- 30 Sep 2024
- 16 Minutes to read
- Print
- PDF
Traffic mirroring for VM
- Updated on 30 Sep 2024
- 16 Minutes to read
- Print
- PDF
Traceable provides a script for setting up traffic mirroring on a virtual machine. The script installs and runs two services. The first service collects and sends the mirrored traffic to the Traceable Platform agent. The second service, the Traceable Platform agent, sends the mirrored traffic to the Traceable Platform. Both these services run using systemctl
. Traceable also supports traffic mirroring in an airgapped environment.
systemctl
is a command-line utility for controlling the systemd
system and service manager on Linux operating systems. It provides several commands for managing systemd
units, which are the building blocks of a system-based system. systemd
is a system and service manager for Linux operating systems. It provides a standard process for controlling what programs run when a Linux system boots up. For more information on systemctl
, see How to use systemctl to manage Linux services.
Download
To download the script, go to Traceable's download site. Navigate to install → traffic-mirroring → linux → latest. Click on the install.sh
script to download it, or enter the following command in your terminal:
curl -O https://downloads.traceable.ai/install/traffic-mirroring/linux/latest/install.sh
Provide the execute permission to the script. Enter the following command:
chmod +x install.sh
Installation
The installation script is a utility that installs and configures traffic-mirroring components. It can be used as follows:
sudo ./install.sh Subcommand Arguments [Optional-Arguments]
The sub-commands for the script are:
mirror Uses packet capture for data collection
ebpf Uses eBPF for data collection
tpa-only Install Traceable Platform Agent (TPA) only
ebpf-only Install eBPF only
cleanup Remove Traceable deployments
help Prints help
mirror
The mirror
sub-command installs the Traceable Platform agent and Suricata and runs them as systemctl
services. The service you are mirroring traffic from can be encrypted or unencrypted. For more details of this command (synopsis, example usages, argument descriptions), enter the following:
./install.sh mirror help
The mirror command has the following syntax:
./install.sh mirror -e ENVIRONMENT -s SERVICE_NAME [-r REMOTE_ENDPOINT]
[-i INTERFACE | --all-interfaces] [-f FILTER_OPTION] [-t] [--no-download]
[--otlp-exporter-sending-queue-size OTLP_EXPORTER_SENDING_QUEUE_SIZE]
[--otlp-file-storage-dir OTLP_FILE_STORAGE_DIR] [--tpa-loglevel TPA_LOGLEVEL]
[--tpa-log-max-size-mb TPA_LOGSIZE] [--tpa-log-max-backups TPA_LOGCOUNT]
[--tpa-max-memory TPA_MAX_MEM] [--mirror-max-memory MIRROR_MAX_MEM]
[--packet-capture-max-memory PACKET_CAPTURE_MAX_MEM]
[--set-memory-accounting] [--remote-cert-path ROOT_CA_CERT]
[--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY] [--no-proxy NO_PROXY]
[--enable-tls-capture [--run-non-tls-server | --tls-key KEY --tls-cert CERT]
[--server-port SERVER_PORT]]
The following table explains the usage of the command arguments:
Argument | Mandatory | Description |
---|---|---|
| Yes | The service name for the mirrored traffic. |
| Yes | Environment name for the mirrored traffic. |
| No | Remote endpoint for Traceable Platform Agent. If this is not configured, then it defaults to |
| No | Custom filter option for mirroring. Defaults to |
| No | Prompt for Traceable token for authentication. Check token for more details. |
| No | Root CA used to sign certificate for the Traceable Platform. |
| No | Use local packages to install Traceable and its components. For more information, see Airgapped installation. |
| No | OTLP exporter sending queue size (in batches) for traces and metrics. This config is also used for the sending queue size. The default is 1000. |
| No | OTLP file storage extension directory. This is to persist the retry queue for traces and metrics. Default value is |
| No | Logging level for the Traceable service. |
| No | The maximum size in MB for log files created by the Traceable service. The default value is 10. |
| No | The maximum number of backup log files created by the Traceable service. The default value is 10. |
| No | Maximum memory limit for traceable-agent service. Takes a memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. |
| No | Maximum memory limit for mirror service. Takes a memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. |
| No | Maximum memory limit for packet capture service. Takes memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory of the system. |
| No | Set the MemoryAccounting value as |
| No | Used for setting proxy URL for HTTP requests until overwritten by |
| No | Used for setting proxy URL for HTTPS requests until overwritten by |
| No | Specifies a string that contains comma-separated values specifying hosts that should be excluded from proxying. |
Provide exactly one of the following arguments:
Argument | Description |
---|---|
| Comma-separated list of interface IDs for the mirrored traffic. |
| Mirror traffic from all the interfaces. Note This flag is incompatible with the |
Mirroring with SSL/TLS
If your mirrored service is using SSL/TLS protocol, then in addition, use the following arguments:
Argument | Mandatory | Description |
---|---|---|
| Yes | Capture traffic encrypted with TLS/SSL.
