Comprehensive Study Guide: VPC Traffic Mirroring and Network Analysis

This guide covers the implementation, configuration, and analysis of network traffic mirroring within an AWS environment, focusing on deep packet inspection (DPI) for security and troubleshooting.

Learning Objectives

After studying this guide, you should be able to:

• Identify the three core components of VPC Traffic Mirroring (Target, Filter, Session).
• Configure a traffic mirroring session from a source ENI to a monitoring destination.
• Differentiate between the use cases for VPC Flow Logs versus VPC Traffic Mirroring.
• Utilize analysis tools like Wireshark and AWS native services (Athena, GuardDuty) to interpret captured packet data.
• Troubleshoot network performance and security issues using packet-level insights.

Key Terms & Glossary

• ENI (Elastic Network Interface): A logical networking component in a VPC that represents a virtual network card.
• Mirror Source: The network interface (ENI) from which traffic is copied.
• Mirror Target: The destination for mirrored traffic, typically another ENI or a Network Load Balancer (NLB).
• Mirror Filter: A set of rules that define which inbound and outbound traffic is captured based on protocol, port, and IP range.
• Mirror Session: The entity that links the source, target, and filter together with configuration settings like packet truncation and VXLAN ID.
• Promiscuous Mode: A mode for a network interface controller that allows it to intercept and read each network packet that arrives in its entirety.

The "Big Idea"

VPC Traffic Mirroring is the transition from metadata-level visibility to content-level visibility. While VPC Flow Logs tell you "who" is talking to "whom" (IPs, ports, protocols), Traffic Mirroring allows you to see the "what" (the actual payload). It is essentially a virtual "TAP" or "SPAN" port in the cloud that enables deep security forensics and complex troubleshooting without installing agents on the source instances.

Formula / Concept Box

Hierarchical Outline

1. Core Components
   • Traffic Mirror Target: Destination for copied traffic (EC2 ENI or NLB).
   • Traffic Mirror Filter: Logic determining what traffic is "interesting."
   • Traffic Mirror Session: The active connection moving traffic from source to target.
2. The Capture Process
   • Source ENI Selection: Any ENI in a supported instance type.
   • Encapsulation: Mirrored packets are encapsulated in VXLAN (UDP Port 4789).
   • Truncation: Option to capture only the first $N$ bytes of a packet to save bandwidth.
3. Analysis Ecosystem
   • Open Source Tools: Wireshark, tcpdump (requires Promiscuous Mode on the target).
   • AWS Native Analysis: S3 + Athena/QuickSight for large-scale query and visualization.
   • Machine Learning: Amazon GuardDuty for automated threat detection (e.g., port scanning).
4. Security and Performance
   • Mitigation: Using WAF, Shield, and Network Firewall based on mirroring insights.
   • Optimization: Identifying packet loss, latency, and bandwidth bottlenecks.

Visual Anchors

Traffic Mirroring Workflow

Packet Flow Concept

\begin{tikzpicture}[scale=0.8] \draw[thick] (0,0) rectangle (3,2) node[pos=.5] {Source ENI}; \draw[thick] (8,0) rectangle (11,2) node[pos=.5] {Target ENI}; \draw[->, blue, thick] (3,1.5) -- (5,1.5) node[above] {Prod Traffic} -- (8,1.5); \draw[->, red, dashed, thick] (3,0.5) -- (5,0.5) node[below] {Mirrored (VXLAN)} -- (8,0.5); \node at (5.5, -1) [text width=6cm, align=center] {\small \textbf{Figure 1:} Mirrored traffic is a copy of the production stream, encapsulated in VXLAN headers.}; \end{tikzpicture}

Definition-Example Pairs

• Traffic Mirror Filter: A set of criteria to select traffic.
  • Example: Creating a filter that only captures traffic on port 443 (HTTPS) to investigate a potential TLS handshake failure.
• Deep Packet Inspection (DPI): The practice of examining the data part of a packet as it passes an inspection point.
  • Example: Using Wireshark to look inside an HTTP POST request to see if a SQL injection string is being sent to a database server.
• VXLAN (Virtual Extensible LAN): The encapsulation protocol used by AWS to deliver mirrored packets.
  • Example: On your analysis instance, you must look for UDP port 4789 traffic to find the mirrored packets wrapped inside.

Worked Examples

Example 1: Isolating Malicious Traffic

Scenario: An administrator suspects an EC2 instance is part of a botnet and is sending out encrypted commands.

1. Target: Configure an EC2 instance running Ubuntu and install tshark.
2. Filter: Create a filter with an Outbound Rule: Protocol: TCP, Destination Port: 0-65535 (All).
3. Session: Create a session targeting the suspect instance's ENI.
4. Analysis: Run sudo tshark -i eth0 -f "udp port 4789".
5. Finding: The administrator sees repeated small packets to a known malicious IP address on a non-standard port, confirming the suspicion.

Checkpoint Questions

1. What is the main advantage of VPC Traffic Mirroring over VPC Flow Logs?
2. Which UDP port is used by AWS to encapsulate mirrored traffic?
3. Why must the destination interface for a packet capture be in promiscuous mode?
4. Name one AWS service that uses machine learning to analyze network traffic and detect threats automatically.

▶Click to see Answers

1. Traffic Mirroring provides the actual packet payload (DPI), whereas Flow Logs only provide metadata (IP/Port/Protocol).
2. UDP Port 4789 (VXLAN).
3. It allows the operating system to process packets not specifically addressed to its own IP address.
4. Amazon GuardDuty.

Muddy Points & Cross-Refs

• Performance Impact: Users often worry that mirroring will slow down the source instance. In AWS, mirroring is performed on the Nitro System hardware, so it does not consume CPU cycles from the EC2 instance itself. However, it does count toward the instance's overall network throughput.
• Cost vs. Visibility: Traffic Mirroring is more expensive than Flow Logs. Use Flow Logs for 24/7 compliance and Mirroring for targeted, point-in-time troubleshooting or high-security forensics.
• MTU Issues: Because VXLAN adds headers, the mirrored packet might exceed the standard 1500-byte MTU. AWS handles this, but it is a common point of confusion during manual packet analysis.

Comparison Tables