From owner-freebsd-net@FreeBSD.ORG  Sat Dec  8 10:41:12 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A8E0B16A419
	for <freebsd-net@freebsd.org>; Sat,  8 Dec 2007 10:41:12 +0000 (UTC)
	(envelope-from thompsa@FreeBSD.org)
Received: from heff.fud.org.nz (203-109-251-39.static.bliink.ihug.co.nz
	[203.109.251.39])
	by mx1.freebsd.org (Postfix) with ESMTP id 553B513C447
	for <freebsd-net@freebsd.org>; Sat,  8 Dec 2007 10:41:12 +0000 (UTC)
	(envelope-from thompsa@FreeBSD.org)
Received: by heff.fud.org.nz (Postfix, from userid 1001)
	id 9ACE478C7; Sat,  8 Dec 2007 23:41:10 +1300 (NZDT)
Date: Sat, 8 Dec 2007 23:41:10 +1300
From: Andrew Thompson <thompsa@FreeBSD.org>
To: Peter Wood <peter@alastria.net>
Message-ID: <20071208104110.GB75826@heff.fud.org.nz>
References: <4755EFDD.8070609@isc.org>
	<20071205021851.V87930@fledge.watson.org>
	<ad79ad6b0712050100p90a1917w5440e06a94f816e7@mail.gmail.com>
	<20071205093244.U87930@fledge.watson.org>
	<20071205094657.P87930@fledge.watson.org>
	<475A735F.8000907@alastria.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <475A735F.8000907@alastria.net>
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: freebsd-net@freebsd.org
Subject: Re: Aggregating many ports into one for tcpdump server. (also
	sampling before libpcap)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Dec 2007 10:41:12 -0000

On Sat, Dec 08, 2007 at 10:35:11AM +0000, Peter Wood wrote:
> Morning,
>
> >>> Looking thru the archives, it seems ng_one2many (in this case
> >>> 'many2one') is what I am looking for.  Am I barking the right tree 
> here?
>
> Strangely enough this is the exact situation I was looking into on Friday 
> for two mirror ports from our border routers via aggregation switches.
>
> I had seen the netgraph solution however I had initially ignored if_bridge 
> as I don't want the packets to be sent to the opposing devices.

Thats why you combine if_bridge with monitor mode, any incoming packets
are discarded after bpf processing so they are never sent to opposing
devices.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html#AEN40035


regards,
Andrew