Richard Bejtlich wrote:

Can anyone offer advice on how to combine the traffic from two
separate NICs and have them be treated as a single virtual interface
under FreeBSD -- for purposes of running tcpdump or snort?

For example, if I use a tap to monitor traffic, is there a way for the
two lines out from the tap to be seen as a single interface?

Currently I send both lines out to a hub, and run a cable from the hub
to one NIC on my FreeBSD 5.0 RELEASE monitoring platform.

Based on a post by J. Nielsen about using netgraph and this article, I tried
the following.

My box has interfaces ed1, dc0, and dc1. ed1 is the management
interface. I want to combine dc0 and dc1 into a single virtual
interface to sniff traffic. dc0 was configured by /etc/rc.conf to be
up and have an IP address at boot, while dc1 was not.


ifconfig dc1 up
kldload /boot/kernel/ng_ether.ko
kldload /boot/kernel/ng_one2many.ko
ngctl mkpeer dc0: one2many upper one
ngctl connect dc0: dc0:upper lower many0
ngctl connect dc1: dc0:upper lower many1
ngctl msg dc1: setpromisc 1
ngctl msg dc1: setautosrc 0
ngctl msg dc0:upper setconfig "{xmitAlg=1 failAlg=1 enabledLinks =[ 1 1 ] }"


No errors occurred, but how do I proceed? How do I access the virtual
interface? Sniffing against dc0 shows only what dc0 sees, not what
dc0 and dc1 might see together. Sniffing against dc1 shows only what
dc1 sees.

I also heard vlan(4) might be of use. Any thoughts on that?

Thank you very much,

Richard Bejtlich

You want to look into bridging.
This will help you get it set up and you can just ignore the filter part of it if you don't want to run a firewall on it.

ng_one2many is for combining interfaces into a single interface for increased bandwidth. VLANs could work but only if you are running a switch that supports VLAN trunking.

Considering hubs flood traffic to all ports, you could just use a single interface and bring it up, without an address, in promiscuous mode and you should see most traffic.

Daniel Schrock, CCNA
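
One offline way to get the single combined view the question asks for, as an added example that is not from either poster: capture each tap leg to its own pcap file (for instance with tcpdump -w on dc0 and on dc1) and merge the two files by timestamp. The sample frames and the DC0/DC1 names are constructed, and the merge assumes both captures were stamped by the same host clock.

```python
import heapq
import struct

# Classic pcap layout: 24-byte global header, then a 16-byte header per packet.
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, captured length, original length
MAGIC_LE_USEC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def read_records(blob):
    """Yield (ts_sec, ts_usec, orig_len, frame) from a little-endian pcap byte string."""
    magic, _maj, _min, _zone, _sig, _snap, linktype = PCAP_GLOBAL.unpack_from(blob, 0)
    if magic != MAGIC_LE_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian, microsecond, Ethernet pcap")
    offset = PCAP_GLOBAL.size
    while offset < len(blob):
        if offset + PCAP_RECORD.size > len(blob):
            raise ValueError("truncated record header")
        sec, usec, caplen, origlen = PCAP_RECORD.unpack_from(blob, offset)
        start = offset + PCAP_RECORD.size
        frame = blob[start:start + caplen]
        if len(frame) != caplen:  # capture was cut off mid-packet
            raise ValueError("truncated packet data")
        offset = start + caplen
        yield sec, usec, origlen, frame

def write_pcap(records, snaplen=65535):
    """Serialize records into a pcap byte string that tcpdump -r or snort -r can read."""
    out = [PCAP_GLOBAL.pack(MAGIC_LE_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, origlen, frame in records:
        out.append(PCAP_RECORD.pack(sec, usec, len(frame), origlen) + frame)
    return b"".join(out)

def merge_captures(*blobs):
    """Interleave per-NIC captures into one stream ordered by timestamp."""
    # Each capture is already time-ordered, so a k-way merge is sufficient.
    streams = [read_records(b) for b in blobs]
    return write_pcap(heapq.merge(*streams, key=lambda r: (r[0], r[1])))

# Constructed sample: the dc0 leg carries client-to-server frames, dc1 the replies.
def sample_frame(tag):
    return bytes(12) + b"\x08\x00" + tag  # zeroed MACs, EtherType IPv4, dummy payload

DC0 = write_pcap([(100, 10, 17, sample_frame(b"SYN")), (100, 300, 17, sample_frame(b"ACK"))])
DC1 = write_pcap([(100, 150, 20, sample_frame(b"SYNACK"))])

if __name__ == "__main__":
    for sec, usec, _orig, frame in read_records(merge_captures(DC0, DC1)):
        print(f"{sec}.{usec:06d} {frame[14:].decode()}")
```

Frames that arrive on the two legs within the clock's resolution can still come out in either order, so stream reassembly on the merged file is only as good as the capture timestamps.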
