Date: Sat, 3 Jan 2004 20:45:08 +0000
From: Matthew Seaman
To: Scott Renna
Cc: freebsd-questions@freebsd.org
Subject: Re: problem with 2 nics in same box
Message-ID: <20040103204508.GB9278@happy-idiot-talk.infracaninophile.co.uk>

On Sat, Jan 03, 2004 at 03:27:33PM -0500, Scott Renna wrote:
> I am using Snort and a few other tools to decide which I'd like best.
> Here's the thing about Lowell's comment on Bridging. Is this necessary
> in this case? I don't want the interface without an IP to EVER transmit
> outbound. If I need to enable bridging I'll do so. The other thing is,
> is it possible to configure each card to be on a different subnet (like
> xl1 on 10.X.X.X and xl0 on 192.X.X.X)?

Sounds like you want to put the interface into 'monitor' mode -- see
ifconfig(8). If all you want to do on this box is sniff traffic on
your network, that should be sufficient, although you will have to
configure your switches to pump out a copy of each packet they deal
with to the port your box is connected to. It takes quite a
sophisticated switch to actually have that capability.

I'm not sure if you even need to specify an address for the card when
used in this way: I think it should just pick up any traffic it sees.
There's no problem with having multiple interfaces sniffing on
multiple networks, or even having the traffic from several networks
all directed to the same interface for sniffing.

An alternative way of doing this, which is what I presume Lowell was
on about, is to make the sniffing box a bridge between two network
segments. In this case, you can't use the ifconfig monitor stuff as
the machine will have to forward packets between its interfaces, and
the machine will have to have one IP number on that network, so it
can't be invisible.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                 26 The Paddocks
                                                Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey   Marlow
Tel: +44 1628 476614                            Bucks., SL7 1TH UK
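
Added example, not part of Matthew Seaman's message: a shell check that a sniffing port is set up the way the reply describes (monitor mode, no address). It assumes FreeBSD's ifconfig(8) `monitor` parameter and the usual `flags=...<...>` output layout; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a receive-only sniffing port on FreeBSD.
# Enable monitor mode first (see ifconfig(8)):  ifconfig xl1 monitor up
# Then run:  ifconfig xl1 | sensor_iface_findings

# Reads `ifconfig <iface>` output on stdin, prints one finding per line.
# Prints nothing when the port looks like a passive sensor port.
sensor_iface_findings() {
    awk '
        # First line of the stanza: "xl1: flags=48843<UP,...,MONITOR> ..."
        /^[a-z]+[0-9]+: flags=/ {
            seen = 1
            flags = $0
            sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) has[f[i]] = 1
        }
        # A configured address means the host can answer on this wire.
        $1 == "inet" || $1 == "inet6" { print "address configured: " $2 }
        END {
            if (!seen) { print "no interface stanza found"; exit }
            if (!has["UP"]) print "interface is not UP"
            if (!has["MONITOR"]) print "MONITOR flag not set: interface may transmit"
        }
    '
}

# Returns 0 only when there are no findings.
sensor_iface_ok() {
    [ -z "$(sensor_iface_findings)" ]
}

# Constructed sample output (assumed layout, not captured from a real host).
SAMPLE_MONITOR='xl1: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> mtu 1500
	options=9<RXCSUM,VLAN_MTU>
	ether 00:00:5e:00:53:01
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active'
SAMPLE_NORMAL='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	ether 00:00:5e:00:53:02
	status: active'

# Demo: the normally configured port yields two findings.
printf '%s\n' "$SAMPLE_NORMAL" | sensor_iface_findings
```

In the bridge setup described in the last paragraph this check is expected to fail, since a bridging interface cannot be in monitor mode.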