Mirror / SPAN port configuration
Last updated
Last updated
With a deployed BluSapphire Sensor, you can monitor the network traffic using port mirroring. This allows BluSapphire to perform analysis on the network traffic, which aids in the detection of threats in your environment.
By configuring a mirror port on your virtual switch or physical network device, you can clone all traffic to a single port. After configuration, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port. The BluSapphire Sensor immediately starts receiving events from the device through the port and begins its analysis.
Complete the two following tasks to set up port mirroring on a Windows Server 2012 R2 or Windows Server 2016 Hyper-V host.
Important: Before you configure port mirroring on a Windows Server 2012 R2 VM, make sure that the Microsoft packet sniffing tool hotfix is applied.
To configure the virtual machine you want to use to capture mirrored traffic
Open the Microsoft Hyper-V Manager and right-click the machine that you want to use to capture mirrored traffic.
Select Settings.
Expand the associated network adapter and select Advanced Features.
Scroll to the Port mirroring section and set the Mirroring mode to Destination.
Click Apply and OK.
To configure the mirror port
Open the Windows PowerShell console.
Enter the following:
$a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
$a.SettingData.MonitorMode = 2
add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <virtual_switch_name> -VMSwitchExtensionFeature $a
Important: Be aware that, if you enable promiscuous mode for a physical port, it directs all the traffic received on that port towards the virtual machine destination.
If your environment uses a Virtual LAN to route traffic, you will also need to configure Hyper-V to accept packets from the designated VLAN ID range.
To set up VLAN port mirroring
In Hyper-V Guest, create a Network Interface Controller (NIC) designated "management" with the following PowerShell command
Add-VMNetworkAdapter -VMName <VirtualMachineName> -Name "Management"
Add the port you will use as a mirror
Add-VMNetworkAdapter -Vmname <VirtualMachineName> -name "Mirror"
If you have multiple NICs you are mirroring, repeate this step for each NIC.
Add the VLAN ID ranges that will be mirrored
Set-VMNetworkAdapterVlan -VMName VIRTUALMACHINENAME -VMNetworkAdapterName "mirror" -trunk -allowedvlanidlist <VLAN-ID-Range> -nativevlanid <VLAN-ID-Range>
Important: The NIC needs to be created, named, and tagged with VLAN ID ranges as a guest in Hyper-V. If the NIC is not named and tagged properly, it can create errors in the guest system.
For BluSapphire Sensor to monitor traffic from your physical network, you need to allocate a spare NIC (Network Interface Card) on your VMware server to pass the SPAN port traffic to the virtual network. BluSapphire recommends that you SPAN your internal firewall ports, connect the SPAN port to the spare NIC, and then associate the spare NIC with a vSwitch.
Note: The following procedure is based on the ESXi 6.5 Web Client. If you are using a different client or an earlier version of VMware products, please consult the vendor documentation accordingly.
To monitor network traffic through a vSwitch
Direct traffic from your physical network to the virtual network.
Enable port mirroring on the network you want BluSapphire Sensor to monitor.
Allocate a spare NIC on your VMware server to receive the mirrored traffic.
Associate your spare NIC with the vSwitch.
In the ESXi 6.5 Web Client, click Networking in the Navigator and select the Port groupstab.
Note: In VMware terminology, a port group acts like a network hub, making the network traffic undergoing the vSwitch visible to all interfaces connected to this port group.
Click Add port group.
Enter a name for the port group.
In VLAN ID, select 4095 for the VGT (Virtual Guest Tagging) mode.
See VLAN Configuration in the VMware documentation for more information about VLAN tagging modes.
In Virtual switch, select the vSwitch associated with the spare NIC configured in Step 1.
Expand the Security section and set Promiscuous mode to Accept.
This setting assures any virtual interface connected to this port group will be able to enter promiscuous mode and capture traffic from any other virtual interfaces connected to the vSwitch.
Click Add to create the port group.
Next, you need to make sure that the BluSapphire Sensor is connected to one or more interfaces in the port group.
Repeat the steps for every vSwitch you want to monitor.