|
| No | Run Traceable without TLS. By default, the Traceable server uses TLS encryption. |
| No |
|
| No | Port where a TCP server runs when you enable TLS capture. Master keys are sent to this TCP server in a standard format. |
mirroring example
Following are a few examples of using the mirror
sub-command:
If your service is running on the eth0 interface, you can use the following command:
ActionScriptActionScript
sudo ./install.sh mirror -i eth0 -e myEnvironment -s myService -t
If your service is running with TLS, you can use the following command:
ActionScriptActionScript
sudo ./install.sh mirror -i eth0 -e myEnvironment -s myService -t --enable-tls-capture
ebpf
The ebpf
sub-command installs the Traceable Platform agent and eBPF and runs them as systemctl
services. For more details of this command (synopsis, example usages, argument descriptions), enter the following:
./install.sh ebpf help
The command has the following syntax:
./install.sh ebpf -e ENVIRONMENT -s SERVICE_NAME [-r REMOTE_ENDPOINT]
[-P PORTS] [-S SSL_DIRS] [-E EXCLUDE_PROCESSES] [--mode MODE]
[-R MAX_RETURN_PROBES] [--remote-cert-path ROOT_CA_CERT] [-t]
[--tpa-loglevel TPA_LOGLEVEL] [--tpa-log-max-size-mb TPA_LOGSIZE]
[--tpa-log-max-backups TPA_LOGCOUNT] [--ebpf-loglevel EBPF_LOGLEVEL]
[--ebpf-log-max-size-mb EBPF_LOGSIZE] [--ebpf-log-max-backups EBPF_LOGCOUNT]
[--no-download] [--enable-java-tls-capture] [--ebpf-max-memory EBPF_MAX_MEM]
[--tpa-max-memory TPA_MAX_MEM] [--set-memory-accounting]
[--ebpf-request-per-second-limit EBPF_REQUEST_LIMIT] [--ebpf-max-connection EBPF_MAX_CONNECTION]
[--ebpf-go-memory-limit EBPF_GO_MEMORY_LIMIT] [--otlp-max-connection-age OTLP_MAX_CONNECTION_AGE]
[--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY] [--no-proxy NO_PROXY]
[--tpa-max-cpu TPA_MAX_CPU] [--ebpf-max-cpu EBPF_MAX_CPU]
The following table explains the usage of the command arguments:
Argument | Mandatory | Description |
---|---|---|
| Yes | The service name for the mirrored traffic. |
| Yes | Environment name for the mirrored traffic. |
| No | Remote endpoint for Traceable Platform agent. |
| No | Comma-separated list of ports that you wish to track. |
| No | Comma-separated list of SSL directories. |
| No | Comma-separated list of process names that you wish to exclude from tracking. |
| No | Traffic type to be captured.
