Date: Sat, 3 Jan 2004 20:45:08 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Scott Renna <srenna@vdbmusic.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: problem with 2 nics in same box
Message-ID: <20040103204508.GB9278@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <000201c3d238$070d2790$0201a8c0@mars>
References: <3FF6FB80.2080807@cream.org> <000201c3d238$070d2790$0201a8c0@mars>

On Sat, Jan 03, 2004 at 03:27:33PM -0500, Scott Renna wrote:
> I am using Snort and a few other tools to decide which I'd like best.
> Here's the thing about Lowell's comment on Bridging. Is this necessary
> in this case? I don't want the interface without an IP to EVER transmit
> outbound. If I need to enable bridging I'll do so. The other thing is,
> is it possible to configure each card to be on a different subnet (like
> xl1 on 10.X.X.X and xl0 on 192.X.X.X)?

Sounds like you want to put the interface into 'monitor' mode -- see
ifconfig(8). If all you want to do on this box is sniff traffic on
your network, that should be sufficient, although you will have to
configure your switches to pump out a copy of each packet they deal
with to the port your box is connected to. It takes quite a
sophisticated switch to actually have that capability. I'm not sure
if you even need to specify an address for the card when used in this
way: I think it should just pick up any traffic it sees. There's no
problem with having multiple interfaces sniffing on multiple
networks, or even having the traffic from several networks all
directed to the same interface for sniffing.

An alternative way of doing this, which is what I presume Lowell was
on about, is to make the sniffing box a bridge between two network
segments. In this case, you can't use the ifconfig monitor stuff as
the machine will have to forward packets between its interfaces, and
the machine will have to have one IP number on that network, so it
can't be invisible.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
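
The following is an added example, not part of the message above: a check that a sensor interface set up with the ifconfig(8) 'monitor' mode approach is actually passive. It parses `ifconfig` output read on stdin; the function names, the sample output, and the policy that a sniffing interface should carry no address at all are assumptions made for illustration.

```shell
#!/bin/sh
# check_passive: read `ifconfig <if>` output on stdin and report whether the
# interface looks like a passive sensor: UP, MONITOR flag set, no inet/inet6.
# Returns 0 if passive, 1 otherwise. (Assumed policy: sensors hold no address.)
check_passive() {
    awk '
        NR == 1 {
            # First line carries the flag list, e.g. flags=48843<UP,...,MONITOR>
            name = $1; sub(/:$/, "", name)
            up      = ($0 ~ /[<,]UP[,>]/)
            monitor = ($0 ~ /[<,]MONITOR[,>]/)
        }
        # Any address, including an auto-assigned inet6 link-local one, counts.
        $1 == "inet" || $1 == "inet6" { addrs = addrs " " $2 }
        END {
            bad = 0
            if (!up)         { print name ": not UP, it will capture nothing"; bad = 1 }
            if (!monitor)    { print name ": MONITOR flag not set, interface may transmit"; bad = 1 }
            if (addrs != "") { print name ": has address(es):" addrs; bad = 1 }
            if (!bad) print name ": passive (UP, MONITOR, no addresses)"
            exit bad
        }'
}

# Constructed sample: xl1 after `ifconfig xl1 monitor up`, no address assigned.
sample_monitor() {
cat <<'EOF'
xl1: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
	ether 00:00:5e:00:53:01
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
EOF
}

# Constructed sample: xl0 as an ordinary addressed interface (documentation IP).
sample_addressed() {
cat <<'EOF'
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:00:5e:00:53:02
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	status: active
EOF
}

if [ $# -gt 0 ]; then
    ifconfig "$1" | check_passive      # audit a real interface by name
else
    sample_monitor | check_passive
    sample_addressed | check_passive || true
fi
```

Run with an interface name to audit a live interface, or with no arguments to see the result on the two constructed samples.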