[Snort-users] Taps

Bennett Todd bet at ...6163...
Mon Jun 16 07:00:28 EDT 2003

2003-06-16T08:30:47 Poppi, Sandro:
> I've been using linux' "channel bonding" feature with [ to
> aggregate traffic from multiple NICs into a single snort ]
> Worked without probs (as far as I remember ;)

No problems, but a couple of warnings.

(1) Unless you're using a very recent (not yet integrated into any
    standard kernel dist as far as I know) bonding driver, you
    _must_ ifconfig the bond0 interface promisc before you
    ifenslave --- until very recently, the bonding driver doesn't
    propagate promisc mode down to the enslaved interfaces except at
    ifenslave time; snort's setting the interface promisc won't

(2) When you ifenslave unnumbered interfaces, ifenslave howls, all
    sorts of warnings about its inability to propagate addresses
    back and forth. These can be safely ignored, it works fine.

The above caveats notwithstanding, this setup works great, I don't
know a better way to aggregate traffic from multiple NICs into one
snort --- on Linux. This is very very low overhead, and simple.

Other platforms will of course need other solutions. I don't know
what's the recommended approach with OpenBSD.
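An added example, not part of the original post: a check for caveat (1) that confirms promiscuous mode actually reached the bond and every enslaved NIC before the sensor is trusted. It assumes a Linux kernel that exposes `/proc/net/bonding/<bond>` and `/sys/class/net/<if>/flags`; the function names `is_promisc` and `check_bond` are hypothetical.

```shell
#!/bin/sh
# Verify that a bonding interface and all of its slaves are promiscuous.
# Usage: check_bond BOND [SYSFS_NET_DIR] [PROC_BONDING_FILE]
# The optional arguments exist so the check can run against test fixtures.

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# is_promisc IFACE SYSFS_NET_DIR
# Returns 0 if IFF_PROMISC is set, 1 if not, 2 if the flags file is unreadable.
is_promisc() {
    flags=$(cat "$2/$1/flags" 2>/dev/null) || return 2
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# check_bond BOND [SYSFS_NET_DIR] [PROC_BONDING_FILE]
# Returns 0 if everything is promiscuous, 1 if any interface is not,
# 2 if the bond has no status file or no slaves.
check_bond() {
    bond=$1
    sysnet=${2:-/sys/class/net}
    procfile=${3:-/proc/net/bonding/$bond}
    rc=0
    [ -r "$procfile" ] || { echo "$bond: cannot read $procfile" >&2; return 2; }
    # The bonding driver lists each slave as "Slave Interface: ethN".
    slaves=$(sed -n 's/^Slave Interface: //p' "$procfile")
    [ -n "$slaves" ] || { echo "$bond: no enslaved interfaces" >&2; return 2; }
    for ifc in "$bond" $slaves; do
        if is_promisc "$ifc" "$sysnet"; then
            echo "OK   $ifc is promiscuous"
        else
            echo "FAIL $ifc is not promiscuous; snort will miss traffic on it"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when called with arguments, e.g.: ./script bond0
if [ "$#" -gt 0 ]; then
    check_bond "$@"
fi
```

A non-zero exit on a sensor means the bond should be rebuilt in the order given above: set bond0 promisc first, then ifenslave.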

