Traffic mirror provides a traffic collection service that enables you to filter the traffic from the specified ENI using 5-tuple and other rules. Then you can copy the filtered traffic to CVM instances in the same VPC. This feature is applicable to use cases including security audit, risk monitoring, troubleshooting and business analysis. This document describes how to create a traffic mirror.
The traffic mirror feature is currently in beta. If you want to try it out, please submit a ticket. Please save the link to the Traffic Mirror console for later logins, otherwise you may need to apply again.
Make sure that both the collected IP and receiving IP are in the same VPC and the collected IP has a route table pointing to the receiving IP.
Step 1: create a traffic mirror source
Open the link you obtained after submitting a ticket and log in to the Traffic Mirror console. In the top Region selector, choose the region where the traffic mirror will be created.
Up to 5 traffic mirrors can be created in one VPC.
In the pop-up window, configure as follows:
- Enter a name for the traffic mirror, which cannot exceed 60 characters.
- Choose Network.
- Choose Collection Range:
- Virtual Private Cloud: all traffic in the VPC except for the mirrored traffic of receiving IPs will be collected, which usually applies to the full mirror scenario.
- Subnet: all traffic in the VPC subnet except for the mirrored traffic of receiving IPs will be collected. This option requires selecting specific subnets.
- ENI: all traffic in the VPC will be collected, but the traffic of the ENI that is bound to receiving IPs will be excluded. This option requires selecting specific ENIs.
- Choose Collection Type: select the traffic direction as needed. There are three options: All traffic, Traffic out and Traffic in.
- Choose Traffic filtering: select a method to filter out unnecessary traffic and keep the mirror small and lightweight.
-N/A: all traffic configured will be collected.
- Quintuple: the traffic that meets 5-tuple conditions will be collected. After this option is selected, please specify Protocol, Source IP range, Destination IP range, Source port, and Destination port. You can click Add to create another filter condition. Only the traffic that meets all of filter conditions will be collected.
- The next hop is the NAT gateway: collect traffic whose next hop address is the NAT gateway. After this option is selected, select the corresponding NAT gateway next to Condition.
After completing the configuration, click Next.
Step 2: create a traffic mirror target
Set the receiving traffic as follows:
After completing the configurations, click OK.
This document takes creating a traffic mirror that collects the outbound traffic of the 10.0.0.14 ENI accessing the www.qq.com website as an example.
- Return to the Traffic mirroring page. If the traffic mirror that you just created is displayed with Collect Traffic enabled, the traffic mirror has been created successfully.
- Perform the following steps to verify whether the collected traffic is mirrored to the receiving IP.
- Generate the ENI traffic. For example, you can log in to the source CVM and run the
ping ***public IP*** command.
- Log in to the destination CVM and run the following commands to capture data and save it as a “.cap” or “.pcap” file. This document uses the “.pcap” file as an example.
tcpdump -i eth0 -w capture-2020-10-27.pcap #Enter the actual file name.
- Use a terminal simulator (such as SecureCRT) to log in to the destination CVM and export the file saved in Step ii.
sz -bye capture-2020-10-27.pcap
- Use a packet parser (such as Wireshark) to obtain data from the “capture-2020-10-27.pcap” file that has been downloaded. In this example, 12 mirrored packets of the source CVM are obtained from the destination CVM.
- If an exceptional packet is obtained, or it’s unable to obtain packets, please submit a ticket.