Make AWS VPC mirrored traffic arrive without a VXLAN header so you can filter packets like normal traffic in Wireshark.
Intro
In an AWS VPC, when we need to inspect the packets on the ENI of an EC2 instance, we can use VPC traffic mirroring to copy the traffic from the source ENI and deliver it to the ENI of a monitor host. This lets us confirm whether packets were actually sent out from, or received on, that ENI.
How does it work?
When we set up VPC traffic mirroring, we need to define the following things.
- Source — The network interface to monitor.
- Filter — A set of rules that defines the traffic that is mirrored.
- Target — The destination for mirrored traffic.
- Session — Establishes a relationship between a source, a filter, and a target.
A traffic mirror target is the destination for mirrored traffic. The mirror target can be
- ENI of EC2
- Network Load Balancer
- Gateway Load Balancer endpoint
If you use Wireshark or tcpdump to capture packets on the target, you will see that each mirrored packet is encapsulated in a VXLAN tunnel: an outer Ethernet/IPv4/UDP header (UDP destination port 4789) and an 8-byte VXLAN header carrying the session's VNI, followed by the original frame. Wireshark decodes UDP port 4789 as VXLAN by default, so the mirrored frame shows up nested under those outer layers rather than as plain traffic, and display filters written for the original traffic do not match the outer headers.
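The following Python is an added example, not code from the original post or from AWS. It shows the encapsulation described above by building a VXLAN-wrapped frame the way a mirror target would receive it (the sample inner TCP SYN, MAC and IP addresses, VNI and UDP source port are all constructed assumptions), then strips the outer Ethernet/IPv4/UDP/VXLAN layers and writes the inner frames to a pcap that Wireshark opens as ordinary traffic. Frames that are not VXLAN, or that carry a different VNI, are skipped rather than silently passed through.

```python
"""Decapsulate VXLAN frames from AWS VPC Traffic Mirroring and write a plain pcap.
Added example; addresses, VNI and ports below are assumptions, not AWS values."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA VXLAN port; Traffic Mirroring sends to it
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_TCP = 6
VXLAN_FLAG_VNI_VALID = 0x08    # "I" bit: the VNI field is valid


def _ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4_bytes) -> bytes:
    """Ethernet/IPv4 frame around an already-built layer-4 payload."""
    total_len = 20 + len(l4_bytes)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4_bytes


def sample_inner_frame() -> bytes:
    """Constructed sample: a TCP SYN from 10.0.1.10:40000 to 10.0.2.20:443 (UDP/TCP checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return build_ipv4_frame("0a:00:00:00:00:01", "0a:00:00:00:00:02",
                            "10.0.1.10", "10.0.2.20", IPPROTO_TCP, tcp)


def vxlan_encapsulate(inner_frame, vni, src_mac, dst_mac, src_ip, dst_ip, src_port=49152) -> bytes:
    """Wrap a frame the way a mirror target sees it: outer Eth/IPv4/UDP(4789)/VXLAN + original frame."""
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)   # flags, reserved, VNI(24) + reserved(8)
    payload = vxlan_hdr + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0) + payload
    return build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, IPPROTO_UDP, udp)


def strip_vxlan(frame: bytes):
    """Return (vni, inner_frame) for a VXLAN-encapsulated frame; raise ValueError for anything else."""
    if len(frame) < 14 + 20 + 8 + 8:
        raise ValueError("frame too short to carry VXLAN")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    if struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without valid VNI flag")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    return vni, frame[vx_off + 8:]


def decapsulate_frames(frames, vni=None):
    """Strip VXLAN from every frame; drop non-VXLAN frames and, if vni is given, other sessions."""
    inner = []
    for f in frames:
        try:
            f_vni, payload = strip_vxlan(f)
        except ValueError:
            continue
        if vni is None or f_vni == vni:
            inner.append(payload)
    return inner


def pcap_bytes(frames, ts_sec=0) -> bytes:
    """Classic pcap (magic a1b2c3d4, linktype 1 = Ethernet) so Wireshark sees the inner frames directly."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts_sec + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    inner = sample_inner_frame()
    mirrored = vxlan_encapsulate(inner, 1234, "0a:00:00:00:00:aa", "0a:00:00:00:00:bb",
                                 "10.0.1.10", "10.0.9.9")   # assumed source and monitor-host addresses
    with open("mirror-decap.pcap", "wb") as fh:
        fh.write(pcap_bytes(decapsulate_frames([mirrored], vni=1234)))
```

Opening `mirror-decap.pcap` in Wireshark shows the TCP SYN at the top level, so filters such as `tcp.port == 443` match it directly. Filtering on the VNI before stripping keeps traffic from other mirror sessions that share the same target ENI out of the capture.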