IDS mailing list archives

RE: port bonding and taps


From: "Bradberry, John" <BradberryJ () aafes com>
Date: Thu, 2 Oct 2003 14:31:58 -0500

Hello:

I've found the channel-bonding method to be very useful on Linux based
systems.  On a RH 9 system, documentation is provided in the file
"bonding.txt".  On my system running a 2.4.20-8 kernel, it is found
here:

/usr/src/linux-2.4.20-8/Documentation/networking/bonding.txt

For FreeBSD based systems, the Netgraph Fast Ether-Channel kernel module
(ng_fec.ko) can be used to aggregate traffic from multiple physical
interfaces onto a "virtual" pseudo interface.  We use this method to
rebuild full-duplex connections from the half-duplex data streams
generated by an Ethernet tap.  A single process [tcpdump, snort, etc.]
may be used to capture packets from the pseudo interface.

Jerry Lundy of The Greentree Group researched the Netgraph system and
compiled this documentation for using the ng_fec.ko module on a FreeBSD
system:

[1] Fetch the latest kernel sources [we're using RELENG_4_9].  Add this
line to your kernel config and build a new kernel:

options         NETGRAPH

[2] Build the ng_fec module:

# cd /usr/src/sys/modules/netgraph/fec/
# make && make install

[3] Load the module:

# kldload /usr/src/sys/modules/netgraph/fec/ng_fec.ko

You can confirm that the ng_fec.ko module is loaded by using the kldstat
command.  You should see something very similar to this:
# kldstat
Id Refs Address    Size     Name
 1    4 0xc0100000 400f44   kernel
 3    3 0xc518e000 9000     netgraph.ko
 4    1 0xc518a000 3000     ng_socket.ko
 5    1 0xc519d000 3000     ng_fec.ko

[4] Create one or more pseudo fec interfaces:

# ngctl mkpeer fec dummy fec

This step will create a fec0 device.  Check it with ifconfig -a.  Other
pseudo interfaces, fec1, fec2, fec3, etc., can be created using the same
command.

[5] Bind physical interfaces to the pseudo devices.  In this example,
we've got 2 pseudo devices [fec], and 8 physical interfaces [dc].  Our
site uses quad-port AEI P430TX interfaces.  Be careful to include the
single + double quotes just like the example:

# ngctl msg fec0: add_iface '"dc0"'
# ngctl msg fec0: add_iface '"dc1"'
# ngctl msg fec0: add_iface '"dc2"'
# ngctl msg fec0: add_iface '"dc3"'
# ngctl msg fec1: add_iface '"dc4"'
# ngctl msg fec1: add_iface '"dc5"'
# ngctl msg fec1: add_iface '"dc6"'
# ngctl msg fec1: add_iface '"dc7"'

[6] Set the capture mode for each pseudo interface.  You may wish to
experiment with the mode type:

# ngctl msg fec0: set_mode_inet
# ngctl msg fec0: set_mode_mac
# ngctl msg fec0: set_mode_inet6

[7] Set all physical and pseudo interfaces to promiscuous mode.

# ifconfig INTERFACE_NAME promisc

[8] Bring up the pseudo device[s] and try it!

# ifconfig fec0 up
# ifconfig fec1 up

You should be able to run tcpdump -n -i fec0 and see the aggregate
traffic.

We use a shell script to create and configure the pseudo devices at
startup.  If you would like a copy of the script, contact me.

Best regards.

John Bradberry
The Greentree Group

-----Original Message-----
From: John Flynn [mailto:johnflynn () fastmail fm] 
Sent: Wednesday, October 01, 2003 1:54 PM
To: focus-ids () securityfocus com
Subject: port bonding and taps

Hi all,

I'm trying to set up various snort boxes, both on fiber and copper taps.
In order to reconstruct both sides of the stream I understand that one
needs to use multiple cards since the tap outputs the tx and rx on
separate channels. The problem is that to make snort alert correctly one
really has to aggregate the directions. This is commonly done using a
spanning port, but we do not have enough of those at our facility to go
around. In linux (and in general) it seems this idea is called port
bonding. There is a bonding kernel module for linux and appropriate
commands for setting this up (ifenslave etc), but it seems to be very
poorly documented. I have tried to set up bonding multiple times and
could not seem to get it to work. Does anyone have good documentation on
how to do this type of set up, or perhaps a better way to do snort+taps
without using a spanning port?
Thanks,
John Flynn
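
The reply above mentions a startup script but does not include it. As an added example that is not that script, here is one way to automate steps [4] to [8] in POSIX sh; it assumes a FreeBSD host where NETGRAPH and ng_fec.ko are already set up as in steps [1] to [3], and DRY_RUN and FEC_MODE are variables introduced here, not ngctl options.

```shell
#!/bin/sh
# Added example, not the startup script mentioned in the post.  Automates
# steps [4] to [8] for one ng_fec pseudo interface on FreeBSD.  Assumes
# NETGRAPH is in the kernel and ng_fec.ko is loaded (steps [1] to [3]).
# DRY_RUN and FEC_MODE are names introduced here, not ng_fec or ngctl options.
#   DRY_RUN=1  print the commands instead of executing them
#   FEC_MODE   inet (default), mac or inet6, matching set_mode_* in step [6]

: "${DRY_RUN:=0}"
: "${FEC_MODE:=inet}"

# Execute a command, or print it when DRY_RUN=1.  Arguments that contain
# double quotes are shown wrapped in single quotes so the printed line can
# be pasted back into a shell and still reach ngctl with the quotes intact.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        out=""
        for a in "$@"; do
            case $a in
                *\"*) out="$out '$a'" ;;
                *)    out="$out $a" ;;
            esac
        done
        printf '%s\n' "${out# }"
    else
        "$@"
    fi
}

# build_fec FECNAME PHYSIF...  e.g. build_fec fec0 dc0 dc1 dc2 dc3
build_fec() {
    fec=$1; shift
    # [4] create the pseudo interface (ngctl assigns the next free fecN)
    run ngctl mkpeer fec dummy fec
    # [5] bind each physical interface; the name must reach ngctl in
    #     double quotes, hence the escaped quotes in the argument
    for phys in "$@"; do
        run ngctl msg "${fec}:" add_iface "\"${phys}\""
        # [7] physical interfaces go promiscuous so both tap halves are seen
        run ifconfig "$phys" promisc
    done
    # [6] capture mode for the pseudo interface
    run ngctl msg "${fec}:" "set_mode_${FEC_MODE}"
    # [7] and [8] promiscuous mode on the pseudo device, then bring it up
    run ifconfig "$fec" promisc
    run ifconfig "$fec" up
}
# Usage: sh fec-bond.sh fec0 dc0 dc1 dc2 dc3   (run once per pseudo device)
[ $# -eq 0 ] || build_fec "$@"
```

Run it once per pseudo device with DRY_RUN=1 first to review the exact ngctl and ifconfig lines before they touch the sensor.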
