Date:      Thu, 02 Feb 2006 17:28:12 +0000
From:      "Shawn Saunders" <saundersconsult@hotmail.com>
To:        freebsd-net@freebsd.org
Cc:        dionch@freemail.gr
Subject:   Re: Trying to make a Host into a gigabit hub for testing
Message-ID:  <BAY115-F27FDBF43C06E52B9B7431ABA0A0@phx.gbl>

Chris and others,

This is an update on the configuration you helped me with several months 
ago.
I don't have the specific numbers, only approximations, as the machines were 
being reset weekly because of reconfigurations in the IDSs.  So the port 
statistics were also reset to provide accuracy as ethernet connections went 
up and down upon the IDSs' reset.
Based upon a configuration of two networks in, with each having 4 ports out 
(using one2many).
All ports being Gigabit ethernet on PCI-X bus, Intel cards, and an Opteron 
server with 8 GB RAM.

Network 1:
Approximately 5 million to 7 million alerts per day, as registered by both 
snort, and ISS.  Alerts generated against a group of both virtual and real 
machines (approximately 200).  Approximately 18 million packets per day.  We 
had customized alert rules to obtain the alert load necessary for our 
testing protocol.

Less than 1% packet loss between interfaces.

There were a couple weeks where it made it to almost 2%, but that was when 
we had up to 30 million packets per day over our networks.

Now this is only counting the packet losses over the netgraph interfaces, 
not what may have happened on the overburdened networks themselves.

We used various tools and customizations, such as Nmap, hping, nessus, ftp, 
http and smtp with cron, on both Windows and *nix systems to generate a 
cross-section of simulated traffic.

Hope this was helpful.

Now we are performing a new test, and the requirements have changed.  I am 
having difficulty as one2many will not perform what I need.

The following is a layout of the type of configuration, and I have tried 
one2many and hub, but was unable to obtain the desired results.  Whenever I 
try to set multiple hooks to the same interface it fails, and trying to 
bring a group of interfaces to a virtual interface, and then take that 
virtual interface out multiple different interfaces, seems to fail (I can't 
even make the connection to the virtual interface to go to multiple outs.)

I will have 11 interfaces inbound from 11 different networks.
I will have 4 outbound to 4 different IDSs and sensors.
I would like to have 11 interfaces come into a single virtual interface.  
This way I could run tcpdump and/or snort on the box itself and obtain quick 
info, and do validation of packet data, between the capture system and the 
IDS and sensors.
I would like to redirect all the traffic from that one virtual interface to 
a group of 4 physical interfaces so the sensors can work on it.

Here is a configuration I tried.  Any comments or suggestions are 
appreciated.
This initial script only takes 3 input interfaces into a single virtual 
interface.  This works.
Then when I try to take that virtual interface and echo it out multiple 
interfaces, it fails.

#!/bin/sh
# Initialize and bring up all interfaces
for i in 0 1 2 3 4 5 6 7 8 9 10 11
do
  /sbin/ifconfig em$i up
done
for g in 0 1
do
  /sbin/ifconfig bge$g up
done
/sbin/ifconfig fxp0 up
# Load needed kernel modules
/sbin/kldload /boot/kernel/ng_ether.ko
/sbin/kldload /boot/kernel/ng_one2many.ko
/sbin/kldload /boot/kernel/ng_fec.ko
# Create Virtual Interface
/usr/sbin/ngctl mkpeer fec dummy fec
# Bind physical input interfaces to virtual interface
/usr/sbin/ngctl msg fec0: add_iface '"em0"'
/usr/sbin/ngctl msg fec0: add_iface '"em1"'
/usr/sbin/ngctl msg fec0: add_iface '"em2"'
# Set forwarding mode to mac address layer.
/usr/sbin/ngctl msg fec0: set_mode_mac
# Configure the virtual interface to deliver packets out the others
# (this is the step described above as failing)
/usr/sbin/ngctl mkpeer fec0: one2many upper one
/usr/sbin/ngctl name fec0:upper secur
/usr/sbin/ngctl connect bge0: secur: upper many0
/usr/sbin/ngctl connect bge1: secur: upper many1
/usr/sbin/ngctl msg secur: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
# Set all interfaces Promisc mode and turn off autosrc routing
for s in 0 1 2 3 4 5 6 7 8 9 10 11
do
  /usr/sbin/ngctl msg em$s: setpromisc 1
  /usr/sbin/ngctl msg em$s: setautosrc 0
done
for t in 0 1
do
  /usr/sbin/ngctl msg bge$t: setpromisc 1
  /usr/sbin/ngctl msg bge$t: setautosrc 0
done
#EOF

Before sending 3 pings across em2:
gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2

Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
bge0    1500               00:e0:81:32:f4:52      0     0        5     0     0
bge0    1500 fe80:b::2e0:8 fe80:b::2e0:81ff:      0     -        4     -     -
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
bge1    1500               00:e0:81:32:f4:53      0     0        0     0     0
bge1    1500 fe80:c::2e0:8 fe80:c::2e0:81ff:      0     -        4     -     -
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fec0*   1500               00:04:23:c1:0e:50     11     0        0     0     0
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
em2     1500               00:04:23:c1:0e:50     41     0        5     0     0
em2     1500 fe80:5::204:2 fe80:5::204:23ff:      0     -        4     -     -

After sending 3 pings across em2:
gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2

Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
bge0    1500               00:e0:81:32:f4:52      0     0        5     0     0
bge0    1500 fe80:b::2e0:8 fe80:b::2e0:81ff:      0     -        4     -     -
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
bge1    1500               00:e0:81:32:f4:53      0     0        0     0     0
bge1    1500 fe80:c::2e0:8 fe80:c::2e0:81ff:      0     -        4     -     -
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fec0*   1500               00:04:23:c1:0e:50     15     0        0     0     0
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
em2     1500               00:04:23:c1:0e:50     45     0        5     0     0
em2     1500 fe80:5::204:2 fe80:5::204:23ff:      0     -        4     -     -

Shawn Saunders

>From: Chris Dionissopoulos
>Reply-To: dionch@freemail.gr
>To: Shawn Saunders
>Subject: Re: Trying to make a Host into a gigabit hub for testing
>Date: Fri, 21 Oct 2005 03:49:31 +0300
>
>Great news!! It was just a thought that might work, and this schema of 
>ng_one2many is undocumented (google included).
>
>If it is not difficult for you, could you provide the list with some real life 
>benchmarks?
>
>Chris.
>
>
>Shawn Saunders wrote:
>
>>Chris,
>>
>>Ignore the last note.  It is working, with the correction you gave me 
>>below.  Working Great.
>>
>>Thanks for all your help.
>>
>>Shawn
>
>
>____________________________________________________________________ 
>http://www.freemail.gr - free electronic mail service. 
>http://www.freemail.gr - free email service for the Greek-speaking.
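The before/after counter comparison done by hand in the message above, scripted as an added example (not code from the original post): it parses the two netstat -I snapshots and checks that what entered em2 reached fec0 and was copied out bge0 and bge1. The snapshot text is copied from the captures in the message, and the roles of the interfaces (em2 inbound, fec0 tap, bge0/bge1 outbound) are assumed from the description.

```python
# Counters copied from the post's two netstat -I captures (wrapped lines
# re-joined); one inet6 row is kept to show that it is skipped.
BEFORE = """\
Name    Mtu Network       Address           Ipkts Ierrs    Opkts Oerrs  Coll
bge0    1500               00:e0:81:32:f4:52     0     0        5     0     0
bge0    1500 fe80:b::2e0:8 fe80:b::2e0:81ff:     0     -        4     -     -
bge1    1500               00:e0:81:32:f4:53     0     0        0     0     0
fec0*   1500               00:04:23:c1:0e:50    11     0        0     0     0
em2     1500               00:04:23:c1:0e:50    41     0        5     0     0
"""
AFTER = """\
Name    Mtu Network       Address           Ipkts Ierrs    Opkts Oerrs  Coll
bge0    1500               00:e0:81:32:f4:52     0     0        5     0     0
bge1    1500               00:e0:81:32:f4:53     0     0        0     0     0
fec0*   1500               00:04:23:c1:0e:50    15     0        0     0     0
em2     1500               00:04:23:c1:0e:50    45     0        5     0     0
"""

def parse_netstat(text):
    """Return {ifname: (Ipkts, Opkts)} from the link-level rows of
    netstat -I output; inet6 rows carry '-' in Ierrs and are skipped."""
    counters = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] == "Name":
            continue
        ipkts, ierrs, opkts = tok[-5], tok[-4], tok[-3]
        if ierrs == "-":          # protocol row, not the interface counters
            continue
        counters[tok[0].rstrip("*")] = (int(ipkts), int(opkts))
    return counters

def check_fanout(before, after, inbound, tap, outbound):
    """Delta the counters: did packets received on `inbound` show up on the
    `tap` interface, and were they copied out of every `outbound` port?"""
    b, a = parse_netstat(before), parse_netstat(after)
    rx_in = a[inbound][0] - b[inbound][0]
    rx_tap = a[tap][0] - b[tap][0]
    tx_out = {o: a[o][1] - b[o][1] for o in outbound}
    return {
        "inbound_rx": rx_in,
        "tap_rx": rx_tap,
        "outbound_tx": tx_out,
        "fanin_ok": rx_in > 0 and rx_tap == rx_in,
        "fanout_ok": rx_in > 0 and all(d >= rx_in for d in tx_out.values()),
    }

if __name__ == "__main__":
    print(check_fanout(BEFORE, AFTER, "em2", "fec0", ["bge0", "bge1"]))
```

On the posted numbers the fan-in checks out (em2 and fec0 both gained 4 input packets) while neither bge port transmitted anything, which is the failure the message describes.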