RE: IDS using Taps & network bridging

[Douglas Hart <douglas () eu kddi com>]

For taps the bridge interfaces are receiving traffic only so it doesn't
matter what traffic is forwarded by the bridge. You only want the traffic
received by both bridge interfaces to be available on the logical interface.

Not sure about Linux, but for OpenBSD bridges you can disable Discover
(packets do not exit interfaces) and Learn (source addresses are not entered
into the cache). After flushing the address cache all packets caught by the
two tap interfaces will be seen reassembled on the bridge0 logical
interface.

Doug


> > What I've done so far is:
> > -Install 3 NICs in my box
> > -Bridged eth1 & eth2 to br0
> > -started up the bridge
> > -sniffed br0
> >
> > I see mostly massive amounts of ARP traffic -
> > any help on this would be appreciated.
>
> This is how a bridge should work...unless you determine all 
> MAC addresses in
> use across the whole network and tell your bridge that those 
> mac addresses
> exist on your IDS side of the bridge, you will never see anything but
> broadcast and ARP traffic there.  A bridge only forwards what needs to
> traverse it based on destination MAC address.  Remember too 
> that a switch is
> just a bunch of bridges and you will see the same behavior on 
> any port of a
> switch unless you designate that port as a network monitor port.