I recently had a requirement to mirror a port from a physical machine to a virtual machine. Initially I thought it would be pretty trivial, but when I came to implement it, it turned out to be less than straightforward. While it certainly is possible, in a complex data center environment there can be a lot of changes that need to be made which might make it an unattractive option.


If the distribution switch you are using happens to support erspan, then you can set that up and send all the traffic to the VM directly. Your traffic will have the GRE header attached to the packet, but for many applications this may be acceptable. In our case it was not, so I wrote a filter driver using WinpktFilter to strip all the GRE headers off before being passed up the stack to the protocol drivers.

In our case, we also didn't have a switch that supported erspan. So I wrote another filter driver which takes all the packets arriving on an interface, wraps them up in an GRE packet and spits them out the same or different interface. You can put this tunneling application either on the source machine itself or a dedicated machine that has the source machine mirrored to it using a regular switch port mirror - this way you can avoid modifying the source machine at all if it is running critical production processes. The source for both filters is at
https://github.com/Raggles/gremirror - gretunnel tunnels the packets and grestrip strips the GRE headers at the other end. This solution works well with the winpcap driver because winpcap is a protocol driver whereas WinpktFilter is a intermediate driver/LWP Filter driver (depending on OS). I haven't yet tested with npcap, so I'm unsure whether npcap will see the packets before or after they have the GRE headers removed.

