[Snort-users] Combining NIC interfaces on FreeBSD

Richard Bejtlich richard_bejtlich at ...131...
Tue Jun 17 05:39:40 EDT 2003


This message is intended as a reply to Paul Powenski
on his question of taps and combining NIC interfaces.

Thanks to help from Andrew Fleming of the Fort Hays
State University Computing Center, I was able to get
my FreeBSD 5.0 REL box to "mirror" two interfaces onto
a third interface via netgraph(4).  I am still
researching exactly how the syntax works, since it was
a result of Andrew's advice plus trial-and-error.

My box has an Adaptec ANA-62044
(http://www.adaptec.com/worldwide/support/suppdetail.html?prodkey=ANA-62044)
quad NIC with interfaces sf0, sf1, sf2, and sf3.  

I'm pinging Google in the following examples to show
how the setup works.  

sf0 receives one tap output and sees traffic from the
Internet to my local network:

archangel# tcpdump -n -i sf0 icmp
tcpdump: WARNING: sf0: no IPv4 address assigned
tcpdump: listening on sf0
09:59:47.405557 216.239.39.99 > 66.84.139.55: icmp:
echo reply
09:59:48.410259 216.239.39.99 > 66.84.139.55: icmp:
echo reply

sf1 receives the other tap output and sees traffic
from my local network to the Internet:

tcpdump: WARNING: sf1: no IPv4 address assigned
tcpdump: listening on sf1
09:59:47.392652 66.84.139.55 > 216.239.39.99: icmp:
echo request
09:59:48.396558 66.84.139.55 > 216.239.39.99: icmp:
echo request
sf2 is a real interface, but via netgraph it sees both
sf0 and sf1:

archangel# tcpdump -n -i sf2 icmp
tcpdump: listening on sf2
09:59:47.420730 66.84.139.55 > 216.239.39.99: icmp:
echo request
09:59:47.420742 216.239.39.99 > 66.84.139.55: icmp:
echo reply
09:59:49.401587 66.84.139.55 > 216.239.39.99: icmp:
echo request
09:59:49.401600 216.239.39.99 > 66.84.139.55: icmp:
echo reply

Here is the script I use to configure the interfaces. 
It is based on Andrew's input, this article
(http://www.daemonnews.org/200003/netgraph.html), and
several newsgroup postings:

--

#!/bin/sh
# Load the netgraph Ethernet node type (one node per interface, named
# sf0:, sf1:, sf2:, ...) and the one2many node type that fans several
# hooks into a single hook.
kldload /boot/kernel/ng_ether.ko
kldload /boot/kernel/ng_one2many.ko

# The tap legs need no address, only to be up.  sf2 is the interface
# the sniffer listens on.
ifconfig sf0 up
ifconfig sf1 up
ifconfig sf2 10.10.10.10 netmask 255.255.255.0 up

# Sanity check: list the nodes ng_ether created.
ngctl list

# Hang a one2many node off sf2's "lower" hook; the node's "one" hook
# faces sf2.
ngctl mkpeer sf2: one2many lower one
# Connect each tap leg's "lower" hook (frames received from the wire)
# to a "many" hook of that node, which is addressed by the path sf2:lower.
ngctl connect sf0: sf2:lower lower many0
ngctl connect sf1: sf2:lower lower many1

# Accept every frame the taps deliver, not only those addressed to the NIC.
ngctl msg sf0: setpromisc 1
ngctl msg sf1: setpromisc 1

# xmitAlg=1: round-robin; failAlg=1: manual link failure handling;
# enabledLinks: both many0 and many1 active.  Frames arriving on any
# "many" hook are forwarded out "one", i.e. into sf2, where tcpdump
# and snort see them.
ngctl msg sf2:lower setconfig "{ xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 ] }"

--

Since you saw me run tcpdump against sf2, you can
imagine running snort, argus, trafd, and any other app
which listens on a promiscuous interface.

I have several "to-do" items for this.  

1.  Document exactly how the ngctl commands do their
magic.
2.  Determine if I can create a completely "virtual"
interface to free sf2 for other duties.  sf2 is
currently a real interface without a cable.  It just
mirrors sf0 and sf1.
3.  Stress-test the setup to see how well netgraph
handles high traffic loads.  Notice the timestamp
differences between sf0/sf1 and sf2.

Sincerely,

Richard Bejtlich
richard at taosecurity dot com
http://taosecurity.com
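The two-leg script above, generalised to any number of tap legs, as an added example that is not part of Richard's post or of any FreeBSD tool. It builds the same one2many topology (one "many" hook per tap, enabledLinks with one entry per leg, the same xmitAlg/failAlg values), puts the taps into promiscuous mode, and adds a teardown. Interface names sf0, sf1 and sf2 are from the post; everything else (the function names, the DRY_RUN switch, and the assumption that the monitor interface needs no IP address, only to be up) is mine. With DRY_RUN=1 the commands are printed instead of executed, so the generated configuration can be reviewed on a box without netgraph.

```shell
#!/bin/sh
# Added example: fan N tap interfaces into one monitoring interface with
# netgraph's ng_one2many, generalising the two-leg script from the post.
# Assumptions: ngctl/kldload/ifconfig are FreeBSD's; the monitor interface
# only needs to be up (no address is assigned here); DRY_RUN=1 prints the
# commands instead of running them.

# run CMD... : execute, or with DRY_RUN=1 print, one command line.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# one2many_config MON TAP... : mirror every TAP into MON.
one2many_config() {
    mon=$1; shift
    [ $# -ge 1 ] || { echo "usage: one2many_config MON TAP..." >&2; return 1; }

    # kldload fails harmlessly if the module is already loaded.
    run kldload ng_ether || true
    run kldload ng_one2many || true

    for t in "$@"; do run ifconfig "$t" up; done
    run ifconfig "$mon" up

    # one2many node hangs off MON's "lower" hook; its "one" hook faces MON.
    run ngctl mkpeer "$mon:" one2many lower one

    # Each tap's "lower" hook (frames from the wire) goes to manyN, and the
    # tap is made promiscuous so it accepts everything the tap delivers.
    i=0; links=""
    for t in "$@"; do
        run ngctl connect "$t:" "$mon:lower" lower "many$i"
        run ngctl msg "$t:" setpromisc 1
        links="$links 1"
        i=$((i + 1))
    done

    # xmitAlg=1 round-robin, failAlg=1 manual, one enabledLinks entry per leg.
    run ngctl msg "$mon:lower" setconfig \
        "{ xmitAlg=1 failAlg=1 enabledLinks=[$links ] }"
}

# one2many_teardown MON TAP... : remove the node and restore the taps.
one2many_teardown() {
    mon=$1; shift
    # Shutting down the one2many node (reached via MON's lower hook)
    # disconnects all of its hooks; the ng_ether nodes themselves remain.
    run ngctl shutdown "$mon:lower"
    for t in "$@"; do run ngctl msg "$t:" setpromisc 0; done
}

# Command-line use: sh mirror.sh sf2 sf0 sf1   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    one2many_config "$@"
fi
```

After running it for real, `ngctl show sf2:lower` lists the one2many node with its "one" hook and one "many" hook per tap leg, which is the quickest way to confirm the topology before starting snort on sf2.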

