Re: Listening on multiple devices in promiscous

[Alexander Dupuy <dupuy () sysd com>]

Peter Sandford wrote:
> I need to capture from 2 interfaces on a machine in promiscuous mode.
> This is because we are routing a copy of 2 load balanced streams onto a
> box for monitoring.
>  
> I'm aware it isn't possible (?) to listen on "any" with a pcap_open_live
> in promiscuous as the flag is ignored, but is there a way of listening
> on a set of interfaces in promiscuous mode?

Although you can't enable promiscuous mode on the "any" interface, enabling it 
on each of the direct interfaces will result in the "any" interface receiving 
all the traffic from each of the individual interfaces in promiscuous mode.

Since you mention the "any" interface, which is a Linux-ism, if your machine is 
a recent Linux system, you may be able to use another approach as well: 
ethernet bonding, which creates a virtual interface that aggregates the traffic 
on the two interfaces.  This is different from "any" since the "enslaved" 
interfaces are no longer tied into the upper layer networking code; they simply 
hand over traffic to the virtual aggregate interface.  (I think you can use 
tcpdump (packet sockets) on the individual interfaces, since they work at the 
link layer, but I'm not sure).

A google search on ethernet bonding will turn up pages like 
http://linux-ip.net/html/ether-bonding.html that do a decent job of explaining 
how to set this up.  If you do something like this, you will probably want to 
use a High Availability approach to avoid sending packets out both enslaved 
interfaces, instead using only one.  An even better approach would be to leave 
the interface without upper layer (IP) addresses, and use it as a passive-only 
device.

@alex
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.