Turn your PC (OS linux) with multiple interfaces into a filtered tap.
Connect your PC eth0 to a span/monitor port on your switch
Connnect a Sniffer, APM, IDM or IPS to eth1, eth2 and/or eth3
1. set eth0 promiscious
ifconfig eth0 promisc
2. set eth0 to accept data
tc qdisc add dev eth0 ingress
3.a. Filter ip traffic on eth0 and copy it to eth1
tc filter add dev eth0 parent ffff: protocol all u32 match ip dst 8.8.8.8 action mirred egress mirror dev eth1
tc filter add dev eth0 parent ffff: protocol all u32 match ip src 8.8.8.8 action mirred egress mirror dev eth1
repeat step 3 for eth2 and eth3 with a different ip dst/src address
3.b. Filter based on MAC address (aabbccddeeff)
-
-
- ip traffic (0x800) for destination 0axaabbccddeeff
- tc filter add dev eth0 parent ffff: protocol all u32 match u16 0x800 0xFFFF at -2 match u32 ccddeeff 0xFFFFFFFF at -12 match u16 0xaabb 0xFFFF at -14 action mirred egress mirror dev eth1
- ip traffic (0x800) for source mac 0xaabbccddeeff
- tc filter add dev eth0 parent ffff: protocol all u32 match u16 0x800 0xFFFF at -2 match u16 0xeeff 0xFFFF at -4 match u32 0xaabbccdd 0xFFFFFFFF at -8 action mirred egress mirror dev eth1
- ip traffic (0x800) for destination 0axaabbccddeeff
-
check filter: tc -s -d filter show dev eth0 ingress
delete filters at once and start over: tc qdisc del dev eth0 ingress