Contents x
    Traffic mirroring for VM
    • 23 Aug 2023
    • 9 Minutes to read
    • PDF
    Contents

    Traffic mirroring for VM

    • Updated on 23 Aug 2023
    • 9 Minutes to read
    • PDF
    Article Summary

    Traceable provides a script for setting up traffic-mirroring on a virtual machine. The script installs and runs two services. The first service collects and sends the mirrored traffic to the Traceable Platform agent. The second service, namely, Traceable Platform agent, sends the mirrored traffic to the Traceable Platform. Both these services run using systemctl. Traceable also supports traffic mirroring in an airgapped environment. 

    systemctl is a command-line utility for controlling the systemd system and service manager on Linux operating systems. It provides several commands for managing systemd units, which are the building blocks of a systemd-based system. systemd is a system and service manager for Linux operating systems. It provides a standard process for controlling what programs run when a Linux system boots up. For more information on systemctl, see How to use systemctl to manage Linux services.

    Download

    To download the script, go to Traceable's download site. Navigate to install → traffic-mirroring → linux → latest. Click on the install.sh script to download it, or enter the following command in your terminal:

    curl -O https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/install.sh

    Provide the execute permission to the script. Enter the following command:

    chmod +x install.sh

    Installation

    The installation script is a utility to install and configure traffic-mirroring components. It can be used as follows:

    sudo ./install.sh Subcommand Arguments [Optional-Arguments]

    The sub-commands for the script are:

    mirror      Uses packet capture for data collection
ebpf        Uses eBPF for data collection
tpa-only    Install Traceable Platform Agent (TPA) only
ebpf-only   Install eBPF only
cleanup     Remove Traceable deployments
help        Prints help

    mirror

    The mirror sub-command installs the Traceable Platform agent and Suricata and runs them as systemctl services. The service that you are mirroring traffic from can be either encrypted or unencrypted. For more details of this command (synopsis, example usages, argument descriptions) enter the following:

    ./install.sh mirror help

    The mirror command has the following syntax:

    ./install.sh mirror -e ENVIRONMENT -s SERVICE_NAME [-r REMOTE_ENDPOINT]
    [-i INTERFACE | --all-interfaces] [-f FILTER_OPTION] [-t] [--no-download]
    [--remote-cert-path ROOT_CA_CERT]
    [--enable-tls-capture [--run-non-tls-server] [--server-port SERVER_PORT]]

    The following table explains the usage of the command arguments:

    Argument

    Mandatory

    Description

    -s SERVICE_NAME

    Yes

    Service name for the mirrored traffic.

    -e ENVIRONMENT

    Yes

    Environment name for the mirrored traffic.

    -r REMOTE_ENDPOINT

    No

    Remote endpoint for Traceable Platform Agent. If this is no configured, then it defaults to api.traceable.ai.

    -f FILTER_OPTION

    No

    Custom filter option for mirroring. Defaults to "not host VM_IP"

    -t | --token

    No

    Prompt for Traceable token for authentication. Check token for more details.

    --remote-cert-path ROOT_CA_CERTNoRoot CA used to sign certificate for the Traceable Platform Agent.

    --no-download

    No

    Use local packages to install Traceable and its components. For more information, see Airgapped installation.

    Provide exactly one of the following arguments:

    ArgumentDescription

    -i INTERFACE

    		Comma separated list of interface IDs for the mirrored traffic.
    --all-interfacesMirror traffic from all the interfaces.
    Note
    This flag is incompatible with the --enable-tls-capture flag.

    Mirroring with SSL/TLS

    If your mirrored service is using SSL/TLS protocol, then in-addition use the following arguments:

    Argument

    Mandatory

    Description

    --enable-tls-capture

    Yes

    Capture traffic encrypted with TLS/SSL.

    --run-non-tls-server

    No

    Run Traceable without TLS. By default, Traceable server uses TLS encryption.

