[Snort-users] Combining two FreeBSD interfaces using Netgraph, part 2

Richard Bejtlich richard_bejtlich at ...131...
Mon Dec 22 11:14:16 EST 2003

Hello all,

People often ask how to combine two tap outputs such
that they can be monitored as a single stream.  

Previously I posted a way to bond two interfaces using
FreeBSD's netgraph facility and ng_one2many.  That
initial method "wasted" a real third interface against
which a sniffing program would be run:


Recently I developed a way to bond two interfaces
using ng_fec that created a virtual fec0 interface:


I was advised that using ng_one2many was a better idea
because ng_fec wasn't considered to be very stable,
although I've used it successfully for the last three

Today I figured out how to create a virtual third
interface and use it with ng_one2many.  Here's how:

# sf2 and sf3 are real interfaces which receive tap
# outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the
# real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

The various ngctl statements automatically load the
required KLDs, although ng_ether must be loaded first
as noted.  The result looks like:

bourque# kldstat
Id Refs Address    Size     Name
 1    6 0xc0100000 43d388   kernel
 2    1 0xc20d4000 3000     ng_ether.ko
 3    3 0xc20d8000 9000     netgraph.ko
 4    1 0xc20e8000 3000     ng_socket.ko
 5    1 0xc20ec000 3000     ng_eiface.ko
 6    1 0xc20ef000 3000     ng_one2many.ko

Sniffing works:

bourque# tcpdump -n -i ngeth0 icmp
tcpdump: WARNING: ngeth0: no IPv4 address assigned
tcpdump: listening on ngeth0
13:42:49.322474 > icmp: echo
13:42:49.340745 > icmp: echo


Richard Bejtlich
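
The procedure in the post above, generalized to any number of tap-facing interfaces. This is an added example, not part of the original post: the function names bond_cmds and valid_ifname are hypothetical, and it assumes the new eiface node is named ngeth0 (as in the post) and that extra interfaces attach to the next ng_one2many hooks (many2, many3, ...). It only prints the commands and runs nothing itself.

```shell
#!/bin/sh
# Added example: print the netgraph commands from the post for N real
# interfaces. Nothing is executed here; the output is a plan to review.

# Accept only plain interface names such as sf2 or em0, so a typo or a
# stray shell metacharacter never ends up in the generated commands.
valid_ifname() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# bond_cmds VIRT REAL1 REAL2 [REAL3 ...]
# VIRT is the name the eiface node is expected to receive (assumption:
# ngeth0 for the first eiface created, as shown in the post).
bond_cmds() {
    virt=$1; shift
    valid_ifname "$virt" || { echo "bad name: $virt" >&2; return 1; }
    [ "$#" -ge 2 ] || { echo "need at least two real interfaces" >&2; return 1; }
    for i in "$@"; do
        valid_ifname "$i" || { echo "bad name: $i" >&2; return 1; }
    done

    # ng_ether first, so netgraph can see the real interfaces
    echo "kldload ng_ether"
    for i in "$@"; do
        echo "ifconfig ${i} promisc -arp up"
    done
    # create the virtual interface and hang a one2many node below it
    echo "ngctl mkpeer . eiface hook ether"
    echo "ngctl mkpeer ${virt}: one2many lower one"
    # each real interface takes the next "many" hook: many0, many1, ...
    n=0
    for i in "$@"; do
        echo "ngctl connect ${i}: ${virt}:lower lower many${n}"
        n=$((n + 1))
    done
    echo "ifconfig ${virt} -arp up"
}
```

For the two-tap case in the post, call it as: bond_cmds ngeth0 sf2 sf3. Review the printed commands, then run them as root on the FreeBSD sensor.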
