IDS mailing list archives
RE: port bonding and taps
From: "Bradberry, John" <BradberryJ () aafes com>
Date: Thu, 2 Oct 2003 14:31:58 -0500
Hello:

I've found the channel-bonding method to be very useful on Linux based systems. On a RH 9 system, documentation is provided in the file "bonding.txt". On my system running a 2.4.20-8 kernel, it is found here:

    /usr/src/linux-2.4.20-8/Documentation/networking/bonding.txt

For FreeBSD based systems, the Netgraph Fast Ether-Channel kernel module (ng_fec.ko) can be used to aggregate traffic from multiple physical interfaces onto a "virtual" pseudo interface. We use this method to rebuild full-duplex connections from the half-duplex data streams generated by an Ethernet tap. A single process [tcpdump, snort, etc.] may be used to capture packets from the pseudo interface.

Jerry Lundy of The Greentree Group researched the Netgraph system and compiled this documentation for using the ng_fec.ko module on a FreeBSD system:

[1] Fetch the latest kernel sources [we're using RELENG_4_9]. Add this line to your kernel config and build a new kernel:

    options NETGRAPH

[2] Build the ng_fec module:

    # cd /usr/src/sys/modules/netgraph/fec/
    # make && make install

[3] Load the module:

    # kldload /usr/src/sys/modules/netgraph/fec/ng_fec.ko

You can confirm that the ng_fec.ko module is loaded by using the kldstat command. You should see something very similar to this:

    # kldstat
    Id Refs Address    Size   Name
     1    4 0xc0100000 400f44 kernel
     3    3 0xc518e000 9000   netgraph.ko
     4    1 0xc518a000 3000   ng_socket.ko
     5    1 0xc519d000 3000   ng_fec.ko

[4] Create one or more pseudo fec interfaces:

    # ngctl mkpeer fec dummy fec

This step will create a fec0 device. Check it with ifconfig -a. Other pseudo interfaces, fec1, fec2, fec3, etc., can be created using the same command.

[5] Bind physical interfaces to the pseudo devices. In this example, we've got 2 pseudo devices [fec], and 8 physical interfaces [dc]. Our site uses quad-port AEI P430TX interfaces. Be careful to include the single + double quotes just like the example:

    # ngctl msg fec0: add_iface '"dc0"'
    # ngctl msg fec0: add_iface '"dc1"'
    # ngctl msg fec0: add_iface '"dc2"'
    # ngctl msg fec0: add_iface '"dc3"'
    # ngctl msg fec1: add_iface '"dc4"'
    # ngctl msg fec1: add_iface '"dc5"'
    # ngctl msg fec1: add_iface '"dc6"'
    # ngctl msg fec1: add_iface '"dc7"'

[6] Set the capture mode for each pseudo interface. You may wish to experiment with the mode type:

    # ngctl msg fec0: set_mode_inet
    # ngctl msg fec0: set_mode_mac
    # ngctl msg fec0: set_mode_inet6

[7] Set all physical and pseudo interfaces to promiscuous mode.

    # ifconfig INTERFACE_NAME promisc

[8] Bring up the pseudo device[s] and try it!

    # ifconfig fec0 up
    # ifconfig fec1 up

You should be able to run tcpdump -n -i fec0 and see the aggregate traffic.

We use a shell script to create and configure the pseudo devices at startup. If you would like a copy of the script, contact me.

Best regards.

John Bradberry
The Greentree Group

-----Original Message-----
From: John Flynn [mailto:johnflynn () fastmail fm]
Sent: Wednesday, October 01, 2003 1:54 PM
To: focus-ids () securityfocus com
Subject: port bonding and taps

Hi all,

I'm trying to set up various snort boxes, both on fiber and copper taps. In order to reconstruct both sides of the stream I understand that one needs to use multiple cards since the tap outputs the tx and rx on separate channels. The problem is that to make snort alert correctly one really has to aggregate the directions. This is commonly done using a spanning port, but we do not have enough of those at our facility to go around. In linux (and in general) it seems this idea is called port bonding. There is a bonding kernel module for linux and appropriate commands for setting this up (ifenslave etc), but it seems to be very poorly documented. I have tried to set up bonding multiple times and could not seem to get it to work.

Does anyone have good documentation on how to do this type of set up, or perhaps a better way to do snort+taps without using a spanning port?

Thanks,
John Flynn
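A startup script of the kind the message mentions, written here as an added example (it is not John Bradberry's or The Greentree Group's script) that walks steps [4] through [8] for every pseudo interface in one mapping. It assumes NETGRAPH is in the kernel and ng_fec.ko is already loaded, and reuses the dc0..dc7 / fec0, fec1 layout from the message; the FEC_MAP, MODE and DRY_RUN names are this example's own.

```shell
#!/bin/sh
# Constructed example: create and configure ng_fec pseudo interfaces at
# startup (steps [4]-[8] of the message). Assumes NETGRAPH in the kernel and
# ng_fec.ko already loaded (steps [1]-[3]). Edit FEC_MAP for your tap layout.

# One line per pseudo interface: "<fec unit> <physical interfaces>".
# List the fec units in order: each "mkpeer" creates the next unit number.
FEC_MAP='fec0 dc0 dc1 dc2 dc3
fec1 dc4 dc5 dc6 dc7'
# Capture mode; the message also mentions set_mode_mac and set_mode_inet6.
MODE=${MODE:-set_mode_inet}
# Without ngctl (e.g. on a non-FreeBSD host) only print the plan, never run it.
command -v ngctl >/dev/null 2>&1 || DRY_RUN=1

# Print the commands for one pseudo interface, one per line, without running
# them. Keeping this a pure function lets the plan be inspected and tested.
fec_plan() {
    fec=$1; shift
    echo "ngctl mkpeer fec dummy fec"
    for phys in "$@"; do
        # ngctl needs the interface name double-quoted inside single quotes.
        echo "ngctl msg ${fec}: add_iface '\"${phys}\"'"
        echo "ifconfig ${phys} promisc"
    done
    echo "ngctl msg ${fec}: ${MODE}"
    echo "ifconfig ${fec} promisc"
    echo "ifconfig ${fec} up"
}

# Read commands from stdin and run (or, in DRY_RUN mode, print) each one.
# Stops at the first failure so a half-built bond is not left unnoticed.
run_plan() {
    while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Apply the plan for every pseudo interface listed in FEC_MAP.
fec_apply() {
    printf '%s\n' "$FEC_MAP" | while read -r fec ifaces; do
        [ -n "$fec" ] || continue
        # $ifaces is unquoted on purpose: one argument per physical interface.
        fec_plan "$fec" $ifaces | run_plan || exit 1
    done
}

fec_apply
```

Run it with DRY_RUN=1 first to review the exact ngctl and ifconfig commands before applying them on the sensor.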