From: Frank
Date: Sat, 28 Jan 2006 20:52:11 +0100
To: net@freebsd.org
Subject: Creating span port using netgraph
Message-ID: <43DBCB6B.7080504@deze.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I'm trying to set up a "span" interface for use with snort. Basically, the span interface should receive a copy of all IP packets seen on my real network interfaces, with the purpose that snort can snoop this interface.

After reading the manuals and searching the Internet, I came up with the following script:

#!/bin/sh

# load ng_ether to get ethernet interfaces
if ! kldstat -v | grep ng_ether > /dev/null 2>&1; then
    kldload ng_ether
fi

# create ngeth0 and bind xl0, xl1, xl2 and xl3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect xl0: ngeth0:lower lower many0
ngctl connect xl1: ngeth0:lower lower many1
ngctl connect xl2: ngeth0:lower lower many2
ngctl connect xl3: ngeth0:lower lower many3

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 monitor up

After I run this script, all network connections freeze and I lose all IP connectivity. If I tcpdump on any interface (xl? or ngeth0), no traffic is visible.

Maybe I'm overlooking the obvious, but I do not understand why it does not work...

Any help is appreciated! I'm using FreeBSD 6-STABLE.

Regards,
Frank