From owner-freebsd-hackers Mon Jul 3 21:19:37 2000
Message-ID: <712384017032D411AD7B0001023D799B07C93C@SN1EXCHMBX>
From: Nick Evans <nevans@nextvenue.com>
To: 'Dan Nelson'
Cc: "'freebsd-hackers@freebsd.org'"
Subject: RE: BPF and Promiscuous Mode
Date: Tue, 4 Jul 2000 00:17:34 -0400

Exactly, I just tried it and it didn't work :(. Yes, you are right on: NFR is a sniffer/IDS, but it is based on the OpenBSD kernel and therefore does not support multiple processors. I just tried bridging and it does in fact bridge all interfaces together, but it still does not appear to be mirroring all traffic from one interface to another. Apparently there are issues with IPFilter and FreeBSD... I am going to try OpenBSD and IPFilter tonight. The IPFilter people know that bridging works on OpenBSD, and you can bridge specific interfaces.

-----Original Message-----
From: Dan Nelson [mailto:dnelson@emsphone.com]
Sent: Monday, July 03, 2000 10:34 PM
To: Nick Evans
Subject: Re: BPF and Promiscuous Mode

Is there any reason you're not CC'ing the list? I added it back on my first reply on the assumption you simply forgot, but this email is missing it too. It's good to have exchanges like these in the mailing-list archives, to help other people that might have the same question later.

In the last episode (Jul 03), Nick Evans said:
> actually it's like this
>
> <router> --- <switch>
>                  |
>                  | <- mirrored port
>             <freebsdbox>
>                  |
>                  |
>           <vlan'd switch>
>            |      |      |
>            |      |      |
>          <nfr>  <nfr>  <nfr>
>
> the nfr boxes do not have ip's so i just need the traffic duplicated
> (so routing is out of the question), but i wanted to use ipfilter to,
> get this, filter the traffic so not all the IDSs see all the
> traffic. they simply cannot handle 600Mbits each... my plan is to put
> a gig interface, or two, into the BSD box and several dualport server
> adaptors and then segment that traffic down. bridging might work, but
> i do not know how to bind certain interfaces together in FreeBSD,
> OpenBSD, yes, but not Free...

Aahh. An nfr is a sniffer. I assumed that you were load-balancing web servers or something, which was confusing me a bit since you don't want to use mirroring for this. For your purposes, mirroring is perfect.

I think enabling bridging, and then using ipfilter or ipfw to only allow (say) 1/3 of the Net addresses to each server (assuming you have 3 nfr's), would do what you want. I wonder if NFR will take advantage of multiple CPUs in a single box. That way you don't have to worry about any of this.

In the last episode (Jul 03), Nick Evans said:
> actually a better question would have been, do you know if you can
> bridge multiple interfaces to one other interface like 4 100mbit nics
> to one gigabit nic?

I assume so. The bridge manpage mentions the inability to selectively bridge certain interfaces, so the default must be to bridge all ethernet interfaces. You can probably add some filtering rules to make sure you don't re-transmit packets out of your gigabit NICs.

--
        Dan Nelson
        dnelson@emsphone.com
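The split Dan suggests (bridge every interface, then let each sensor's output interface pass only about a third of the monitored addresses) as an added example that is not part of this thread nor code from NFR, IPFilter or FreeBSD. It is a small Python generator that carves a monitored network into per-sensor address slices, reports which sensor(s) a given packet would reach, and renders the corresponding IPFilter (ipf) rule set. The monitored network 192.0.2.0/24, the interface names fxp1 to fxp3 and the count of three sensors are constructed assumptions.

```python
"""Split a monitored network across N IDS sensors by address slice.

Added example, not from the mailing-list thread: each sensor hangs off its
own interface of the bridging box, and that interface is only allowed to
emit frames whose source or destination lies in the sensor's slice of the
monitored network. Interface names and the network are assumptions.
"""
import ipaddress
from typing import List

# Constructed example values: the network behind the mirrored switch port
# and one output interface per NFR box on the bridge host.
MONITORED_NET = "192.0.2.0/24"
SENSOR_IFACES = ["fxp1", "fxp2", "fxp3"]


def split_network(cidr: str, parts: int) -> List[List[ipaddress.IPv4Network]]:
    """Divide cidr into `parts` nearly equal address ranges.

    Each range is summarized into the minimal list of CIDR blocks because
    ipf rules take prefixes, not arbitrary first/last address pairs.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net)  # every address in the prefix, network and broadcast included
    n = len(hosts)
    slices = []
    for k in range(parts):
        lo = hosts[k * n // parts]
        hi = hosts[(k + 1) * n // parts - 1]
        slices.append(list(ipaddress.summarize_address_range(lo, hi)))
    return slices


def sensors_for(src: str, dst: str,
                slices: List[List[ipaddress.IPv4Network]]) -> List[int]:
    """Return the indices of every sensor whose rules pass this packet.

    The rules below pass a frame on interface k when src OR dst is in
    slice k, so a packet between two monitored hosts in different slices
    reaches two sensors, and one that touches no monitored address reaches
    none (it is dropped on every sensor interface).
    """
    ends = [ipaddress.ip_address(src), ipaddress.ip_address(dst)]
    hit = []
    for k, blocks in enumerate(slices):
        if any(ip in b for ip in ends for b in blocks):
            hit.append(k)
    return hit


def ipf_rules(slices: List[List[ipaddress.IPv4Network]],
              ifaces: List[str]) -> List[str]:
    """Render one ipf rule set covering all sensor interfaces.

    ipf is last-match by default; `quick` stops evaluation at the first
    match, so the pass rules win for the slice and the trailing `block`
    drops everything else that the bridge would otherwise flood out of
    that interface.
    """
    if len(slices) != len(ifaces):
        raise ValueError("one interface per slice required")
    rules = []
    for iface, blocks in zip(ifaces, slices):
        for b in blocks:
            rules.append(f"pass out quick on {iface} from {b} to any")
            rules.append(f"pass out quick on {iface} from any to {b}")
        rules.append(f"block out quick on {iface} all")
    return rules


if __name__ == "__main__":
    parts = split_network(MONITORED_NET, len(SENSOR_IFACES))
    for line in ipf_rules(parts, SENSOR_IFACES):
        print(line)
```

Write the output to a file and load it with `ipf -Fa -f /path/to/rules` (flush all, then load). Splitting on the monitored address keeps both directions of a flow on the same sensor whenever the other end is outside the monitored network, which is what a stateful IDS needs; traffic between two monitored hosts in different slices is passed to both sensors, so the per-sensor load is only an estimate. Whether ipf actually sees frames the kernel bridges rather than routes depends on the OS and version, which is exactly the point the thread leaves open.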