You can configure a mirror port for a Check Point deployment that includes a Security Management Server, a gateway, and a SmartDashboard. The mirror port duplicates the network traffic and records the activity in logs.
Use these procedures to configure a Check Point Gateway Switch for port mirroring.
To configure the device
Open the VMware Security Gateway.
From the command line, run
sysconfig
Select Network Connections.
Select Configure Connections.
Select the interface to configure as the mirror port.
This is the one that you connected.
Select Define as connected to a mirror port.
Enable the Application Control blade in the SmartDashboard.
You can also enable the IPS blade to see IPS traffic.
Note: If you only want to enable the IPS blade, you must activate at least one HTTP protection.
Install the Policy.
To verify the configuration
Browse to any website, such as Google.
Open SmartView Tracker.
Verify that you see traffic from the blade you enabled.
To learn more about configuring a mirror port on a Check Point gateway, refer to the Check Point documentation on the vendor website.
The Cisco ASA 5505 Adaptive Security Appliance supports SPAN, also known as switch port monitoring, to monitor traffic that enters or exits one or more switch ports. The port where you enable SPAN (destination port) receives a copy of every packet transmitted or received on a specified source port. You can only enable SPAN for one destination port.
Note: BluSapphire Sensor supports both SPAN and RSPAN. It does not support ERSPAN.
To configure the device
Open a monitoring session.
Configure the interface.
#interface <port>
Specify the destination port.
#switchport monitor<destination_port>
Specify the source port.
#switchport monitor<source_port>
To learn more about configuring port mirroring in the Cisco ASA 5505 device, refer to the Cisco ASA 5500-X Series Firewalls - Configuration Guides on the vendor website.
The Cisco Nexus 5000 Series switch supports the switched port analyzer (SPAN) feature, which allows an administrator to analyze all traffic between ports by non-intrusively directing the SPAN session traffic to a SPAN destination port that has an external analyzer attached to it. A source port, also called a monitored port, is a switched interface that you monitor for network traffic analysis. The switch supports any number of ingress source ports (up to the maximum number of available ports on the switch) and any number of source VLANs or VSANs.
Note: BluSapphire Sensor supports both SPAN and RSPAN. It does not support ERSPAN.
To configure the device
Open a monitor session.
Enter global configuration mode.
#configure terminal
Enter interface configuration mode for the specified Ethernet interface selected by the port values.
#interface ethernet [port]
Set the interface to monitor mode.
#switchport monitor
Note: Priority flow control is disabled when the port is configured as a SPAN destination.
Revert the global configuration mode.
#exit
Enter monitor configuration mode.
#monitor session [session-number]
Configure the Ethernet destination port.
#destination interface ethernet [port]
To learn more about configuring port mirroring for the Cisco Nexus device, refer to the Configuring SPAN section of the Cisco Nexus 5000 Series NX-OS Software Configuration Guide on the vendor website.
Cisco switches support a feature known as a Switched Port Analyzer (SPAN) which enables traffic received on an interface or virtual local area network (VLAN) to be sent to a single physical port. SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another remote switch, it uses Remote SPAN (RSPAN). If the destination requires crossing one or more IP networks, some switches can use Encapsulated Remote SPAN (ERSPAN).
Important: BluSapphire Sensor supports both SPAN and RSPAN. It does not support ERSPAN.
To configure port and VLAN mirroring
On the device, select Administration > Diagnostics > Port and VLAN Mirroring.
If your switch supports RSPAN, complete these steps:
RSPAN VLAN: Select Enable to enable RSPAN VLAN mirroring.
RSPAN VLAN ID: Select the VLAN to be mirrored.
Note: When you configure a RSPAN mirroring session, you should select this VLAN as the RSPAN VLAN.
Click Add to add a SPAN or RSPAN mirroring session.
Provide the mirror session information:
Session ID: Select the identifier for the mirroring session.
Session Type: Select the appropriate option:
Local Port Based: Copies Tx, Rx, or both Tx and Rx traffic from each port to the destination port.