The default value is |
| No | Maximum number of return probes. |
| No | Prompt for Traceable Token for authentication. Check token for more details. |
| No | Root CA used to sign certificate for the Traceable Platform. |
| No | Logging level for the Traceable service. The allowed values are |
| No | The maximum log file size in MB created by the Traceable service. The default value is 10 MB. |
| No | Maximum number of backup log files created by the Traceable service. The default value is 10. |
| No | Logging level for the eBPF service. The allowed values are |
| No | Maximum log file size in MB created by the eBPF service. The default value is 10 MB. |
| No | Maximum number of backup log files created by the eBPF service. The default value is 10. |
| No | Use local packages to install Traceable and its components. For more information, see Airgapped installation. |
| No | Set it to |
| No | Maximum memory limit for the eBPF service. Takes a memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. |
| No | Maximum memory limit for the Traceable service. Takes memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, you can select the value as a percentage, which is taken relative to the installed physical memory on the system. |
| No | Set MemoryAccounting to |
| No | Sets the maximum number of requests the eBPF tracer would capture in a second. |
| No | Sets the maximum number of connections the eBPF tracer tracks at any given time. |
| No | This is the substitute for the Examples: 128974848, 129e6, 129M, 128974848000m, 123Mi |
| No | Sets the keepalive duration for the OTLP server in the Traceable Platform agent. The duration can be expressed as a string. The acceptable units are ns, us, s, m, and h. Example: 100ms = 100 milliseconds, 120s = 120 seconds, |
| No | Used for setting proxy URL for HTTP requests until overwritten by |
| No | Used for setting proxy URL for HTTPS requests until overwritten by |
| No | Specifies a string that contains comma-separated values specifying hosts that should be excluded from proxying. |
| No | Sets the maximum percentage of CPU that the Traceable Platform Agent (TPA) process is allowed to use. For example, |
| No | Sets the maximum CPU percentage for the eBPF process. For example, |
ebpf examples
Following are a few examples of using the ebpf
sub-command:
If you wish to capture all the traffic, use the following command:
ActionScriptActionScript
sudo ./install.sh ebpf -e myEnvironment -s myService -t
If you wish to capture traffic from a specific process or a set of processes, use the following command. In the example below, data is captured from ports 8080 and 9001.
ActionScriptActionScript
sudo ./install.sh ebpf -e myEnvironment -s myService -P 8080,9001 -t
ebpf-only
The ebpf-only
sub-command installs only the eBPF solution and runs them as systemctl
services. For more details of this command (synopsis, example usages, argument descriptions), enter the following:
./install.sh ebpf-only help
The command has the following syntax:
./install.sh ebpf-only -s SERVICE_NAME --tpa-endpoint ENDPOINT [-P PORTS]
[-S SSL_DIRS] [-E EXCLUDE_PROCESSES] [-R MAX_RET_PROBES] [--mode MODE]
[--tls-root-cert ROOT_CA_CERT] [--reporting-port REPORTING_PORT]
[--remote-port REMOTE_PORT] [--exporter EXPORTER] [--loglevel LOGLEVEL]
[--log-max-size-mb SIZE] [--log-max-backups COUNT]
[--no-download] [--enable-java-tls-capture] [--max-memory MAX_MEMORY]
[--set-memory-accounting] [--request-per-second-limit REQUEST_LIMIT] [--max-connection MAX_CONNECTION]
[--go-memory-limit GO_MEMORY_LIMIT] [--max-cpu MAX_CPU]
The following table explains the usage of the command arguments:
Argument | Mandatory | Description |
---|---|---|
| Yes | The service name for the mirrored traffic. |
| Yes | Endpoint of Traceable Platform Agent. |
| No | Comma-separated list of ports that you wish to track. |
| No | Comma-separated list of SSL directories. |
| No | Comma-separated list of process names to be excluded from tracking. |
| No | Maximum number of return probes. The default value is 1. |
| No | Traffic type to be captured.
