16.254: icmp_seq=1 ttl=255 time=1.81 ms
64 bytes from 172.16.16.254: icmp_seq=2 ttl=255 time=0.818 ms

--- 255.255.255.255 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.818/1.318/1.819/0.501 ms

$ sudo ifconfig eth1 0.0.0.0 promisc
$ sudo tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:26:16.282436 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 4939, seq 1, length 64
23:26:16.284111 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 4939, seq 1, length 64
23:26:17.283370 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 4939, seq 2, length 64
23:26:17.284071 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 4939, seq 2, length 64

$ sudo ping -b 255.255.255.255 -c 2 -I eth1
WARNING: pinging broadcast address
PING 255.255.255.255 (255.255.255.255) from 172.16.16.88 eth1: 56(84) bytes of data.
64 bytes from 172.16.16.254: icmp_seq=1 ttl=255 time=0.742 ms
64 bytes from 172.16.16.254: icmp_seq=2 ttl=255 time=2.48 ms

--- 255.255.255.255 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.742/1.612/2.483/0.871 ms

$ sudo ifconfig eth1 0.0.0.0 -promisc
$ sudo tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:27:40.889469 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 4944, seq 1, length 64
23:27:40.890100 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 4944, seq 1, length 64
23:27:41.889673 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 4944, seq 2, length 64
23:27:41.892162 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 4944, seq 2, length 64

■ Next, disable tcpdump's promiscuous mode with "-p".
In this case the NIC's own promiscuous setting makes the difference: with the NIC not in promiscuous mode, the mirrored unicast replies (addressed to Linux1, not to Linux2) are dropped and only the broadcast requests are captured.

$ sudo ifconfig eth1 0.0.0.0 promisc
$ sudo tcpdump -i eth1 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:29.250623 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5012, seq 1, length 64
23:35:29.250989 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 5012, seq 1, length 64
23:35:30.249666 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5012, seq 2, length 64
23:35:30.250034 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 5012, seq 2, length 64

$ sudo ifconfig eth1 0.0.0.0 -promisc
$ sudo tcpdump -i eth1 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:05.544735 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5010, seq 1, length 64
23:35:06.545450 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5010, seq 2, length 64

■ The man page's remark that "the interface might be put into promiscuous mode for some other reason" refers to exactly this "ifconfig eth1 promisc" (the Japanese man page output is quoted as-is).

$ man tcpdump 2>/dev/null | grep -A 3 ' -p '
       -p     無差別透過モードを 利用しない。しかしながら、他の理由でインター
              フェイスが無差別透過モードになってしまうこともあることに注意する
              こと。 このため '-p' オプションは 'ether host {loca-lw-addr} or
              ether broadcast' の省略形としては使用できない。

■ The "other reason" is that the mode is switched on and off in the kernel, which logs each transition.

$ sudo ifconfig eth1 promisc up ;dmesg | tail -1
[ 6955.477104] device eth1 entered promiscuous mode
$ sudo ifconfig eth1 -promisc up ;dmesg | tail -1
[ 7190.395117] device eth1 left promiscuous mode

■ Starting tcpdump with its defaults and stopping it produce the same transitions:
"entered promiscuous mode" when tcpdump starts, and "left promiscuous mode" when it exits.

$ sudo tcpdump -i eth1 -n -c2;dmesg | tail -2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:08:44.606684 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5408, seq 1, length 64
00:08:44.607105 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 5408, seq 1, length 64
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[ 8221.738872] device eth1 entered promiscuous mode
[ 8239.777312] device eth1 left promiscuous mode

■ Starting and stopping "tcpdump -p" performs no promiscuous-mode handling at all; the two dmesg lines below are the old ones from the previous run, unchanged.

$ sudo tcpdump -i eth1 -n -p -c2;dmesg | tail -2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:09:16.423298 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5410, seq 1, length 64
00:09:17.422298 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5410, seq 2, length 64
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[ 8221.738872] device eth1 entered promiscuous mode
[ 8239.777312] device eth1 left promiscuous mode

■ Clearing the dmesg ring buffer first makes this unambiguous: nothing is logged for the "-p" run.

$ sudo dmesg -c > /dev/null;sudo tcpdump -i eth1 -n -p -c2;sudo dmesg -c | tail -2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:16:41.926525 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5470, seq 1, length 64
00:16:42.925514 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5470, seq 2, length 64
2 packets captured
2 packets received by filter
0 packets dropped by kernel

■ With the NIC in promiscuous mode, assigning it an IP address as follows causes no problem either; "tcpdump -p" still sees the mirrored replies.

$ sudo ifconfig eth1 172.16.16.89/24 promisc up
$ sudo tcpdump -i eth1 -n -p -c4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:21:57.796137 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5504, seq 1, length 64
00:21:57.796478 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 5504, seq 1, length 64
00:21:58.796722 IP 172.16.16.88 > 255.255.255.255: ICMP echo request, id 5504, seq 2, length 64
00:21:58.797077 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 5504, seq 2, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
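The two findings above, the four NIC/"-p" combinations and the kernel's own record of promiscuous state, can be checked without a switch. The following is an added example written for this page, not code from the original post: it models the NIC receive filter on the SPAN destination host (which is why a capture host that is not promiscuous silently loses the mirrored unicast replies), parses the "entered/left promiscuous mode" dmesg lines, and decodes IFF_PROMISC from /sys/class/net/<if>/flags. The MAC addresses and the unrelated dmesg line are constructed placeholders; the four "device eth1 ..." lines are the ones quoted above; `eth1` in the main block is only an assumed interface name.

```python
"""Model of what a capture host on a SPAN destination port actually sees,
plus the kernel's view of promiscuous mode (added example, not the post's code)."""
import re

IFF_PROMISC = 0x100                  # bit value from <linux/if.h>
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def effective_promisc(nic_promisc: bool, tcpdump_p: bool) -> bool:
    """tcpdump without -p asks the kernel for promiscuous mode itself; with -p
    it inherits whatever the NIC was already set to (e.g. via ifconfig)."""
    return nic_promisc or not tcpdump_p


def nic_accepts(dst_mac: str, own_mac: str, promisc: bool) -> bool:
    """Receive filter of a NIC: promiscuous passes every frame up; otherwise
    only unicast to our own MAC, broadcast, and group (multicast) addresses."""
    if promisc:
        return True
    d = dst_mac.lower()
    group_bit = int(d.split(":")[0], 16) & 1   # set for multicast and broadcast
    return d == own_mac.lower() or d == BROADCAST_MAC or group_bit == 1


def captured(frames, own_mac, nic_promisc, tcpdump_p):
    """Frames tcpdump would print on this host under the given settings."""
    promisc = effective_promisc(nic_promisc, tcpdump_p)
    return [f for f in frames if nic_accepts(f["dst"], own_mac, promisc)]


# Constructed sample: the two mirrored frames of one broadcast ping, as seen on
# Linux2 (SPAN destination). MACs are placeholders, not the real addresses.
LINUX1_MAC = "02:00:00:00:10:ca"
LINUX2_MAC = "02:00:00:00:c2:e3"
FRAMES = [
    {"dst": BROADCAST_MAC, "desc": "IP 172.16.16.88 > 255.255.255.255: ICMP echo request"},
    {"dst": LINUX1_MAC,    "desc": "IP 172.16.16.254 > 172.16.16.88: ICMP echo reply"},
]


def matrix():
    """Frames seen for all four (nic_promisc, tcpdump -p) combinations."""
    return {(nic, p): len(captured(FRAMES, LINUX2_MAC, nic, p))
            for nic in (True, False) for p in (True, False)}


DMESG_RE = re.compile(r"^\[\s*(\d+\.\d+)\] device (\S+) (entered|left) promiscuous mode$")


def promisc_events(dmesg_lines):
    """(timestamp, interface, entered) for every promiscuous transition logged."""
    events = []
    for line in dmesg_lines:
        m = DMESG_RE.match(line.rstrip("\n"))
        if m:
            events.append((float(m.group(1)), m.group(2), m.group(3) == "entered"))
    return events


def promisc_now(dmesg_lines):
    """Last logged state per interface (True = still promiscuous)."""
    state = {}
    for _, iface, entered in promisc_events(dmesg_lines):
        state[iface] = entered
    return state


def is_promisc(flags_text: str) -> bool:
    """Decode the hex flags word from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_iface_promisc(iface: str) -> bool:
    """Authoritative check on a live Linux host (no root needed)."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        return is_promisc(f.read())


# Constructed log excerpt: the four lines quoted in the post plus one unrelated line.
DMESG_SAMPLE = [
    "[ 6955.477104] device eth1 entered promiscuous mode",
    "[ 7190.395117] device eth1 left promiscuous mode",
    "[ 8221.738872] device eth1 entered promiscuous mode",
    "[ 8239.777312] device eth1 left promiscuous mode",
    "[ 8300.000000] random: crng init done",
]

if __name__ == "__main__":
    for (nic, p), n in matrix().items():
        print(f"NIC promisc={nic!s:5} tcpdump -p={p!s:5} -> {n} of {len(FRAMES)} frames captured")
    print("state from dmesg:", promisc_now(DMESG_SAMPLE))
    try:                              # assumed interface name; skip if absent
        print("eth1 promiscuous now:", read_iface_promisc("eth1"))
    except OSError as e:
        print("eth1 not present:", e)
```

The matrix reproduces the post: only the combination "NIC not promiscuous and tcpdump -p" loses the echo replies, because their destination MAC is Linux1's, not the capture host's. The flags check is the one to put in a monitoring job: a NIC that reports IFF_PROMISC while no capture is scheduled is worth an alert, and the dmesg parser gives the timeline of who turned it on.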