    --server-port PORT 

    No

    Port where a TCP server runs when you enable TLS capture. Master keys are sent to this TCP server in standard format.

    mirroring example

    Following are a few examples of using the mirror sub-command:

    • If your service is running on eth0 interface, you can use the following command:
      ActionScript
      sudo ./install.sh mirror -i eth0 -e myEnvironment -s myService -t
    • If your service is running with TLS, you can use the following command:
      ActionScript
      sudo ./install.sh mirror -i eth0 -e myEnvironment -s myService -t --enable-tls-capture

    ebpf

    The ebpf sub-command installs the Traceable Platform agent and eBPF and runs them as systemctl services. For more details of this command (synopsis, example usages, argument descriptions) enter the following:

    ./install.sh ebpf help

    The command has the following syntax:

    ./install.sh ebpf -e ENVIRONMENT -s SERVICE_NAME [-r REMOTE_ENDPOINT]
    [-P PORTS] [-S SSL_DIRS] [-E EXCLUDE_PROCESSES] [--mode MODE]
    [-R MAX_RETURN_PROBES] [--remote-cert-path ROOT_CA_CERT] [-t]
    [--tpa-loglevel TPA_LOGLEVEL] [--tpa-log-max-size-mb TPA_LOGSIZE] 
    [--tpa-log-max-backups TPA_LOGCOUNT] [--ebpf-loglevel EBPF_LOGLEVEL]
    [--ebpf-log-max-size-mb EBPF_LOGSIZE] [--ebpf-log-max-backups EBPF_LOGCOUNT] 
    [--no-download]

    The following table explains the usage of the command arguments:

    Argument

    Mandatory

    Description

    -s SERVICE

    Yes

    Service name for the mirrored traffic.

    -e ENVIRONMENT

    Yes

    Environment name for the mirrored traffic.

    -r REMOTE_ENDPOINT

    No

    Remote endpoint for Traceable Platform agent.

    -P PORTS

    No

    Comma-separated list of ports that you wish to track.

    -S SSL_DIRS

    No

    Comma-separated list of SSL directories. 

    -E EXCLUDE_PROCESSES

    No

    Comma-separated list of process names that you wish to exclude from tracking.

    --mode MODENo

    Traffic type to be captured. MODE can take the following values:

    • ingress: capture all ingress traffic for given PORTS
    • egress: capture all egress traffic for given PORTS
    • ingress_and_egress: capture all ingress as well as egress traffic for given PORTS.

    The default value is ingress.

    -R MAX_RETURN_PROBES 

    No

    Maximum number of return probes.

    -t | --token

    No

    Prompt for Traceable Token for authentication. Check token for more details.

    --remote-cert-path PATHNoRoot CA used to sign certificate for the Traceable Platform Agent.
    --tpa-loglevel TAP_LOGLEVELNoLogging level for the Traceable service. The allowed values are info, warn, error, and debug. The default value is info.
    --tpa-log-max-size-mb TPA_LOGSIZE
    		No
    		Maximum log file size in MB created by the Traceable service. The default value is 10 MB.
    --tpa-log-max-backups TPA_LOGCOUNT
    		No
    		Maximum number of backup log files created by the Traceable service. The default value is 10.
    --ebpf-loglevel EBPF_LOGLEVEL
    		No
    		Logging level for the eBPF service. The allowed values are info, warn, error, debug and trace. The default value is info.
    --ebpf-log-max-size-mb EBPF_LOGSIZE
    		No
    		Maximum log file size in MB created by the eBPF service. The default value is 10 MB.
    --ebpf-log-max-backups EBPF_LOGCOUNT
    		No
    		Maximum number of backup log files created by the eBPF service. The default value is 10.
    --no-downloadNoUse local packages to install Traceable and its components. For more information, see Airgapped installation.

    ebpf examples

    Following are a few examples of using the ebpf sub-command:

    • If you wish to capture all the traffic, use the following command:
      ActionScript
      sudo ./install.sh ebpf -e myEnvironment -s myService -t
    • If you wish to capture traffic from a specific process or a set of processes, use the following command. In the example below, data is captured from ports 8080 and 9001.
      ActionScript
      sudo ./install.sh ebpf -e myEnvironment -s myService -P 8080,9001 -t

    ebpf-only

    The ebpf-only sub-command installs only the eBPF solution and runs them as systemctl services. For more details of this command (synopsis, example usages, argument descriptions) enter the following:

    ./install.sh ebpf-only help

    The command has the following syntax:

    ./install.sh ebpf-only -s SERVICE_NAME --tpa-endpoint ENDPOINT [-P PORTS]
    [-S SSL_DIRS] [-E EXCLUDE_PROCESSES] [-R MAX_RET_PROBES] [--mode MODE]
    [--tls-root-cert ROOT_CA_CERT] [--reporting-port REPORTING_PORT]
    [--remote-port REMOTE_PORT] [--exporter EXPORTER] [--loglevel LOGLEVEL]
    [--log-max-size-mb SIZE] [--log-max-backups COUNT] 
    [--no-download]

    The following table explains the usage of the command arguments:

    Argument

    Mandatory

    Description

    -s SERVICE_NAME

    Yes

    Service name for the mirrored traffic.