The default value is |
| No | Root CA used to sign certificate for Traceable Platform Agent. eBPF uses this to validate the Traceable Platform Agent's certificate. If this value is provided, eBPF uses TLS encryption for data sent to the Traceable Platform Agent. |
| No | Reporting endpoint port of Traceable Platform Agent. If |
| No | Remote endpoint port of Traceable Platform Agent. If |
| No | eBPF span exporter. Allowed values are |
| No | Logging level for the eBPF service. The allowed values are |
| No | Maximum log file size in MB created by the eBPF service. The default value is 10 MB. |
| No | Maximum number of backup log files created by the eBPF service. The default value is 10. |
| No | Use local packages to install Traceable and its components. For more information, see Airgapped installation. |
| No | Set it to |
| No | Maximum memory limit for the Traceable service. Takes memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, you can select the value as a percentage, which is taken relative to the installed physical memory on the system. |
| No | set MemoryAccounting to true for the eBPF service. This is required on VMs where the |
| No | Sets the maximum number of requests the eBPF tracer would capture in a second. |
| No | Sets the maximum number of connections the eBPF tracer tracks at any given time. |
| No | This is the substitute for the Examples: 128974848, 129e6, 129M, 128974848000m, 123Mi. |
| No | Specifies the maximum CPU percentage for the eBPF. For instance, |
ebpf-only examples
Following are a few examples of using the ebpf-only
sub-command:
If your Traceable Platform agent is running on an IP address
10.120.0.3
, and you wish to install the eBPF solution and send the mirrored traffic to the Traceable Platform agent, use the following command:ActionScriptActionScript
sudo ./install.sh ebpf-only -s myService --tpa-endpoint 10.120.0.3
If your Traceable Platform agent is running with the TLS server on
10.120.0.3
and you have your root CA at/path/to/root/ca
, then you can enable TLS encryption for the traffic sent from eBPF to the Traceable Platform agent. Enter the following command:ActionScriptActionScript
sudo ./install.sh ebpf-only -s myService --tpa-endpoint 10.120.0.3 --tls-root-cert /path/to/root/ca
tpa-only
The tpa-only
sub-command installs the Traceable Platform agent and runs it as a systemctl
service. For more details of this command (synopsis, example usages, argument descriptions), enter the following:
./install.sh tpa-only help
The command has the following syntax:
./install.sh tpa-only -e ENVIRONMENT [-s SERVICE_NAME] [-r REMOTE_ENDPOINT]
[--loglevel LOGLEVEL] [--remote-cert-path ROOT_CA_CERT] [-t]
[--log-max-size-mb SIZE] [--log-max-backups COUNT] [--no-download]
[--tls-endpoint ENDPOINT --tls-key KEY --tls-cert CERT --tls-root-cert ROOT_CA_CERT]
[--max-memory MAX_MEMORY] [--set-memory-accounting]
[--otlp-max-connection-age OTLP_MAX_CONNECTION_AGE]
[--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY] [--no-proxy NO_PROXY]
[--max-cpu MAX_CPU]
The following table explains the usage of the command arguments:
Argument | Mandatory | Description |
---|---|---|
| Yes | Environment name for the mirrored traffic. |
| No | The service name for the mirrored traffic. |
| No | Remote endpoint for Traceable Platform agent. |
| No | Logging level for the Traceable service. The allowed values are |
| No | Root CA used to sign certificate for the Traceable Platform. |
| No | Prompt for Traceable token for authentication. Check token for more details. |
| No | Maximum log file size in MB created by the Traceable service. The default value is 10 MB. |
| No | Maximum number of backup log files created by the eBPF service. The default value is 10. |
| No | Use local packages to install Traceable and its components. For more information, see Airgapped installation. |
| No | Maximum memory limit for the Traceable service. Takes a memory size in bytes. If the value is suffixed with K, M, G, or T, the specified memory size is parsed as Kilobytes, Megabytes, Gigabytes, or Terabytes (with the base 1024), respectively. Alternatively, a percentage value may be specified, which is taken relative to the installed physical memory on the system. |
| No | set MemoryAccounting to true for the Traceable service. This is required on VMs where the DefaultMemoryAccounting property is not enabled. |
