Snort mailing list archives

Combining two FreeBSD interfaces using Netgraph, part 2


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 22 Dec 2003 11:04:10 -0800 (PST)

Hello all,

People often ask how to combine two tap outputs such
that they can be monitored as a single stream.  

Previously I posted a way to bond two interfaces using
FreeBSD's netgraph facility and ng_one2many.  That
initial method "wasted" a real third interface against
which a sniffing program would be run:

http://www.mcabee.org/lists/snort-users/Jun-03/msg00442.html

Recently I developed a way to bond two interfaces
using ng_fec that created a virtual fec0 interface:

http://taosecurity.blogspot.com/2003_12_01_taosecurity_archive.html#107110063100416999

I was advised that using ng_one2many was a better idea
because ng_fec wasn't considered to be very stable,
although I've used it successfully for the last three
weeks.

Today I figured out how to create a virtual third
interface and use it with ng_one2many.  Here's how:

--
#!/bin/sh
# sf2 and sf3 are real interfaces which receive tap outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up
--

The various ngctl statements automatically load the
required KLDs, although ng_ether must be loaded first
as noted.  The result looks like:

bourque# kldstat
Id Refs Address    Size     Name
 1    6 0xc0100000 43d388   kernel
 2    1 0xc20d4000 3000     ng_ether.ko
 3    3 0xc20d8000 9000     netgraph.ko
 4    1 0xc20e8000 3000     ng_socket.ko
 5    1 0xc20ec000 3000     ng_eiface.ko
 6    1 0xc20ef000 3000     ng_one2many.ko

Sniffing works:

bourque# tcpdump -n -i ngeth0 icmp
tcpdump: WARNING: ngeth0: no IPv4 address assigned
tcpdump: listening on ngeth0
13:42:49.322474 86.84.6.72 > 216.239.39.99: icmp: echo request
13:42:49.340745 216.239.39.99 > 86.84.6.72: icmp: echo reply

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
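As an added example (not part of Richard's post), a small POSIX sh script that generalizes the recipe above to any number of tap interfaces, one many<N> hook per tap, and checks kldstat output for the modules the post shows loaded before sniffing starts. The third interface name and the kldstat sample are constructed; it only prints commands and never runs ngctl itself.

```shell
#!/bin/sh
# Added example, not part of the original post. Emits the ng_one2many
# recipe for any number of tap interfaces and checks kldstat output
# for the modules the post shows loaded. Nothing here touches the
# kernel: review the printed commands before running them.

# Print the commands that bond the given interfaces into ngeth0.
# Each tap gets its own many<N> hook on the one2many node.
bond_commands() {
    n=0
    echo "kldload ng_ether"
    for ifc in "$@"; do
        echo "ifconfig $ifc promisc -arp up"
    done
    echo "ngctl mkpeer . eiface hook ether"
    echo "ngctl mkpeer ngeth0: one2many lower one"
    for ifc in "$@"; do
        echo "ngctl connect $ifc: ngeth0:lower lower many$n"
        n=$((n + 1))
    done
    echo "ifconfig ngeth0 -arp up"
}

# Read kldstat output on stdin; print each required module that is
# not loaded (prints nothing when the whole graph can be built).
missing_klds() {
    loaded=" $(awk 'NR > 1 { print $NF }' | tr '\n' ' ') "
    for m in ng_ether.ko netgraph.ko ng_socket.ko ng_eiface.ko ng_one2many.ko; do
        case "$loaded" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Constructed kldstat sample (hypothetical host): only two modules loaded.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    6 0xc0100000 43d388   kernel
 2    1 0xc20d4000 3000     ng_ether.ko
 3    3 0xc20d8000 9000     netgraph.ko'

bond_commands sf2 sf3 sf4           # three taps instead of two (sf4 is made up)
printf '%s\n' "$SAMPLE_KLDSTAT" | missing_klds
```

Run the checker against real `kldstat` output first; an empty result means every module the post lists is present.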
