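1. Mirror the physical switch's traffic to one NIC (eth4) on the Hyper-V host.
2. On the Hyper-V host, create a new virtual switch (Network_Mirror), choose External network, and enable "Microsoft NDIS Capture" under Extensions, configured as shown in the figure below:
3. On the virtual machine you have already created, select the "Network_Mirror" virtual switch, then under Advanced Features set Mirroring mode to "Destination", meaning this VM receives the mirrored traffic.
4. Select the traffic source by running the following PowerShell commands on the Hyper-V host: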
# Select the extension feature: the "Ethernet Switch Port Security Settings" class
$VMSwitchPortFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName 'Ethernet Switch Port Security Settings'
# MonitorMode values: 0 = None, 1 = Destination, 2 = Source
$VMSwitchPortFeature.SettingData.MonitorMode = 2
# Add the feature to the external port of the virtual switch
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName 'Network_Mirror' -VMSwitchExtensionFeature $VMSwitchPortFeature
Note: All traffic hitting the Hyper-V host is also hitting the external port of the virtual switch. However for the NIC on the VM to get these packets, we need to now “mirror” this Switch port (on the Virtual switch) to let him know that he has to forward the packets onto the “DESTINATION” we had configured earlier.
5. On the virtual machine (CentOS), run the following command to capture the mirrored traffic:
tcpdump -i eth1 -w /tmp/a.txt
Run tail -f /tmp/a.txt to see the captured mirrored traffic.
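Steps 2 to 4 can also be scripted and then verified from the host. The following is an added example, not part of the original procedure; the VM name sensor-vm is hypothetical, and using eth4 as the Windows adapter name and keeping the switch unshared with the management OS are assumptions.

```powershell
# Added example. 'Network_Mirror', 'eth4' and the feature name come from the steps above;
# 'sensor-vm' is a hypothetical VM name. Run in an elevated session on the Hyper-V host.
$SwitchName  = 'Network_Mirror'
$HostNic     = 'eth4'        # assumed to be the Windows adapter name of the mirror NIC
$SensorVM    = 'sensor-vm'   # hypothetical capture VM
$FeatureName = 'Ethernet Switch Port Security Settings'

# Step 2: external switch bound to the mirror NIC, with the NDIS capture extension enabled.
# Assumption: the management OS does not share this NIC (-AllowManagementOS $false).
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $HostNic -AllowManagementOS $false | Out-Null
}
Enable-VMSwitchExtension -VMSwitchName $SwitchName -Name 'Microsoft NDIS Capture' | Out-Null

# Step 3: mark the capture VM's adapter on this switch as the mirroring destination.
Get-VMNetworkAdapter -VMName $SensorVM |
    Where-Object { $_.SwitchName -eq $SwitchName } |
    Set-VMNetworkAdapter -PortMirroring Destination

# Step 4: set the external port as mirroring source, but only if the feature
# is not already attached, so the script can be re-run safely.
$existing = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -FeatureName $FeatureName
if (-not $existing) {
    $feature = Get-VMSystemSwitchExtensionPortFeature -FeatureName $FeatureName
    $feature.SettingData.MonitorMode = 2   # 0 = None, 1 = Destination, 2 = Source
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -VMSwitchExtensionFeature $feature
}

# Verification: the external port should report MonitorMode 2 ...
$port = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -FeatureName $FeatureName
"External port MonitorMode: $($port.SettingData.MonitorMode)"

# ... and only the intended VM should be a mirroring destination on this switch.
# Any other adapter listed as Destination also receives a copy of all mirrored traffic.
Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.SwitchName -eq $SwitchName } |
    Select-Object VMName, Name, MacAddress, PortMirroringMode
```

The final listing doubles as an audit: review it whenever VMs are attached to Network_Mirror, since every adapter in Destination mode sees the full mirrored stream.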
Appendix:
References:
https://blogs.technet.microsoft.com/networking/2015/10/16/setting-up-port-mirroring-to-capture-mirrored-traffic-on-a-hyper-v-virtual-machine/
https://dotblogs.com.tw/terrychuang/2015/01/19/148176