| No | Sets the keepalive duration for the OTLP server in the Traceable Platform agent. The duration can be expressed as a string. The acceptable units are ns, us, s, m, and h. Example: 100ms = 100 milliseconds, 120s = 120 seconds, |
| No | Used for setting proxy URL for HTTP requests until overwritten by |
| No | Used for setting proxy URL for HTTPS requests until overwritten by |
| No | Specifies a string that contains comma-separated values specifying hosts that should be excluded from proxying. |
--max-cpu MAX_CPU | no | Sets the maximum percentage of CPU that the TPA (Traceable Platform Agent) process is allowed to use. This option limits CPU utilization, preventing the process from consuming more than the specified percentage. For example, |
Traceable Platform agent with TLS
You can choose to enable the TLS server on the Traceable Platform agent. The following arguments enable TLS:
Argument | Mandatory | Description |
---|---|---|
| Yes | TLS Endpoint of Traceable Platform agent. |
| Yes | Path to the private key for Traceable Platform agent. |
| Yes | Path to the certificate file for Traceable Platform agent. |
| Yes | Path to the root CA file for Traceable Platform agent. |
tpa-only examples
Following are a few examples of using the tpa-only
sub-command:
If you wish to install Traceable Platform Agent without a TLS server, enter the following command:
ActionScriptActionScript
sudo ./install.sh tpa-only -e myEnvironment -t
If you wish to set up a TLS server with an endpoint as
0.0.0.0:5443
, enter the following command:ActionScriptActionScript
sudo ./install.sh tpa-only -e myEnvironment -t --tls-endpoint 0.0.0.0:5443 --tls-key /path/to/key --tls-cert /path/to/cert --tls-root-cert /path/to/root/ca
Uninstallation
Enter the following command to uninstall. Note that the install script is used for both installation and uninstallation.
sudo ./install.sh cleanup
eBPF with centralized Traceable Platform agent
When you use the ebpf
subcommand for installation, the eBPF and Traceable Platform Agent are deployed on the same machine. eBPF starts capturing traffic and sends it to the agent. To streamline the forwarding process, you may run a central agent to which all devices with eBPF can send mirrored traffic. This can be accomplished in two simple steps:
Run the installation script with the
tpa-only
subcommand on the virtual machine (VM) where you wish to install the central agent.Run the installation script with the
ebpf-only
subcommand on all other VMs hosting your services.
If you wish to ensure secure communication between the VM capturing traffic and the central agent, follow these additional steps:
Enable the TLS server during installation with the
tpa-only
subcommand.Use the same root CA certificate for all
ebpf-only
installations.
Airgapped installation
Traceable provides a script for setting up traffic mirroring in an air-gapped environment. An air-gapped system is a computer or network physically isolated from the internet and other unsecured networks. This system protects sensitive data and systems from external threats such as hackers and malware. Airgapped systems are often used in industries where data security is paramount.
Traceable provides two archives for air-gapped installation, one for AMD64 machines and the other for arm64 devices. To download the archive, go to Traceable's download site. Navigate to install → traffic-mirroring → linux → latest.
Transfer the downloaded archive to your airgapped system. Untar the archive by entering the following command, for example, for an amd64 machine:
tar xvzf traffic-mirroring-amd64.tar.gz
Change directory:
cd traffic-mirroring-amd64/bin/
The bin directory contains install.sh
.
To install, run any sub-command mentioned in the Installation section by adding the --no-download
option. This option uses the local packages from the tar file to complete the installation instead of depending on the network.
Token
When installing the Traceable Platform Agent, you must provide the platform token to authenticate with the platform. This can be done in multiple ways.
Export the token as an environment variable:
ActionScriptActionScript
export TA_REFRESH_TOKEN=""
Put the token in the default token file:
ActionScriptActionScript
echo "" | sudo tee /etc/traceable/agent/token
Provide the command-line flag
-t
or--token
and enter the token when prompted.