Possible to port mirror or duplicate packets?
-
I have a strange question…
Is it possible to "port mirror" or duplicate packets using pfSense?
For example, whenever packets match a certain filter (i.e. TCP ADDR 192.168.0.25, port 80), duplicate that packet to another IP address, etc.
Does that make sense? It's sorta like a poor-man's port filtering.
-
What are you trying to do with the duplicated packet?
I do this at the switch level - Cisco calls it "port monitoring". I had ntop installed on pfSense and connected to the mirrored port on the switch.
-Lou
-
Yeah, I'm having a problem with my switch. It's a Dell PowerConnect 2824 managed switch, and it supports port mirroring, but on my "low end" model it doesn't allow mirroring if VLANs are enabled, which I use.
What I'm trying to do is send any SIP INVITE packets to a sniffer application to read the caller id and broadcast it on my network (for call notifications, etc).
I'd rather not set up a full SIP proxy or anything… The SIP sniffer I have already reads caller id so I just need to get those packets to my sniffer and my VoIP adapter (of course).
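
The selection described in the post above (pick out SIP INVITE requests and read the caller ID from the From header), as an added Python example that is not part of the original thread and is not the poster's sniffer. `parse_invite` and the sample packet are constructed for illustration; folded (multi-line) headers are not handled.

```python
import re

# Header names are case-insensitive; "f" is the compact form of From (RFC 3261).
_FROM = re.compile(r"^(?:from|f)[ \t]*:[ \t]*(.*)$", re.I)
# name-addr: optional quoted or bare display name, then <uri>
_NAME_ADDR = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|([^<"]*?))\s*<([^>]+)>')
# User part of a sip:/sips: URI (an optional password is skipped), or a tel: number
_USER = re.compile(r"^(?:sips?:([^@:;]+)(?::[^@]*)?@|tel:([^;]+))", re.I)

# Constructed sample payload (documentation addresses), not captured traffic.
SAMPLE_INVITE = (
    b"INVITE sip:100@192.168.0.25 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    b'From: "Alice Example" <sip:5551234@203.0.113.10>;tag=1928301774\r\n'
    b"To: <sip:100@192.168.0.25>\r\n"
    b"Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_invite(payload: bytes):
    """Return {'name', 'number', 'uri'} for a SIP INVITE request, else None."""
    text = payload.decode("utf-8", errors="replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")  # headers only, no SDP body
    # Request line is "INVITE <request-uri> SIP/2.0"; responses start with "SIP/2.0",
    # so a "200 OK" whose CSeq mentions INVITE is correctly rejected here.
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "INVITE" or not parts[2].startswith("SIP/"):
        return None
    for line in lines[1:]:
        m = _FROM.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        na = _NAME_ADDR.match(value)
        if na:
            name = (na.group(1) if na.group(1) is not None else na.group(2)).strip()
            uri = na.group(3)
        else:
            # addr-spec form without angle brackets: header parameters follow ';'
            name, uri = "", value.split(";", 1)[0].strip()
        u = _USER.match(uri)
        number = (u.group(1) or u.group(2)) if u else ""
        return {"name": name, "number": number, "uri": uri}
    return None  # an INVITE without a From header is malformed
```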
-
Not sure if you can do it with just one port, but if you bridge two ports together you can add a third port as a "span" port and it receives copies of every frame transmitted across the bridge.
-
I'm still somewhat of a pfSense newbie, but since there is no obvious "rule" (would be nice if there was PASS, BLOCK, REJECT, MIRROR :) ), not sure if you can do this. You could "rig" it up in a pinch using a hub… I know, far less than ideal but if it limps you along in the meantime while you figure something else out, it's worth contemplating at the least.