Richard Bejtlich wrote:
Hello,
Can anyone offer advice on how to combine the traffic from two
separate NICs and have them be treated as a single virtual interface
under FreeBSD -- for purposes of running tcpdump or snort?
For example, if I use a tap to monitor traffic, is there a way for the
two lines out from the tap to be seen as a single interface?
Currently I send both lines out to a hub, and run a cable from the hub
to one NIC on my FreeBSD 5.0 RELEASE monitoring platform.
Based on a post by J. Nielsen about using netgraph and this article (http://bsdvault.net/sections.php?op=viewarticle&artid=98), I tried
the following.
My box has interfaces ed1, dc0, and dc1. ed1 is the management
interface. I want to combine dc0 and dc1 into a single virtual
interface to sniff traffic. dc0 was configured by /etc/rc.conf to be
up and have an IP address at boot, while dc1 was not.
---
ifconfig dc1 up
kldload /boot/kernel/ng_ether.ko
kldload /boot/kernel/ng_one2many.ko
ngctl mkpeer dc0: one2many upper one
ngctl connect dc0: dc0:upper lower many0
ngctl connect dc1: dc0:upper lower many1
ngctl msg dc1: setpromisc 1
ngctl msg dc1: setautosrc 0
ngctl msg dc0:upper setconfig "{xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 ] }"
---
No errors occurred, but how do I proceed? How do I access the virtual
interface? Sniffing against dc0 shows only what dc0 sees, not what
dc0 and dc1 might see together. Sniffing against dc1 shows only what
dc1 sees.
I also heard vlan(4) might be of use. Any thoughts on that?
Thank you very much,
Richard Bejtlich
You want to look into bridging.
http://ezine.daemonnews.org/200211/ipfilter-bridge.html
This will help you get it set up, and you can just ignore the filter part of it if you don't want to run a firewall on it.
ng_one2many is for combining interfaces into a single interface for increased bandwidth. VLANs could work, but only if you are running a switch that supports VLAN trunking.
Considering hubs flood traffic to all ports, you could just use a single interface and bring it up, without an address, in promiscuous mode, and you should see most traffic.
Daniel Schrock, CCNA
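A software-side way to get the "single interface" view the original question asks for, added here as an example and not part of either post above: capture each tap leg on its own NIC (for instance `tcpdump -i dc0 -w legA.pcap` and `tcpdump -i dc1 -w legB.pcap`) and merge the two files into one timeline afterwards, which is what tcpdump or snort would have seen on a combined interface. The pcap reader and writer below, the `merge_captures` function and the sample frames are all constructed for this example; the merger refuses to combine captures whose link types differ, since an Ethernet capture and a raw-IP capture cannot share one file.

```python
import heapq
import struct

# Classic libpcap file layout (little-endian, microsecond timestamps).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame_bytes) records into a pcap byte string."""
    chunks = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in records:
        chunks.append(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
        chunks.append(frame)
    return b"".join(chunks)


def read_pcap(data):
    """Parse a pcap byte string into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    offset = GLOBAL_HDR.size
    records = []
    while offset + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, offset)
        offset += REC_HDR.size
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        records.append((ts_sec, ts_usec, frame))
    return linktype, records


def merge_captures(*captures):
    """Merge pcap byte strings (one per tap leg) into one time-ordered pcap.

    Each input must already be in timestamp order, as a live tcpdump -w file is.
    Ties are broken by input position so the output is deterministic.
    """
    parsed = [read_pcap(cap) for cap in captures]
    linktypes = {linktype for linktype, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types: %s" % sorted(linktypes))
    streams = [
        [((ts_sec, ts_usec, idx), ts_sec, ts_usec, frame) for ts_sec, ts_usec, frame in recs]
        for idx, (_, recs) in enumerate(parsed)
    ]
    merged = [(ts_sec, ts_usec, frame) for _, ts_sec, ts_usec, frame in heapq.merge(*streams)]
    return write_pcap(merged, linktype=linktypes.pop())


def frame(marker):
    """Constructed minimal Ethernet frame: dst MAC, src MAC, IPv4 ethertype, one marker byte."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + bytes([marker])


# Constructed sample: leg A (one tap output) and leg B (the other), each recorded
# by its own tcpdump -w, so each file is internally ordered but neither is complete.
LEG_A = write_pcap([(1000, 0, frame(1)), (1000, 200, frame(3))])
LEG_B = write_pcap([(1000, 100, frame(2)), (1000, 300, frame(4))])


def merged_sequence(legs=(LEG_A, LEG_B)):
    """Return the marker bytes of the merged capture in timeline order."""
    _, records = read_pcap(merge_captures(*legs))
    return [fr[-1] for _, _, fr in records]


if __name__ == "__main__":
    print(merged_sequence())  # -> [1, 2, 3, 4]
```

The merge relies on both capturing hosts sharing one clock, which is the case when both NICs sit in the same FreeBSD box as in the question; captures taken on different machines need clock correction before the interleaving is trustworthy.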