From owner-freebsd-questions@FreeBSD.ORG  Thu Sep 13 22:27:18 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 88A1C16A469
	for <freebsd-questions@freebsd.org>;
	Thu, 13 Sep 2007 22:27:18 +0000 (UTC)
	(envelope-from erik@cepheid.org)
Received: from mail.cepheid.org (wintermute.cepheid.org [64.92.165.98])
	by mx1.freebsd.org (Postfix) with ESMTP id 6467713C46E
	for <freebsd-questions@freebsd.org>;
	Thu, 13 Sep 2007 22:27:18 +0000 (UTC)
	(envelope-from erik@cepheid.org)
Received: by mail.cepheid.org (Postfix, from userid 1006)
	id 7BC7917134; Thu, 13 Sep 2007 17:27:17 -0500 (CDT)
Date: Thu, 13 Sep 2007 17:27:17 -0500
From: Erik Osterholm <freebsd-lists-erik@erikosterholm.org>
To: Brian McCann <bjmccann@gmail.com>
Message-ID: <20070913222717.GB2632@idoru.cepheid.org>
Mail-Followup-To: Erik Osterholm <freebsd-lists-erik@erikosterholm.org>,
	Brian McCann <bjmccann@gmail.com>,
	freebsd-questions <freebsd-questions@freebsd.org>
References: <2b5f066d0709130929w7c4aa02ax4bc25282ff7122c5@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2b5f066d0709130929w7c4aa02ax4bc25282ff7122c5@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Bridging and port mirroring
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Sep 2007 22:27:18 -0000

On Thu, Sep 13, 2007 at 12:29:30PM -0400, Brian McCann wrote:
> I've poked around on the web, but come up empty.  And I find it hard
> to believe there's not a simple way to do this, if it hasn't been done
> before.
> 
> I've got a server with two nics configured for bridging and running
> bunches of ipfw rules.  I'd like to add a 3rd NIC and have it mirror
> the 2nd NIC (so all traffic into and out of nic2 goes to nic3), so I
> can run an IDS on another server.  Yes, I know that has the potential
> to overload nic3 if there is a lot of traffic going in and out of
> nic2, but that's not an issue for me.
> 
> Has anyone done this before, or know how to do this?

Are you using if_bridge?  If so, it supports creating span interfaces.
It's easy to set up, and it almost does what you describe (instead of
only showing traffic into/out of nic2, it's going to show all traffic
on bridge0.)

Erik