Local VLAN Based: Copies traffic from the local VLAN to the destination port.
RSPAN Source Session: Uses a VLAN to copy traffic from a source port or a source VLAN to another device.
RSPAN Destination Session: Uses a VLAN to copy traffic from a destination port to another device.
Based on the selected session type, specify the parameters for the session.

Destination Port: Select the analyzer port as the destination for the copied packets.
A network analyzer, such as a PC running Wireshark, is connected to this port.
Note: Any port identified as an analyzer destination remains such until all the entries have been removed.
Allow Ingress Packets: Select Enable to enable the destination port to receive uncopied ingress packets.
Source Port: Select the source ports for the mirrored traffic and the type of traffic to be mirrored to the analyzer port:
Rx Only: Port mirroring on incoming packets.
Tx Only: Port mirroring on outgoing packets.
Tx and Rx: Port mirroring on both incoming and outgoing packets.
N/A: Traffic from this port is not mirrored.

Destination Port: Select the analyzer port to where packets are copied.
Allow Ingress Packets: Select Enable to enable the destination port to receive ingress packets that are not copied.
VLAN: Select the source VLAN from where traffic is mirrored.

RSPAN VLAN: Select the VLAN to be used to copy traffic to another device.
This VLAN should be the same as the VLAN defined in the RSPAN VLAN ID field.
Reflector Port: Select the port or Link Aggregation Group (LAG) to be connected to another device.
Source Type: Select Port or VLAN as the source port or source VLAN.
If Port is selected, set the source ports for the mirrored traffic and the type of traffic to be mirrored to the analyzer port.
Rx Only: Port mirroring on incoming packets.
Tx Only: Port mirroring on outgoing packets.
Tx and Rx: Port mirroring on both incoming and outgoing packets.
N/A: Traffic from this port is not mirrored.
If VLAN is selected, select a source VLAN.
VLAN: Select a VLAN as the source VLAN.

RSPAN VLAN: Select the VLAN to be used to copy traffic to another device.
This VLAN should be same as the VLAN defined in the RSPAN VLAN ID field.
Destination Port: Select the analyzer port as the destination for the copied packets.
Allow Ingress Packets: Select Enable to enable the destination port to receive ingress packets that are not copied.
Click Apply.
This updates the running configuration.
See SG220-50P Switch documentation on the vendor website to learn more about configuring port mirroring on the Cisco SGxxx Series devices.
The Dell Networking Force10 Switches support port monitoring on both physical and logical interfaces, such as a virtual local area network (VLAN) and port channel. The monitored (the source) and monitoring ports (the destination) must be on the same switch.
To configure the device
Enter configuration mode:
#configure
Enter the destination port to use for the monitoring session, and confirm that it has no configuration:
#interface te 0/2
Remove any IP addresses that may have previously been configured:
#no ip address
Enable the port:
#no shutdown
Exit the destination port interface:
#exit
Set up and identify the session number (range is from 0 - 65535):
#monitor session 0
Configure the source, the port you want to monitor, the destination port you want to send the monitored packets to, and the direction (both, Rx, or Tx):
#source te 0/1 destination te 0/2 direction both
Verify that port monitoring is active:
#show monitor session 0
You can configure port mirroring on the SonicWALL NSA 2400MX to send a copy of network packets seen on one or more switch ports (or on a virtual local area network [VLAN]) to another switch port, called the mirror port. By connecting to the mirror port, you can monitor the traffic passing through the mirrored ports.
Note: A VLAN trunk port can be mirrored, but cannot act as a mirror port itself.
To create a new port mirroring group
Go to Switching > Port Mirroring.
Click New Group.
In the Edit Mirror Group dialog box, enter a descriptive name for the group into the Interface Group Name field.
For Direction, select one of the following:
ingress — Monitors traffic arriving on the mirrored ports.
egress — Monitors traffic being sent from the mirrored ports.
both — Monitors traffic in both directions on the mirrored ports.
In the All Interfaces list, select the port to use to mirror the traffic, then click the upper right-arrow button to move it to the Mirror Port field.
