Snort mailing list archives

Re: dual interface?


From: Bennett Todd <bet () rahul net>
Date: Thu, 24 Oct 2002 13:28:44 -0400

2002-10-24-11:28:04 Daniel Curry:
 I had lost the email that gave information
on how to configure snort to see two, eth2 and eth3,
promiscuous interfaces on a redhat 7.2 system?

I think you're perhaps talking about this?

------------------------------------------------------------------------------

Version 1.2 --- that promisc is only needed on the bond0 interface

Version 1.1 --- need to explicitly "promisc" on the ifconfigs;
        snort's putting the -i bond0 into promisc didn't propagate
        back through to the underlying eth interfaces.

------------------------------------------------------------------------------

In Red Hat 7.3, with the default 2.4.18-3 kernel, it's really easy
to bond multiple channels to snort them all. The technique is
documented in /usr/src/linux/Documentation/networking/bonding.txt.
In brief:

        # append (">>"), so existing aliases in modules.conf are not wiped out
        grep bond0 /etc/modules.conf || echo alias bond0 bonding >>/etc/modules.conf
        # promisc must be set on bond0 before enslaving; it is copied to slaves at ifenslave time
        ifconfig bond0 promisc up
        for iface in eth1 eth2 ...;do
                ifconfig $iface up
                ifenslave bond0 $iface
        done
        snort ... -i bond0 ...

Works great. The ifenslave invocations whinge a bit about all the
things they can't do with the unnumbered interfaces, but it all
works.

I used 3 Compaq DL-320s for a test setup. Each of these comes with
two eepro100 interfaces; in one I've added a third such interface in
the PCI slot. On each box the eth0 is the mgmt interface (NB when
you add a PCI card eepro100 it becomes eth0 and the two builtin NICs
renumber to eth1 and eth2).

Besides running the eth0 interfaces to a hub, I tied the two eth1s
from the dual-interface traffic generators to the eth1 and eth2
builtins on the 3-interface box, with crossover cables, running
100BaseT. I used the above invocations to get snort cooking with
its default sigs, listening to bond0 with eth1 and eth2 enslaved to
it. Snort sat idle. I fired up a ping -f on one of the generators
and snort jumped up to 25% CPU; then launched ping -f on the
other generator and it jumped to 55%. Each generator was emitting
c. 20,000 packets/second, default ping packet size (64 bytes).

When I next tried tcpreplay[1], all was not as happy, until I
stumbled across the above-mentioned need to promisc the bond0
interface manually as you're ifconfigging it. Actually, what I first
did was ifconfig both the bond0 and the underlying eth# interfaces
promisc; that worked too, but was overkill. When I inquired about
this matter on the bonding-devel mailing list, they explained to me
that flags like promisc _Are_ propagated down to the underlying
interfaces, but only at ifenslave time, not later.

Once I got that, things got lots better. Do remember when
benchmarking with tcpreplay to make sure to tcpdump -s 0, so you
aren't using captures with truncated packets.
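A post-setup check for the bonding recipe and the promisc caveat above, added here as an example (not from the original mail): it parses old net-tools ifconfig output and reports bond0 or any SLAVE interface that is missing the PROMISC flag, which is exactly what happens when an interface is enslaved before bond0 is put into promiscuous mode. The sample output is constructed, and the `missing_promisc` function name is my own.

```shell
#!/bin/sh
# Confirm that bond0 and every enslaved interface really carry the PROMISC
# flag, since the flag is copied to the slaves only at ifenslave time.
# Parses the old net-tools ifconfig layout (Red Hat 7.x era).

# Constructed sample output (not captured from a real box): eth2 was enslaved
# before bond0 was put into promisc mode, so it missed the flag.
SAMPLE_IFCONFIG='bond0     Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1'

# missing_promisc IFCONFIG_TEXT
# Prints each interface that should be promiscuous (bond0 or any SLAVE) but
# is not; exit status 0 when nothing is missing, 1 otherwise.
missing_promisc() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^[A-Za-z]/ { name = $1; next }        # interface header line
        /MTU:/ {                               # flag line of the current interface
            if (name == "bond0" || $0 ~ /SLAVE/) {
                if ($0 !~ /PROMISC/) { print name; bad = 1 }
            }
        }
        END { exit bad }'
}

# On a live box: missing_promisc "$(ifconfig)" || echo "re-run ifenslave after promisc"
```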

-Bennett

[1] <URL:http://tcpreplay.sf.net/>
