Date: Wed, 12 Feb 2003 10:18:47 -0600
From: Daniel Schrock <dschrock@speakeasy.net>
To: Richard Bejtlich <richard@taosecurity.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Combining data from two NICs into one virtual NIC
Message-ID: <3E4A73E7.2000207@speakeasy.net>
In-Reply-To: <748e5c2c.0302112041.1b7ede21@posting.google.com>
References: <748e5c2c.0302112041.1b7ede21@posting.google.com>

Richard Bejtlich wrote:
> Hello,
>
> Can anyone offer advice on how to combine the traffic from two
> separate NICs and have them be treated as a single virtual interface
> under FreeBSD -- for purposes of running tcpdump or snort?
>
> For example, if I use a tap to monitor traffic, is there a way for the
> two lines out from the tap to be seen as a single interface?
>
> Currently I send both lines out to a hub, and run a cable from the hub
> to one NIC on my FreeBSD 5.0 RELEASE monitoring platform.
>
> Based on a post by J. Nielsen about using netgraph and this article
> (http://bsdvault.net/sections.php?op=viewarticle&artid=98), I tried
> the following.
>
> My box has interfaces ed1, dc0, and dc1. ed1 is the management
> interface. I want to combine dc0 and dc1 into a single virtual
> interface to sniff traffic. dc0 was configured by /etc/rc.conf to be
> up and have an IP address at boot, while dc1 was not.
>
> ---
>
> ifconfig dc1 up
> kldload /boot/kernel/ng_ether.ko
> kldload /boot/kernel/ng_one2many.ko
> ngctl mkpeer dc0: one2many upper one
> ngctl connect dc0: dc0:upper lower many0
> ngctl connect dc1: dc0:upper lower many1
> ngctl msg dc1: setpromisc 1
> ngctl msg dc1: setautosrc 0
> ngctl msg dc0:upper setconfig "{xmitAlg=1 failAlg=1 enabledLinks =[ 1 1 ] }"
>
> ---
>
> No errors occurred, but how do I proceed? How do I access the virtual
> interface? Sniffing against dc0 shows only what dc0 sees, not what
> dc0 and dc1 might see together. Sniffing against dc1 shows only what
> dc1 sees.
>
> I also heard vlan(4) might be of use. Any thoughts on that?
>
> Thank you very much,
>
> Richard Bejtlich

You want to look into bridging.
http://ezine.daemonnews.org/200211/ipfilter-bridge.html
This will help you get it set up, and you can just ignore the filter
part of it if you don't want to run a firewall on it.

ng_one2many is for combining interfaces into a single interface for
increased bandwidth.

VLANs could work, but only if you are running a switch that supports
VLAN trunking. Considering hubs flood traffic to all ports, you could
just use a single interface and bring it up, without an address, in
promiscuous mode and you should see most traffic.

Daniel Schrock, CCNA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
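
Added example, not part of either message above: one way to get the single combined view the question asks for, without a virtual interface, is to capture each tap-facing NIC to its own file (for instance with tcpdump -i dc0 -w and tcpdump -i dc1 -w) and merge the files by timestamp afterwards. The parser handles only the classic pcap format with microsecond timestamps; the function names are illustrative, and the sample captures and their frame bytes are constructed placeholders.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def read_pcap(data):
    """Yield ((sec, usec), frame) records from a classic pcap byte string."""
    magic = struct.unpack_from("<I", data)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + caplen > len(data):
            break  # truncated last record (capture still being written)
        yield (sec, usec), data[off:off + caplen]
        off += caplen

def tagged(nic, data):
    """Label every record with the NIC it was captured on."""
    for ts, frame in read_pcap(data):
        yield ts, nic, frame

def merge_captures(captures):
    """captures: {nic_name: pcap_bytes}. Returns [(ts, nic, frame)] in time order.
    Assumes each individual capture is already in timestamp order."""
    return list(heapq.merge(*(tagged(n, d) for n, d in captures.items())))

def make_pcap(packets):
    """Build a little-endian Ethernet pcap from [((sec, usec), frame)] for the sample."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for (sec, usec), frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample: dc0 carries one direction of the tapped link, dc1 the other.
DC0 = make_pcap([((1045066727, 100), b"SYN"), ((1045066727, 300), b"ACK")])
DC1 = make_pcap([((1045066727, 200), b"SYN-ACK")])

if __name__ == "__main__":
    for ts, nic, frame in merge_captures({"dc0": DC0, "dc1": DC1}):
        print("%d.%06d %s %r" % (ts[0], ts[1], nic, frame))
```

Both NICs sit in the same host and share its clock, so ordering by capture timestamp interleaves the two directions of the link without any clock correction.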