Date: Fri, 18 Feb 2011 16:16:49 +0100 (CET)
From: elof2@sentor.se
To: freebsd-net <freebsd-net@freebsd.org>
Subject: Request to developers of if_bridge.ko - ETHER_BPF_MTAP vs BPF_MTAP
Message-ID: <20110218145213.T51580@deliverator.sentor.se>

Back in FreeBSD 6.3 and 6.4 there was a bpf-bug in if_bridge.c. This bug was sometimes a nice feature though, since it "normalised" the traffic sent to bpf, making it easier to sniff, analyse and debug the mirrored traffic.

My request is for the possibility to have "packet normalisation" turned on based on a sysctl flag.

Scenario: I create a bridge0 interface using one or multiple parent NICs. Then I sniff traffic on this cloned NIC (tcpdump -nli bridge0 port 80).

Benefit: Multiple NICs are bonded together and can easily be sniffed on ONE interface with ONE sniffer process.

Drawback: The problem is that if the sniffer uses a bpf filter like "port 80", and the mirrored traffic consists of a mix of untagged and vlan tagged (802.1q) packets, only the untagged packets will match. To see if there is any www-traffic in the mirrored vlans, one needs to change the filter to "vlan and port 80", but then you lose the untagged lan. ...catch 22.

The bug (feature) in sys/net/if_bridge.c prior to revision 186365 (http://svn.freebsd.org/viewvc/base?view=revision&revision=186365) was that if_bridge sent a copy of a packet to bpf using BPF_MTAP instead of using ETHER_BPF_MTAP. The result was that the sniffer got a copy of packets that had their vlan header (tag) stripped off.

In the patched version, the full frame is mirrored to bpf. While this is correct, I'd like the possibility to override and see stripped packets instead.

Having a function that simply strips off any vlan tags from tagged packets is wonderful when it comes to sniffing. Especially since switches from all brands behave differently when it comes to SPAN and vlan tags (a SYN could be mirrored untagged while the corresponding SYN+ACK is mirrored with a vlan tag set). It is also quite common that net admins configure uplink ports with multiple vlans AND an untagged lan. When you SPAN this uplink you get both tagged and untagged traffic in a mix.

By normalising the mirrored traffic sent to bpf, a network technician can more easily perform his network debugging. Also, there is less risk of human mistakes due to the lack of insight that he needs to use the 'vlan' keyword in his tcpdump/tshark/ngrep/whatever to see the full scope of the traffic. Also state-keeping tools like snort and argus benefit from normalised traffic since they can't build a correct state table if the SYN and SYN+ACK belong to two different vlans.

My request is that if a sysctl variable (like net.link.bridge.bpf.strip_header) equals true, then if_bridge.ko will pass stripped (BPF_MTAP) packets to bpf. By default it should naturally pass the entire frame (ETHER_BPF_MTAP).

I know that passing stripped packets to bpf could be seen as ugly and bad, but compared to some of the problems a mixed environment can cause, I think that the possibility to manually override the default would be very useful. (In fact I know it, since I relied on the bug during the FreeBSD 6.3-6.4 period.)

There are only four places in if_bridge.c that need to be updated to something like this:

    if (net.link.bridge.bpf.strip_header == 1)
        BPF_MTAP(bifp, m);
    else
        ETHER_BPF_MTAP(bifp, m);

The question is if other people besides myself see the benefits? Could we have this feature added to FreeBSD base? What are your thoughts?

/Elof
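
The filter mismatch described in the message, as an added userspace example (not part of the original e-mail and not FreeBSD kernel code): a simplified fixed-offset "port 80" match misses an 802.1Q-tagged frame until the tag is stripped. The names match_port, strip_vlan and make_frame are hypothetical, and the frames are constructed samples, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { ETHERTYPE_IP = 0x0800, ETHERTYPE_VLAN = 0x8100 /* 802.1Q TPID */ };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Simplified "port N" filter (IPv4 TCP/UDP): fixed offsets, ethertype at byte 12. */
int match_port(const uint8_t *f, size_t len, uint16_t port)
{
    if (len < 34 || rd16(f + 12) != ETHERTYPE_IP)
        return 0;                          /* a tagged frame stops here */
    size_t ihl = (size_t)(f[14] & 0x0f) * 4;
    if (ihl < 20 || len < 18 + ihl || (f[23] != 6 && f[23] != 17) ||
        (rd16(f + 20) & 0x1fff))           /* not TCP/UDP, or a later fragment */
        return 0;
    return rd16(f + 14 + ihl) == port || rd16(f + 16 + ihl) == port;
}

/* Normalise in place: drop every leading 802.1Q tag, return the new length. */
size_t strip_vlan(uint8_t *f, size_t len)
{
    for (; len >= 18 && rd16(f + 12) == ETHERTYPE_VLAN; len -= 4)
        memmove(f + 12, f + 16, len - 16);
    return len;
}

/* Constructed sample frame in a 64-byte buffer; 802.1Q tagged when vlan >= 0. */
size_t make_frame(uint8_t *f, int vlan, uint16_t sport, uint16_t dport)
{
    size_t o = 12;                         /* MAC addresses stay zero */
    memset(f, 0, 64);
    if (vlan >= 0) {                       /* TPID 0x8100 followed by the VLAN id */
        f[o] = 0x81; f[o + 2] = (uint8_t)((vlan >> 8) & 0x0f); f[o + 3] = (uint8_t)vlan;
        o += 4;
    }
    f[o] = 0x08; f[o + 2] = 0x45; f[o + 11] = 6;   /* IPv4, IHL 5, protocol TCP */
    f[o + 22] = (uint8_t)(sport >> 8); f[o + 23] = (uint8_t)sport;
    f[o + 24] = (uint8_t)(dport >> 8); f[o + 25] = (uint8_t)dport;
    return o + 42;                         /* ethertype + IP header + TCP header */
}

int main(void)
{
    uint8_t f[64];
    size_t n = make_frame(f, 100, 80, 40000);      /* reply from port 80 in VLAN 100 */
    printf("tagged match:   %d\n", match_port(f, n, 80));
    printf("stripped match: %d\n", match_port(f, strip_vlan(f, n), 80));
    return 0;
}
```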