On 20-03-2014 19:21, Don Jackson wrote:
> On Mar 20, 2014, at 2:14 PM, Giancarlo Razzolini <[email protected]> wrote:
>
>> On 20-03-2014 17:12, Don Jackson wrote:
>>> I’m attempting to monitor traffic on my LAN, I have inserted a
>>> non-aggregating network tap between my firewall (not openbsd) and my enet
>>> switch.
>>> I wired the two monitor ports of the network tap to two ethernet interfaces
>>> (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
>>> this machine is the regular network port.
>>> I’m attempting to configure pf etc. in order to facilitate monitoring and
>>> analyzing the traffic on my lan.
>>> I started with just the em2 interface and associated tap output, which
>>> monitors traffic from my LAN to the firewall.
>>> AFAICT, the interfaces I use for this monitoring need to be “UP” and in
>>> “PROMISC” (promiscuous) mode, correct?
>>> So far, the only way I know I can do that is by adding the interface to a
>>> bridge. Is there another/better way?
>> You could implement some sort of daemon that puts the interfaces in
>> promiscuous mode using the pcap library. Or running a tmux+tcpdump. A
>> bridge can also work, but it introduces complexity, especially when
>> filtering the packets.
> Based on further experiments motivated by your suggestions, I have concluded
> that I’ve been using the wrong tool(s) for the job.
>
> Since I’m using the OpenBSD box to just read all packets on an interface, I
> shouldn’t be using pf/pflog/pflow at all, I should just focus on apps like
> tcpdump that open the interface directly, and read what they want. Some
> network monitoring packages (i.e. argus) seem to have their own tcpdump-like
> apps for reading network interfaces.
>
> If the box in question was the router/firewall, then obviously I could/should
> use pf/pflog/pflow to extract the info passing through/by that I would want
> to monitor.
>
> Thank you for kludging me in the right direction.
>
> Don
>
Yes, this is even better (and simpler). I believed that you needed to use netflow, because I thought your switch was sending netflow data, not all packets itself. Reading your mail again, I realized this. But then again, is there any particular reason why the OpenBSD machine isn't the router/gateway for your network(s)? I believe that there are very few, if any, cases where an OpenBSD firewall wouldn't do the job.
Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
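Following the thread's conclusion (read the tap traffic with tcpdump-style tools rather than pf), here is an added example that is not part of the thread: it parses two `tcpdump -w` captures, one per tap monitor port (em2 carrying LAN-to-firewall traffic, em3 the reverse), and merges them into per-LAN-host byte counters. The pcap/frame builders, hosts and addresses at the bottom are constructed for the example only.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4   # little-endian pcap file, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type, as written by tcpdump -w on an em(4) interface

def pcap_frames(data):
    """Yield raw link-layer frames from an in-memory pcap file (tcpdump -w format)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("expected a little-endian Ethernet pcap file")
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def ipv4_endpoints(frame):
    """Return (src, dst, ip_total_length) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]    # IP total length field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, total_len

def summarize_tap(lan_to_fw, fw_to_lan):
    """Merge the two one-way tap captures into {lan_host: {"out": bytes, "in": bytes}}."""
    stats = {}
    for data, direction in ((lan_to_fw, "out"), (fw_to_lan, "in")):
        for frame in pcap_frames(data):
            ep = ipv4_endpoints(frame)
            if ep is None:
                continue                         # ARP, IPv6, etc. are ignored here
            src, dst, n = ep
            host = src if direction == "out" else dst   # the LAN side of the flow
            stats.setdefault(host, {"out": 0, "in": 0})[direction] += n
    return stats

# --- constructed sample captures (not real traffic) ---
def build_frame(src, dst, payload_len):
    """Minimal Ethernet + IPv4/UDP-less header with a zero payload; checksum left 0."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * payload_len

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

With real data, replace the constructed captures with the files written by `tcpdump -i em2 -w` and `tcpdump -i em3 -w`.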

