Date: Tue, 12 Aug 2014 16:26:59 -0400
From: "Joseph Ward" <jbward@hilltopgroup.com>
To: <freebsd-net@freebsd.org>
Subject: SPAN port doesn't pick up locally generated traffic
Message-ID: <08b701cfb66b$c4ee4820$4ecad860$@com>
Hi,

I have built a firewall/routing box utilizing FreeBSD and need to mirror all of the LAN-side traffic before it is NATed to another box which will have traffic analysis software running on it. The firewall box has 4 interfaces: 3 wired (re0, re1, re2) and 1 wireless (ath0). re0 is the internet port (WAN), re1 and ath0 are bridged into bridge0 which has my LAN IP (so that both my wired and wireless systems are all on the same physical network), and re2 is a member of bridge0 as a SPAN port.

A tcpdump on the SPAN (and on the analysis box) shows that all packets which enter the system via ath0 and re1 are mirrored appropriately, but if the packets originate either on the WAN port (re1) or internal to the firewall box (ping a LAN endpoint from the firewall shell) the packets are not present on the SPAN port. tcpdump on bridge0 captures the packets, so they're definitely on the bridge.

In order to eliminate all possibilities I ran a liveCD of FreeBSD 10 on a box with 4 interfaces with em0 and em1 bridged together into bridge0 with em3 as a SPAN port for bridge0. No firewall, no ports, nothing has been installed or configured. On this box, any packets which physically enter either em0 or em1 (the bridged interfaces) are SPANned, but nothing that originates on the fresh box shows up on the SPAN. Again, the packets originating on the system show up on a tcpdump of bridge0.

I'm not much of a system-level programmer, but it certainly looks as if my expected behavior is "proper" based on if_bridge.c and the comment before the "bridge_output" function, which definitely has a "bridge_span" call when sending unicast with locally generated traffic, which is what I'm doing here.

Am I missing something? A configuration variable somewhere perhaps? Or is this a bug somewhere? Any help would be greatly appreciated!
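The liveCD experiment from the message, written up as a repeatable check. This is an added example, not a script from the original mail or from the FreeBSD project: it builds the bridge with the ifconfig(8) bridge verbs `create`, `addm`, `span` and `up`, captures on both bridge0 and the span port while the bridge host itself pings a LAN endpoint, and classifies the result. The interface names (bridge0, em0, em1, em3) are taken from the mail; the target address 192.0.2.10 is a constructed placeholder for a reachable LAN host. It needs root on a FreeBSD box with if_bridge and tcpdump; with `DRY_RUN=1` it only prints the configuration commands.

```shell
#!/bin/sh
# span_check.sh -- added example, not part of the original mail.
# Rebuilds the reporter's liveCD setup (bridge0 = em0 + em1, em3 as span port)
# and checks whether ICMP echoes generated on the bridge host itself reach the
# span port. Interface names are the mail's; adjust for your hardware.
#   DRY_RUN=1 sh span_check.sh 192.0.2.10   # print the ifconfig commands only
#   sh span_check.sh 192.0.2.10             # run the experiment (root)

BRIDGE=${BRIDGE:-bridge0}
SPAN=${SPAN:-em3}
MEMBERS=${MEMBERS:-"em0 em1"}
TARGET=${1:-192.0.2.10}      # constructed placeholder: a LAN host behind the bridge
CAPTURE_SECONDS=5

# ifconfig(8) commands that build the bridge with a span member.
# "addm" adds a member interface, "span" mirrors bridge traffic to an interface.
span_setup_cmds() {
    bridge=$1; span=$2; shift 2
    echo "ifconfig $bridge create"
    for m in "$@"; do
        echo "ifconfig $bridge addm $m"
        echo "ifconfig $m up"
    done
    echo "ifconfig $bridge span $span"
    echo "ifconfig $span up"
    echo "ifconfig $bridge up"
}

# Classify the experiment from the packet counts seen on bridge0 and the span.
verdict() {
    on_bridge=$1; on_span=$2
    if [ "$on_bridge" -eq 0 ]; then
        echo "NO-TRAFFIC"     # the ping never hit the bridge; check TARGET first
    elif [ "$on_span" -eq 0 ]; then
        echo "NOT-SPANNED"    # the behaviour the mail reports
    elif [ "$on_span" -lt "$on_bridge" ]; then
        echo "PARTIAL"        # some, but not all, bridge packets were mirrored
    else
        echo "SPANNED"        # locally generated traffic reached the span port
    fi
}

# Echo instead of execute when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

experiment() {
    # MEMBERS is intentionally word-split into separate interface names.
    span_setup_cmds "$BRIDGE" "$SPAN" $MEMBERS | while read -r cmd; do run $cmd; done
    [ -n "$DRY_RUN" ] && { echo "+ capture/ping phase skipped in dry run"; return 0; }

    dir=$(mktemp -d /tmp/span.XXXXXX)
    filter="icmp and host $TARGET"
    # Capture the same ICMP exchange on the bridge and on the span port.
    tcpdump -nn -i "$BRIDGE" -w "$dir/bridge.pcap" $filter 2>/dev/null & b=$!
    tcpdump -nn -i "$SPAN"   -w "$dir/span.pcap"   $filter 2>/dev/null & s=$!
    sleep 1
    ping -c 3 "$TARGET" >/dev/null 2>&1      # traffic originating on this host
    sleep "$CAPTURE_SECONDS"
    kill $b $s; wait $b $s 2>/dev/null

    nb=$(tcpdump -nn -r "$dir/bridge.pcap" 2>/dev/null | wc -l | tr -d ' ')
    ns=$(tcpdump -nn -r "$dir/span.pcap"   2>/dev/null | wc -l | tr -d ' ')
    echo "bridge=$nb span=$ns verdict=$(verdict "$nb" "$ns")"
}

# Run only when executed as span_check.sh, so the functions can also be sourced.
case $0 in *span_check.sh) experiment ;; esac
```

A `NOT-SPANNED` verdict with a non-zero bridge count reproduces exactly what the mail describes: the echo requests are visible on bridge0 but never mirrored to the span port. Running the same script with traffic that enters through em0 or em1 should give `SPANNED`, which separates a span-port misconfiguration from the locally-generated-traffic case the reporter is asking about.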