From: Daniel Schrock
Date: Wed, 12 Feb 2003 10:18:47 -0600
To: Richard Bejtlich
Cc: freebsd-questions@freebsd.org
Subject: Re: Combining data from two NICs into one virtual NIC
Message-ID: <3E4A73E7.2000207@speakeasy.net>
In-Reply-To: <748e5c2c.0302112041.1b7ede21@posting.google.com>

Richard Bejtlich wrote:
> Hello,
>
> Can anyone offer advice on how to combine the traffic from two
> separate NICs and have them be treated as a single virtual interface
> under FreeBSD -- for purposes of running tcpdump or snort?
>
> For example, if I use a tap to monitor traffic, is there a way for the
> two lines out from the tap to be seen as a single interface?
>
> Currently I send both lines out to a hub, and run a cable from the hub
> to one NIC on my FreeBSD 5.0 RELEASE monitoring platform.
>
> Based on a post by J. Nielsen about using netgraph and this article
> (http://bsdvault.net/sections.php?op=viewarticle&artid=98), I tried
> the following.
>
> My box has interfaces ed1, dc0, and dc1. ed1 is the management
> interface. I want to combine dc0 and dc1 into a single virtual
> interface to sniff traffic. dc0 was configured by /etc/rc.conf to be
> up and have an IP address at boot, while dc1 was not.
>
> ---
>
> ifconfig dc1 up
> kldload /boot/kernel/ng_ether.ko
> kldload /boot/kernel/ng_one2many.ko
> ngctl mkpeer dc0: one2many upper one
> ngctl connect dc0: dc0:upper lower many0
> ngctl connect dc1: dc0:upper lower many1
> ngctl msg dc1: setpromisc 1
> ngctl msg dc1: setautosrc 0
> ngctl msg dc0:upper setconfig "{xmitAlg=1 failAlg=1 enabledLinks =[ 1 1 ] }"
>
> ---
>
> No errors occurred, but how do I proceed? How do I access the virtual
> interface? Sniffing against dc0 shows only what dc0 sees, not what
> dc0 and dc1 might see together. Sniffing against dc1 shows only what
> dc1 sees.
>
> I also heard vlan(4) might be of use. Any thoughts on that?
>
> Thank you very much,
>
> Richard Bejtlich

You want to look into bridging.
http://ezine.daemonnews.org/200211/ipfilter-bridge.html
This will help you get it set up and you can just ignore the filter part
of it if you don't want to run a firewall on it.

ng_one2many is for combining interfaces into a single interface for
increased bandwidth.

VLANs could work but only if you are running a switch that supports VLAN
trunking.

Considering hubs flood traffic to all ports, you could just use a single
interface and bring it up, without an address, in promiscuous mode and
you should see most traffic.

Daniel Schrock, CCNA