----- Forwarded message from John <strgout@mail.unixjunkie.com> -----

Date: Mon, 15 Dec 2003 17:58:15 -0600
From: John <strgout@mail.unixjunkie.com>
To: freebsd-stable@freebsd.org
Subject: interface bonding
User-Agent: Mutt/1.4i

Is there any way to bond sniffer interfaces? I've read a little on netgraph and it seems like I may be able to use that, but I'm not sure how to go about that.

Basically the end result is to have snort listen on a virtual interface, which will have data sent to it from say fxp0 and fxp1. I also want to make sure that data from fxp0, fxp1 or $VIRTUAL doesn't get sent out fxp1 or fxp0 for some reason.

----- End forwarded message -----

I'm sure I checked this before, but a google search turned up this.

ngctl mkpeer fec dummy fec
ngctl msg fec0: add_iface '"sf2"'
ngctl msg fec0: add_iface '"sf3"'
ngctl msg fec0: set_mode_inet
ifconfig sf2 promisc
ifconfig sf3 promisc
ifconfig fec0 promisc

after this fec0 will be the virtual if that gets the frames.

This does depend on the fec module.
# cd /usr/src/sys/modules/netgraph/fec/
# make && make install

http://taosecurity.blogspot.com/ <- this is where I found it.
which points out this poster.
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ids/2003-10/0029.html

So is there a reason the netgraph fec module isn't built by default?
John <strgout@unixjunkie.com> writes:

|So is there a reason the netgraph fec module isn't built by default?

Yes. It's not very stable. Better use ng_one2many.

----
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
And here I was about to ask if there was something wrong with freebsd-stable. DOH! :)
Hello,

I operate http://taosecurity.blogspot.com and http://www.taosecurity.com. I posted a method to use ng_one2many for bonding interfaces here in June:

http://marc.theaimsgroup.com/?l=snort-users&m=105585533810122&w=2

That method relies on three real interfaces: the two to be bonded and a third against which traffic is mirrored. I've not had luck creating a third "virtual" interface against which to sniff. Using ng_fec, however, a fec0 interface is created automatically. That's what I'm using now on my NSM sensor and it works fine.

I appreciate any hints on creating a virtual interface to use for sniffing with ng_one2many. If you can help me do that I'll use ng_one2many instead of ng_fec. ng_fec doesn't have a man page, which is enough for me to avoid it if possible. :)

Thank you,

Richard
http://www.taosecurity.com
Thanks to Dmitry's tip on ng_eiface, I'm happy to report using the following configuration to bond interfaces with ng_one2many and a virtual interface ngeth0. sf2 and sf3 are real interfaces connected to my 10/100 tap.

--
kldload ng_ether
kldload ng_one2many
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1
ifconfig ngeth0 -arp up
--

It works:

bourque# tcpdump -n -i ngeth0 icmp
tcpdump: WARNING: ngeth0: no IPv4 address assigned
tcpdump: listening on ngeth0
13:42:49.322474 86.84.6.72 > 216.239.39.99: icmp: echo request
13:42:49.340745 216.239.39.99 > 86.84.6.72: icmp: echo reply

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
Ruslan wisely encouraged me to post the end result of my interface bonding quest. Here's how I bring up interfaces sf2 and sf3 against a new ngeth0 interface. I sniff the ngeth0 interface to see both TX outputs from my NetOptics tap:

kldload ng_ether
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up
ngctl -f - << EOF
mkpeer eiface dummy ether
name .:dummy bond0
EOF
ngctl mkpeer bond0: one2many ether one
ngctl connect sf2: bond0:ether lower many0
ngctl connect sf3: bond0:ether lower many1
ifconfig ngeth0 -arp up

Thanks to everyone who provided input.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
Hello,

On 9 Jan 04 I posted a method for bonding interfaces using netgraph for purposes of sniffing tap outputs as a single virtual interface. Unfortunately, the method I posted creates two copies of every packet. I have used the following to successfully collect only one copy of packets sent from the two TX streams of a network tap:

#!/bin/sh
# sf2 and sf3 are real interfaces which receive tap
# outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the
# real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up
--

Sorry for the confusion earlier. I appreciate any comments on how to improve this method. Please check my 9 Jan post to see the setup which created the dual packets.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
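The script below is an added example and not code from any poster in this thread. It generalizes the ng_one2many recipe in the final post (and the earlier ng_eiface variants) from the two interfaces sf2 and sf3 to any number of tap output interfaces, numbering the one2many links many0, many1, ... in order, and it refuses interface names that are not plain identifiers before they are handed to ifconfig or ngctl. It assumes a FreeBSD host with ng_ether available (the other netgraph types are loaded on demand by mkpeer) and a kldstat that accepts -q -m; the eiface hook name defaults to "ether" as documented in ng_eiface(4), while the final post above connects through "lower", so set EIFACE_HOOK=lower to reproduce that exactly. One detail worth keeping from the posts: a one2many node forwards frames that arrive on its "one" hook out to the many links, so anything the host transmitted on ngeth0 would end up back on a tap leg; leaving ngeth0 and the tap legs with no address and ARP disabled is what keeps the sensor receive-only, and the generated commands preserve that.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# ng_one2many bonding commands for any number of tap output interfaces.
# Assumptions: FreeBSD with ng_ether/ng_eiface/ng_one2many; kldstat -q -m;
# eiface hook name "ether" per ng_eiface(4) (EIFACE_HOOK=lower matches the
# final post). With DRY_RUN=1 nothing is executed, only printed.

EIFACE_HOOK="${EIFACE_HOOK:-ether}"

# Print, one per line, the commands that bond the given interfaces into ngeth0.
# Usage: bond_cmds IFACE [IFACE...]
bond_cmds() {
    [ "$#" -ge 1 ] || { echo "usage: bond_cmds IFACE [IFACE...]" >&2; return 1; }
    # Reject anything that is not a plain interface name: these lines may be
    # fed to a shell later, so no separators or metacharacters get through.
    for ifn in "$@"; do
        case "$ifn" in
            ""|*[!A-Za-z0-9_.]*) echo "bad interface name: $ifn" >&2; return 1 ;;
        esac
    done
    # ng_ether must be present for the real interfaces to appear as nodes;
    # mkpeer loads eiface and one2many itself when needed.
    echo "kldstat -q -m ng_ether || kldload ng_ether"
    # Tap legs: promiscuous, no ARP, no address, so they only ever receive.
    for ifn in "$@"; do
        echo "ifconfig $ifn promisc -arp up"
    done
    # Create ngeth0 and hang a one2many node off its hook; "one" faces ngeth0.
    echo "ngctl mkpeer . eiface hook $EIFACE_HOOK"
    echo "ngctl mkpeer ngeth0: one2many $EIFACE_HOOK one"
    # Each real interface's lower hook becomes one of the many links.
    i=0
    for ifn in "$@"; do
        echo "ngctl connect ${ifn}: ngeth0:${EIFACE_HOOK} lower many$i"
        i=$((i + 1))
    done
    # ngeth0 gets no address and no ARP either: frames the host sent on it
    # would be forwarded out a many link, i.e. back onto a tap leg.
    echo "ifconfig ngeth0 -arp up"
}

# Apply the commands (as root on FreeBSD), or just print them when DRY_RUN is set.
apply_bond() {
    cmds=$(bond_cmds "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Example invocation (prints the plan; drop DRY_RUN to apply it as root):
# DRY_RUN=1 apply_bond sf2 sf3
```

Source the file and call `apply_bond` with the tap output interfaces; run it once with DRY_RUN=1 first and read the printed ngctl lines against `ngctl list` before applying, and tear down with `ngctl shutdown ngeth0:` when the sensor is reconfigured.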