An interesting network tool available within an AWS VPC is traffic mirroring. Traffic mirroring copies traffic from a particular ENI (Elastic Network Interface) to a particular destination. A traffic mirror session needs to be created, and the following items are required to complete it:

  • A source network interface
  • A target (the mirror destination)
  • A filter to define the network traffic that requires copying. If no rules are added, no traffic is mirrored

Identifying the network interface ID required

  1. Go to the EC2 menu and choose Instances under the Instances section.
  1. Choose the required instance and click the Networking tab.
  1. Scroll down to the Network Interfaces section and take note of the Interface ID. Repeat the process if multiple interfaces are needed.

Creating the traffic mirroring target

  1. Choose Mirror targets from the Traffic Mirroring section of the VPC services menu.
  1. Click the Create traffic mirror target option.
  1. Enter the name of the target and choose the appropriate target type; in this case, a Network Interface is used.
  1. Choose the appropriate network interface.
  1. Add any tags needed and click Create.

Once the mirror target is created, the console shows the new target (screenshot omitted).

Creating the traffic mirroring filter

  1. Choose Mirror filters from the Traffic Mirroring section of the VPC services menu.
  1. Click the Create traffic mirror filter option.
  1. Enter the name and description of the traffic mirror filter. If you need to capture network services traffic, including DNS resolution to the Amazon DNS service, tick the amazon-dns box.
  1. Click Add rule in the Inbound rules section if you want to capture inbound traffic.
  1. Enter the following details to capture the required traffic, then click Add rule:
  • The number is used for rule prioritization. The lowest value is evaluated first. You can change the priority using the sort rules option.
  • Rule action can be either Accept or Reject.
  • Protocol can be All protocols or a specific one such as TCP, UDP or ICMP. (Note these are protocols, not applications.)
  • Source/Destination port range can be a specific number or a whole range.
  • Source/Destination CIDR block refers to the source and destination IPs.
  • Description is a reference for the specific rule.

As an example of the rule syntax, the first screenshot shows a rule set that mirrors inbound HTTP traffic, while in the second example HTTP is dropped (Reject) but HTTPS is mirrored (Accept). (Screenshots omitted.)

  1. Repeat the process for the outbound rules if required.
  1. Click the Add new tag option if any tags are required; otherwise, click the Create button.
  1. Once created, click the Close button.
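To make the rule semantics above concrete, here is a small added example (not code from the original post or from AWS) that models a filter locally: it builds the parameters that boto3's ec2.create_traffic_mirror_filter_rule() expects for each rule, and evaluates a constructed rule set the way the post describes (per direction, lowest rule number first, first match decides, and traffic matching no rule is not mirrored). The evaluator is an assumption about AWS behaviour used for illustration; nothing here calls AWS, and the filter id tmf-EXAMPLE is a placeholder.

```python
"""Local model of a VPC traffic mirror filter (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple plus direction relative to the mirrored ENI."""
    direction: str          # "ingress" (inbound) or "egress" (outbound)
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class MirrorRule:
    direction: str                      # "ingress" or "egress"
    number: int                         # lowest number is evaluated first
    action: str                         # "accept" (mirror) or "reject" (drop)
    protocol: Optional[int] = None      # None = all protocols
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    description: str = ""

    def to_boto3_kwargs(self, filter_id: str) -> dict:
        """Keyword arguments for ec2.create_traffic_mirror_filter_rule()."""
        kw = {
            "TrafficMirrorFilterId": filter_id,
            "TrafficDirection": self.direction,
            "RuleNumber": self.number,
            "RuleAction": self.action,
            "SourceCidrBlock": self.src_cidr,
            "DestinationCidrBlock": self.dst_cidr,
            "Description": self.description,
        }
        if self.protocol is not None:
            kw["Protocol"] = self.protocol
        # Port ranges only make sense for TCP and UDP rules.
        if self.protocol in (PROTO_TCP, PROTO_UDP):
            kw["SourcePortRange"] = {"FromPort": self.src_ports[0], "ToPort": self.src_ports[1]}
            kw["DestinationPortRange"] = {"FromPort": self.dst_ports[0], "ToPort": self.dst_ports[1]}
        return kw

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src_ip) not in ip_network(self.src_cidr):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst_cidr):
            return False
        if pkt.protocol in (PROTO_TCP, PROTO_UDP):
            if not self.src_ports[0] <= pkt.src_port <= self.src_ports[1]:
                return False
            if not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]:
                return False
        return True


def is_mirrored(rules, pkt: Packet) -> bool:
    """First matching rule of the packet's direction (ascending number) decides; no match = not mirrored."""
    for rule in sorted((r for r in rules if r.direction == pkt.direction), key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "accept"
    return False


# The post's second screenshot: inbound HTTP dropped, inbound HTTPS mirrored.
# Rule 300 shows why ordering matters: it would accept all TCP, but rule 100
# is evaluated first and rejects HTTP.
EXAMPLE_RULES = [
    MirrorRule("ingress", 100, "reject", PROTO_TCP, dst_ports=(80, 80), description="drop HTTP"),
    MirrorRule("ingress", 200, "accept", PROTO_TCP, dst_ports=(443, 443), description="mirror HTTPS"),
    MirrorRule("ingress", 300, "accept", PROTO_TCP, description="mirror other TCP"),
]

# Constructed sample packets seen at the mirrored ENI (10.0.1.5).
HTTP_IN = Packet("ingress", PROTO_TCP, "203.0.113.7", "10.0.1.5", 51000, 80)
HTTPS_IN = Packet("ingress", PROTO_TCP, "203.0.113.7", "10.0.1.5", 51001, 443)
DNS_IN = Packet("ingress", PROTO_UDP, "203.0.113.7", "10.0.1.5", 51002, 53)
SSH_IN = Packet("ingress", PROTO_TCP, "203.0.113.7", "10.0.1.5", 51003, 22)
HTTPS_OUT = Packet("egress", PROTO_TCP, "10.0.1.5", "203.0.113.7", 51001, 443)

if __name__ == "__main__":
    for name, pkt in [("HTTP in", HTTP_IN), ("HTTPS in", HTTPS_IN), ("DNS in", DNS_IN),
                      ("SSH in", SSH_IN), ("HTTPS out", HTTPS_OUT)]:
        print(f"{name:10s} mirrored={is_mirrored(EXAMPLE_RULES, pkt)}")
    print(EXAMPLE_RULES[0].to_boto3_kwargs("tmf-EXAMPLE"))
```

Two points worth noticing when you run it: the DNS packet is not mirrored even though nothing rejects it, because no rule matches it, and the outbound HTTPS packet is not mirrored because the rule set has no egress rules at all. Both match the post's note that a filter without applicable rules mirrors nothing.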

Creating the traffic mirroring session

  1. Choose Mirror sessions from the Traffic Mirroring section of the VPC services menu.
  1. Click the Create traffic mirror session option.
  1. Enter the name and description for the traffic mirror session.
  1. Enter the mirror source network interface and the previously created mirror target.
  1. Enter the session number and the VNI number associated with the session.
  1. Leave the packet length setting at its default and choose the previously created filter.
  1. Click Add new tag if tagging is required and then click Create.

Once created, the console shows the new session (screenshot omitted).

View the mirrored traffic

The copied traffic is VXLAN-encapsulated (RFC 7348), so the destination tool used to analyze it must decapsulate it. In this case, I will use tcpdump, capture traffic on the VXLAN listening port (UDP 4789) and save the capture into a pcap file called mycapture.

On a Linux machine run sudo tcpdump -nni <interface> -vvv udp dst port 4789 -w mycapture.pcap (with -w the packets are written raw to the file, so -vvv only affects what is printed to the terminal)
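As an added example of the decapsulation step (not code from the original post or from AWS), the following Python reads a classic libpcap file such as the mycapture.pcap written above, keeps only UDP datagrams sent to port 4789, strips the 8-byte VXLAN header and summarises the inner Ethernet/IPv4 frame, checking that the VNI is the one assigned to the mirror session. The capture bytes, MAC addresses, IPs and VNI are constructed for the demonstration; pcapng files and non-Ethernet link types are deliberately rejected rather than guessed at.

```python
"""Decapsulate VXLAN (RFC 7348) frames from a traffic mirror capture (added example)."""
import socket
import struct

VXLAN_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" bit in the first VXLAN header byte


def parse_vxlan(payload: bytes) -> dict:
    """Parse the VXLAN header and the encapsulated Ethernet / IPv4 / TCP-UDP headers."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; not a valid VXLAN header")
    info = {"vni": int.from_bytes(payload[4:7], "big")}   # 24-bit VNI
    inner = payload[8:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    info["dst_mac"] = inner[0:6].hex(":")
    info["src_mac"] = inner[6:12].hex(":")
    info["ethertype"] = struct.unpack("!H", inner[12:14])[0]
    if info["ethertype"] == 0x0800 and len(inner) >= 34:
        ip = inner[14:]
        ihl = (ip[0] & 0x0F) * 4
        info["protocol"] = ip[9]
        info["src_ip"] = socket.inet_ntoa(ip[12:16])
        info["dst_ip"] = socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        if info["protocol"] in (6, 17) and len(l4) >= 4:
            info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def vxlan_payload(frame: bytes):
    """Return the VXLAN payload of an outer Ethernet/IPv4/UDP frame to port 4789, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                       # outer transport is not UDP
        return None
    udp = ip[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != VXLAN_PORT:
        return None
    return udp[8:]


def iter_pcap_frames(data: bytes):
    """Yield each captured frame from classic libpcap bytes (either byte order, Ethernet only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not supported here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are supported")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decapsulate_capture(pcap_bytes: bytes, session_vni: int) -> list:
    """Decapsulate every VXLAN datagram; flag frames whose VNI is not our session's."""
    results = []
    for frame in iter_pcap_frames(pcap_bytes):
        payload = vxlan_payload(frame)
        if payload is None:
            continue
        info = parse_vxlan(payload)
        info["vni_ok"] = info["vni"] == session_vni
        results.append(info)
    return results


def build_sample_pcap(vni: int) -> bytes:
    """Constructed sample: one mirrored HTTPS SYN (10.0.1.5 -> 172.16.0.9) plus one ARP frame."""
    def ip4(proto, src, dst, length):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 1, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    mac = bytes.fromhex
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = mac("0a0000000002") + mac("0a0000000001") + b"\x08\x00" + ip4(6, "10.0.1.5", "172.16.0.9", len(tcp)) + tcp
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    outer = mac("0a0000000003") + mac("0a0000000001") + b"\x08\x00" + ip4(17, "10.0.1.5", "10.0.2.20", len(udp)) + udp
    arp_noise = mac("ffffffffffff") + mac("0a0000000001") + b"\x08\x06" + b"\x00" * 28
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # libpcap global header
    for frame in (outer, arp_noise):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for entry in decapsulate_capture(build_sample_pcap(1234), session_vni=1234):
        print(entry)
```

To run it against a real capture, replace build_sample_pcap(...) with the bytes of mycapture.pcap and pass the VNI you entered when creating the session; entries with vni_ok False are datagrams from some other mirror session sharing the same target.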

On a Windows machine you can use Wireshark, which can be installed from https://www.wireshark.org/download.html

Other tools that can be used to analyze the captured traffic include Zeek, Suricata, Netscout and JASK. A good list of tools can be found at https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/

Monitoring the mirrored traffic

CloudWatch supports multiple metrics, which include the number of bytes mirrored in/out and the number of incoming/outgoing mirrored packets. The same packet and byte metrics are also available for skipped mirror traffic.