Hi cn187, thank you for your response.
You're (obviously) correct that typically one might have the drivers strip VLAN information assuming the NIC is configured to do so.
That's actually one of the first things I tried while investigating why I couldn't get showeq to work.
That's when I discovered that some of the traffic hitting my interface was untagged, so even if I created a VLAN interface, which would strip the tags from that traffic, I only had some of the traffic on a single interface.
The problem comes down to my network switch, made by TP-LINK, which when doing port mirroring, doesn't care what the settings are on the destination port. Other switches, such as more advanced Cisco switches, allow you to configure the behavior on a mirror port.
So for example, ideally assuming I had "VLAN 5" traffic getting mirrored, I could set the destination port to VLAN 5 and then it would strip the tags for me automatically at the switch. Unfortunately, this TP-LINK switch doesn't do that. It's mirroring traffic from an "access" port, so all the incoming traffic it mirrors is untagged, but the outgoing traffic (destined for the router) ends up tagged.
In addition, because this is mirror traffic, I don't have the dedicated NIC that is receiving the traffic connected to an actual network. It's got a link-local address since showeq requires an IP to bind to it, but the interface is getting sent all the packets it needs without requiring any IP binding at all (confirmed with wireshark).
One of the advantages of the implementation I proposed is that in theory I can combine multiple port mirrors into my single destination port, so I could have multiple different VLANs of mirrored traffic hitting my showeq's dedicated mirror NIC, and I could sniff eq sessions on any of them.
As far as testing, I created an offline packet capture and then replayed it while I was doing my testing. I would share it but I'm not sure of the privacy of the eq packets in my capture.
Please let me know if you have any other questions! So far my solution has been working great for me, and it's awesome being able to run it in a VM in a complex network.
Reply With Quote