From: Richard Bejtlich
To: freebsd-security@freebsd.org
Date: Wed, 21 Jan 2004 13:38:33 -0800 (PST)
Subject: Re: interface bonding

Hello,

On 9 Jan 04 I posted a method for bonding interfaces using netgraph for purposes of sniffing tap outputs as a single virtual interface. Unfortunately, the method I posted creates two copies of every packet.

I have used the following to successfully collect only one copy of packets sent from the two TX streams of a network tap:

#!/bin/sh
# sf2 and sf3 are real interfaces which receive tap
# outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the
# real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

--

Sorry for the confusion earlier. I appreciate any comments on how to improve this method. Please check my 9 Jan post to see the setup which created the dual packets.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com