    --tpa-endpoint ENDPOINT

    Yes

    Endpoint of Traceable Platform Agent. 

    -P PORTS

    No

    Comma-separated list of ports that you wish to track.

    -S SSL_DIRS 

    No

    Comma-separated list of SSL directories. 

    -E EXCLUDE_PROCESSES

    No

    Comma-separated list of process names to be excluded from tracking.

     -R MAX_RETURN_PROBES

    No

    Maximum number of return probes. The default value is 1.

    --mode MODENo

    Traffic type to be captured. MODE can take the following values:

    • ingress: capture all ingress traffic for given PORTS
    • egress: capture all egress traffic for given PORTS
    • ingress_and_egress: capture all ingress as well as egress traffic for given PORTS.

    The default value is ingress.

    --tls-root-cert ROOT_CA_CERTNoRoot CA used to sign certificate for Traceable Platform Agent. eBPF uses this to validate Traceable Platform Agent's certificate. If this value is provided, eBPF uses TLS encryption for data sent to the Traceable Platform Agent.

    --reporting-port REPORTING_PORT

    No

    		Reporting endpoint port of Traceable Platform Agent. If --tls-root-cert is provided, the default value is 5443. Otherwise, the default value is 4317.

    --remote-port REMOTE_PORT

    		NoRemote endpoint port of Traceable Platform Agent. If --tls-root-cert is provided, the default value is 5443. Otherwise, the default value is 5441.
    --exporter EXPORTERNo

    eBPF span exporter. Allowed values are ZIPKIN and OTLP. The default exporter is OTLP.

    --loglevel LOGLEVELNoLogging level for the eBPF service. The allowed values are info, warn, error, debug and trace. The default value is info.
    --log-max-size-mb SIZE
    		No
    		Maximum log file size in MB created by the eBPF service. The default value is 10 MB.
    --log-max-backups COUNT
    		No
    		Maximum number of backup log files created by the eBPF service. The default value is 10.
    --no-downloadNo

    Use local packages to install Traceable and its components. For more information, see Airgapped installation.

    ebpf-only examples

    Following are a few examples of using the ebpf-only sub-command:

    • If your Traceable Platform agent is running on IP address 10.120.0.3, and you wish to install eBPF solution and send the mirrored traffic to the Traceable Platform agent, use the following command:
      ActionScript
      sudo ./install.sh ebpf-only -s myService --tpa-endpoint 10.120.0.3
    • If your Traceable Platform agent is running with TLS server on 10.120.0.3 and you have your root CA at /path/to/root/ca, then you can enable TLS encryption for the traffic sent from eBPF to Traceable Platform agent as well. Enter the following command:
      ActionScript
      sudo ./install.sh ebpf-only -s myService --tpa-endpoint 10.120.0.3 --tls-root-cert /path/to/root/ca

    tpa-only

    The tpa-only sub-command installs the Traceable Platform agent and runs it as a systemctl service. For more details of this command (synopsis, example usages, argument descriptions) enter the following:

    ./install.sh tpa-only help

    The command has the following syntax:

    ./install.sh tpa-only -e ENVIRONMENT [-s SERVICE_NAME] [-r REMOTE_ENDPOINT]
    [--loglevel LOGLEVEL] [--remote-cert-path ROOT_CA_CERT] [-t]
    [--log-max-size-mb SIZE] [--log-max-backups COUNT] [--no-download]
    [--tls-endpoint ENDPOINT --tls-key KEY --tls-cert CERT --tls-root-cert ROOT_CA_CERT]

    The following table explains the usage of the command arguments:

    Argument

    Mandatory

    Description

    -e ENVIRONMENT

    Yes

    Environment name for the mirrored traffic.

    -s SERVICE_NAME

    No

    Service name for the mirrored traffic.

