I'm wanting to stress test an application I've written that takes in mirrored network traffic using Bro and processes it. I'd like to generate the traffic and present it to Bro in a way that's as similar as possible as what a mirrored switch port would do in production. I'm assuming mirrored packets are encapsulated in an Ethernet packet and sent out the configured egress port, but I don't know the specifics at all.
Can someone explain to me or point me to some documentation that describes the technical specifics of how mirrored packets are encapsulated and sent to the receiving party? My ultimate goal is to write a custom traffic generator to facilitate this unless something already exists. I don't have any captured traffic to replay, so I'm fine with having to craft the actual packets to be mirrored. I just need to figure out how to accurately simulate the mirroring of the packets.
There's no encapsulation involved. If the setup is like this:
... when you configure the sniffer port to mirror the port that A is on, every packet that A sends is copied to the sniffer port, and every packet that the switch forwards to the port A is on is also copied to the sniffer port.
Another way to think of it is as if port A and the mirror are part of a hub, not a switch.
More details can be found in this CISCO doc that the picture is from.