You must use an unassigned port as the mirror port.
In the All Interfaces list, select one or more ports to monitor, and click the lower right-arrow button to move them to the Mirrored Ports field.
You will be able to monitor traffic on the mirrored ports by connecting to the mirror port.
Select the Enable checkbox to enable port mirroring for these ports.
Click OK.
This procedure explains how to configure Fortinet FortiGate switches for port mirroring on models with built-in hardware switches (for example, the FortiGate-100D, 140D, and 200D), using the Switch Port Analyzer (SPAN) feature.
To configure SPAN through the CLI
Enter the following:
config system virtual-switch
edit <port>
set span enable
set span-source-port <port>
set span-dest-port <port>
set span-direction {both | Tx | Rx}
end
end
To configure SPAN through the web UI
Go to System > Network > Interfaces.
Edit a hardware switch interface.
By default, the system may have a hardware switch interface called a LAN. You can also create a new hardware switch interface.
Select the SPAN checkbox, then select a source port from which you want traffic mirrored.
Select one of the following:
Traffic received
Traffic sent
Both
See the Knowledge Base article on the vendor website to learn more about configuring port mirroring on Fortinet-FortiGate Switches.
Getting Started with VPC Traffic Mirroring
Let’s review the key elements of VPC Traffic Mirroring and then set it up:
Mirror Source – An AWS network resource that exists within a particular VPC, and that can be used as the source of traffic. VPC Traffic Mirroring supports the use of Elastic Network Interfaces (ENIs) as mirror sources.
Mirror Target – An ENI or Network Load Balancer that serves as a destination for the mirrored traffic. The target can be in the same AWS account as the Mirror Source, or in a different account for implementation of the central-VPC model that I mentioned above.
Mirror Filter – A specification of the inbound or outbound (with respect to the source) traffic that is to be captured (accepted) or skipped (rejected). The filter can specify a protocol, ranges for the source and destination ports, and CIDR blocks for the source and destination. Rules are numbered, and processed in order within the scope of a particular Mirror Session.
Traffic Mirror Session – A connection between a mirror source and target that makes use of a filter. Sessions are numbered, evaluated in order, and the first match (accept or reject) is used to determine the fate of the packet. A given packet is sent to at most one target.
You can set this up using the VPC Console, EC2 CLI, or the EC2 API, with CloudFormation support in the works. I’ll use the Console.
I already have ENI that I will use as my mirror source and destination (in a real-world use case I would probably use an NLB destination):
The MirrorTestENI_Source and MirrorTestENI_Destination ENIs are already attached to suitable EC2 instances. I open the VPC Console and scroll down to the Traffic Mirroring items, then click Mirror Targets:
I click Create traffic mirror target:
I enter a name and description, choose the Network Interface target type, and select my ENI from the menu. I add a Blog tag to my target, as is my practice, and click Create:
My target is created and ready to use:
Now I click Mirror Filters and Create traffic mirror filter. I create a simple filter that captures inbound traffic on three ports (22, 80, and 443), and click Create:
Again, it is created and ready to use in seconds:
Next, I click Mirror Sessions and Create traffic mirror session. I create a session that uses MirrorTestENI_Source, MainTarget, and MyFilter, allow AWS to choose the VXLAN network identifier, and indicate that I want the entire packet mirrored:
And I am all set. Traffic from my mirror source that matches my filter is encapsulated as specified in RFC 7348 and delivered to my mirror target. I can then use tools like Suricata to capture, analyze, and visualize it.
Things to Know
Here are a couple of things to keep in mind:
Sessions Per ENI – You can have up to three active sessions on each ENI.
Cross-VPC – The source and target ENIs can be in distinct VPCs as long as they are peered to each other or connected through Transit Gateway.
Scaling & HA – In most cases you should plan to mirror traffic to a Network Load Balancer and then run your capture & analysis tools on an Auto Scaled fleet of EC2 instances behind it.
Bandwidth – The replicated traffic generated by each instance will count against the overall bandwidth available to the instance. If traffic congestion occurs, mirrored traffic will be dropped first.