    -r REMOTE_ENDPOINT

    No

    Remote endpoint for Traceable Platform agent. 

    --loglevel LOGLEVEL

    		NoLogging level for the Traceable service. The allowed values are info, warn, error, and debug. The default value is info.
    --remote-cert-path ROOT_CA_CERTNoRoot CA used to sign certificate for the Traceable Platform Agent.

    -t | --token

    No

    Prompt for Traceable token for authentication. Check token for more details.

    --log-max-size-mb SIZE
    		No
    		Maximum log file size in MB created by the Traceable service. The default value is 10 MB.
    --log-max-backups COUNT
    		No
    		Maximum number of backup log files created by the eBPF service. The default value is 10.
    --no-download
    		No

    Use local packages to install Traceable and its components. For more information, see Airgapped installation.

    Traceable Platform agent with TLS

    You can choose to enable TLS server on Traceable Platform agent. The following arguments enable TLS:

    Argument

    Mandatory

    Description

    --tls-endpoint ENDPOINT

    Yes

    TLS Endpoint of Traceable Platform agent.

    --tls-key KEY

    Yes

    Path to the private key for Traceable Platform agent.

    --tls-cert CERT

    Yes

    Path to the certificate file for Traceable Platform agent.

    --tls-root-cert ROOT_CA_CERT

    Yes

    Path to the root CA file for Traceable Platform agent. 

    tpa-only examples

    Following are a few examples of using the tpa-only sub-command:

    • If you wish to install Traceable Platform Agent without TLS server, enter the following command:
      ActionScript
      sudo ./install.sh tpa-only -e myEnvironment -t
    • If you wish to set up a TLS server with endpoint as 0.0.0.0:5443, enter the following command:
      ActionScript
      sudo ./install.sh tpa-only -e myEnvironment -t --tls-endpoint 0.0.0.0:5443 --tls-key /path/to/key --tls-cert /path/to/cert --tls-root-cert /path/to/root/ca

    Uninstallation

    Enter the following command to uninstall. Note that install script is used for both installation and uninstallation.

    sudo ./install.sh cleanup

    eBPF with centralized Traceable Platform agent

    When you use the ebpf subcommand for installation, the eBPF and Traceable Platform Agent are deployed on the same machine. eBPF starts capturing traffic and sends it to the agent. To streamline the forwarding process, you may opt to run a central agent, to which all machines with eBPF can send mirrored traffic. This can be accomplished in two simple steps:

    1. Run the installation script with the tpa-only subcommand on the virtual machine (VM) where you wish to install the central agent.
    2. Run the installation script with the ebpf-only subcommand on all other VMs hosting your services.

    If you wish to ensure secure communication between the VM capturing traffic and the central agent, follow these additional steps:

    1. Enable the TLS server during installation with the tpa-only subcommand.
    2. Use the same root CA certificate for all ebpf-only installations.

    Airgapped installation

    Traceable provides a script for setting up traffic-mirroring in an airgapped environment. An airgapped system is a computer or network that is physically isolated from the internet and other unsecured networks. This type of system is used to protect sensitive data and systems from external threats such as hackers and malware. Airgapped systems are often used in industries where data security is of the utmost importance.

    For airgapped installation, Traceable provides two archives, one for amd64 machines and the other for arm64 machines. To download the archive, go to Traceable's download site. Navigate to install → traffic-mirroring → linux → latest. 

    Transfer the downloaded archive to your airgapped system. Untar the archive by entering the following command, for example, for an amd64 machine:

    tar xvzf traffic-mirroring-amd64.tar.gz

    Change directory:

    cd traffic-mirroring-amd64/bin/

    The bin directory contains install.sh.

    To install, run any sub-command as mentioned in the Installation section by adding the --no-download option. This option uses the local packages from the tar file to complete the installation instead of being dependent on the network.

    Token

    When installing the Traceable Platform Agent, you must provide the platform token to authenticate with the platform. This can be done in multiple ways.

    • Export the token as an environment variable:
      ActionScript
      export TA_REFRESH_TOKEN=""
    • Put the token in default token file:
      ActionScript
      echo "" | sudo tee /etc/traceable/agent/token
    • Provide the command-line flag -t or --token and enter the token when prompted.
    Was this article helpful?
    What's Next
    ©2023 Traceable Inc
    terms of services
    privacy policy
    oss disclosures