From owner-freebsd-questions Fri Mar 8 10:35: 7 2002
From: afleming@fhsu.edu
To: freebsd-questions@FreeBSD.ORG
Subject: netgraph, bpf, and sniffing 2 interfaces
Date: Fri, 8 Mar 2002 12:35:01 -0600

I have been looking through the netgraph documentation, and searching the mailing lists and web, but I still need some help.

I have a program that sniffs IP packets off of an ethernet interface using BPF (like tcpdump does). However, I can only sniff packets off the one interface at a time. I need to actually sniff packets off of two interfaces at the same time, but the program won't use two interfaces.

(Specifically, I have a fiber tap, which of course has two outputs, one for the transmit for each side of the link. I want to just hook the tap output into the receive of two fiber NICs. This works, I can do a tcpdump on one or the other, but I only see 1/2 of the link. The software I am using will only sniff one interface at a time, so I'd have to combine both streams into one interface before I can see both sides of the conversation.)

I am thinking I can somehow use netgraph to accomplish this. So what I think I need is to make a virtual netgraph interface and then sniff packets off of this.

                        fxp0
                      /
    tcpdump - bpf - ng0
                      \
                        fxp1

Does anyone have any suggestions on if this is the right way to go? If so, can anybody help me with the setup?

I have never used netgraph before so I'm going through a big learning curve here. I keep running into things like the fact that ng0 is by default a point-to-point interface and I don't know how to change it to broadcast. I've been doing a lot of searching but I haven't been able to find anything about sniffing packets off of a netgraph interface.

Thanks for any help or suggestions anyone can provide.

Andrew Fleming
Fort Hays State University
Computing Center
Phone: (785) 628-4433
E-mail: afleming@fhsu.edu
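For offline analysis, the two tap halves can also be joined without netgraph. The sketch below is an added example, not part of the original message: it merges two classic pcap captures (one per tap output) by timestamp into a single stream, which is a different approach from the live ng0 interface the message asks about. It assumes both captures were taken on the same host, so the timestamps share one clock, and the sample frames are constructed placeholders.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Return (linktype, [(timestamp_us, orig_len, frame_bytes), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    records, off = [], GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        frame = data[off:off + incl]
        if len(frame) < incl:            # capture cut off mid-frame: stop cleanly
            break
        records.append((sec * 1_000_000 + usec, orig, frame))
        off += incl
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    """Serialize (timestamp_us, orig_len, frame) records as a classic pcap."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, orig, frame in records:
        out.append(REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(frame), orig))
        out.append(frame)
    return b"".join(out)

def merge_tap_halves(pcap_a, pcap_b):
    """Interleave two one-directional captures into one time-ordered pcap."""
    link_a, recs_a = read_pcap(pcap_a)
    link_b, recs_b = read_pcap(pcap_b)
    if link_a != link_b:
        raise ValueError("link types differ; refusing to mix them in one file")
    # Each half is already time-ordered, so a streaming merge is enough.
    merged = list(heapq.merge(recs_a, recs_b, key=lambda r: r[0]))
    return write_pcap(link_a, merged)

# Constructed sample: the fxp0 half holds frames at t=1.000000 and t=1.000300,
# the fxp1 half holds one frame at t=1.000100 (linktype 1 = Ethernet).
HALF_FXP0 = write_pcap(1, [(1_000_000, 4, b"req1"), (1_000_300, 4, b"req2")])
HALF_FXP1 = write_pcap(1, [(1_000_100, 4, b"rsp1")])
```

The merged output can be read by any tool that accepts classic pcap files, so a single-input analyzer sees both directions of the link in order.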