VMware port mirroring session question

[lravelo]

I'm standing up a new SO environment and will be running a bare metal forward node. I need to be able to capture all traffic in and out of a specific VM for some troubleshooting but all of the traffic that I'm interested in looking at is all L2. Is it possible to use the Encapsulated Remote Mirroring (L3) Source port mirroring session type (not sure if the sniffing interface on the forward node can be IP'd)? The only reason I'm curious about this is because I run Cisco UCS blades and the uplinks in VMware are actually virtual interfaces and I'm not sure the traffic will reach the physical interfaces connected to our core switches. I'm open to alternative suggestions about how to make this work.

Thanks in advance.

[InfosecGoon]

Would it be possible to mirror the desired traffic to a physical interface on your VMWare infrastructure and then connect it to a monitoring interface on the forward node?

The reason I'm asking is that if you're looking for L2 traffic, you probably want to pull it out of steno, and things get a little hairy in there trying to differentiate between tunnel IPs and actual traffic IPs when retrieving captures. I believe Zeek and Suri can decapsulate the traffic natively but it doesn't sound like that's your use case.

--Matt

[lravelo]

I mean I probably could but it seems so overly complex to do something like that. It would basically go from the distributed port in question over to one of the host uplinks, the host uplinks are actually virtual interfaces on my UCS chassis so will need to do another port mirroring session there to send the traffic to the physical uplinks, then configure port mirroring on my Nexus 9k and point it to the interface that the forward node's sniffing interface is plugged into.

It would be awesome if I could just configure an IP on the sniffing interface and then just have VMware send all the traffic there. I tried to IP it but it wouldn't take so I figured that it isn't as trivial.

[InfosecGoon]

If you have an additional interface in the forward node, you may be able to do something like this:

http://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/

This is a few years old, obviously, so it's not about the current version of Security Onion, but the technique is basically to IP an interface, send the tunneled traffic to it, and then create a virtual interface on the other end of a decapsulation process. If that works, you should be able to add the virtual interface to the monitoring bond interface in SO with so-monitor-add.

I haven't tested this - I would strongly recommend trying it in a non-production environment first. Maybe spin up another forward node in a VM just for this purpose.

[lravelo]

I will give this a shot and see if it works. Thank you for this! Something like this is exactly what I was looking for albeit I was hoping that I didn't have to spare another interface for it.