[ovs-discuss] SYN packet mirroring

Avi Cohen (A) avi.cohen at huawei.com
Sun May 28 06:51:53 UTC 2017


Thanks Justin and Ben
OK, so I can use ofctl to do that.
To my understanding, I need a flow with higher priority for SYN pkt for every TCP connection between server A and Client B to output the packet to out-port x and y (where y is connected to the SYN collector).
In addition I need the 'regular' flow for this TCP connection to output only to port x, correct?
Can you send an example ofctl configuration for that?
Best Regards
avi

> -----Original Message-----
> From: Justin Pettit [mailto:jpettit at ovn.org]
> Sent: Thursday, 25 May, 2017 9:07 PM
> To: Ben Pfaff
> Cc: Avi Cohen (A); ovs-discuss at openvswitch.org
> Subject: Re: [ovs-discuss] SYN packet mirroring
> 
> 
> > On May 25, 2017, at 10:44 AM, Ben Pfaff <blp at ovn.org> wrote:
> >
> > On Thu, May 25, 2017 at 10:26:29AM -0700, Justin Pettit wrote:
> >>
> >>> On May 25, 2017, at 2:10 AM, Avi Cohen (A) <avi.cohen at huawei.com> wrote:
> >>>
> >>> Hi All,
> >>> I need to capture all received SYN packets from all interfaces and to
> >>> mirror/output to a specific interface in addition to the operational interface
> >>> that these packets should be forwarded.
> >>> Can I do it with a single dpctl add-flow cli command, and not modify the
> >>> 'operational' flows that are used to normally connect TCP clients to TCP servers?
> >>
> >> No, if you run ovs-vswitchd, it will be confused when flows are added with
> >> ovs-dpctl, and delete them.  Also, I don't think that would work, since the kernel
> >> module will only apply actions from a single flow, so you'll either send the SYN
> >> packet to your collector or forward it appropriately, but not both.
> >>
> >> You should be able to construct what you want pretty easily with ovs-ofctl
> >> flows, though.
> >
> > Avi might be talking about "dpctl" from the OpenFlow reference
> > implementation, which (confusingly) uses OpenFlow.
> 
> Yeah, I wasn't sure if he was abbreviating or not.  If that is what he's talking
> about, he's not using OVS, of course.
> 
> --Justin
> 
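
An added example, not written by anyone in this thread: one way to express the SYN mirror as ovs-ofctl flows. It goes beyond the per-connection flows asked about by using a single high-priority match per address family. Assumptions: the bridge is named `br0`, the collector sits on OpenFlow port 5, the bridge otherwise forwards with the NORMAL action, and the installed OVS supports the `tcp_flags` match.

```shell
#!/bin/sh
# Added example. Assumed values (not from the thread): bridge br0,
# collector on OpenFlow port 5, bridge forwards with the NORMAL action.
BRIDGE="${BRIDGE:-br0}"
COLLECTOR_PORT="${COLLECTOR_PORT:-5}"
PRIORITY="${PRIORITY:-1000}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = apply them

# Build one flow spec. tcp_flags=+syn-ack matches segments with SYN set
# and ACK clear, i.e. connection-opening SYNs but not SYN-ACK replies.
# The actions copy the packet to the collector and then let the switch
# forward it as usual, so both happen within a single flow.
syn_mirror_flow() {
    proto="$1"   # tcp (IPv4) or tcp6 (IPv6)
    port="$2"    # OpenFlow port number of the collector
    prio="$3"    # must be higher than the operational flows
    case "$proto" in
        tcp|tcp6) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    case "$prio" in
        ''|*[!0-9]*) echo "priority must be numeric: $prio" >&2; return 1 ;;
    esac
    printf 'priority=%s,%s,tcp_flags=+syn-ack,actions=output:%s,NORMAL\n' \
        "$prio" "$proto" "$port"
}

# Install (or, in dry-run mode, print) the IPv4 and IPv6 mirror flows.
install_syn_mirror() {
    for proto in tcp tcp6; do
        flow=$(syn_mirror_flow "$proto" "$COLLECTOR_PORT" "$PRIORITY") || return 1
        if [ "$DRY_RUN" = 0 ] && command -v ovs-ofctl >/dev/null 2>&1; then
            ovs-ofctl add-flow "$BRIDGE" "$flow"
        else
            echo "ovs-ofctl add-flow $BRIDGE \"$flow\""
        fi
    done
}

install_syn_mirror
```

If the operational flows use explicit output actions rather than NORMAL, the mirror flow would instead need to hand the packet on to those flows, for example by keeping them in a later table and using `resubmit`.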


