[Snort-users] Combining NIC interfaces on FreeBSD

Richard Bejtlich richard_bejtlich at ...131...
Tue Jun 17 05:39:40 EDT 2003

This message is intended as a reply to Paul Powenski
on his question of taps and combining NIC interfaces.

Thanks to help from Andrew Fleming of the Fort Hays
State University Computing Center, I was able to get
my FreeBSD 5.0 REL box to "mirror" two interfaces onto
a third interface via netgraph(4).  I am still
researching exactly how the syntax works, since it was
a result of Andrew's advice plus trial-and-error.

My box has an Adaptec ANA-62044
quad NIC with interfaces sf0, sf1, sf2, and sf3.  

I'm pinging Google in the following examples to show
how the setup works.  

sf0 receives one tap output and sees traffic from the
Internet to my local network:

archangel# tcpdump -n -i sf0 icmp
tcpdump: WARNING: sf0: no IPv4 address assigned
tcpdump: listening on sf0
09:59:47.405557 > icmp: echo reply
09:59:48.410259 > icmp: echo reply

sf1 receives the other tap output and sees traffic
from my local network to the Internet:

tcpdump: WARNING: sf1: no IPv4 address assigned
tcpdump: listening on sf1
09:59:47.392652 > icmp: echo request
09:59:48.396558 > icmp: echo request

sf2 is a real interface, but via netgraph it sees both
sf0 and sf1:

archangel# tcpdump -n -i sf2 icmp
tcpdump: listening on sf2
09:59:47.420730 > icmp: echo request
09:59:47.420742 > icmp: echo reply
09:59:49.401587 > icmp: echo request
09:59:49.401600 > icmp: echo reply

Here is the script I use to configure the interfaces. 
It is based on Andrew's input, this article
(http://www.daemonnews.org/200003/netgraph.html), and
several newsgroup postings:


#!/bin/sh
# Load the netgraph Ethernet node type and the one2many node type.
kldload /boot/kernel/ng_ether.ko
kldload /boot/kernel/ng_one2many.ko

# Bring up the two tap inputs and the mirror output.
ifconfig sf0 up
ifconfig sf1 up
ifconfig sf2 netmask up   # address and mask are missing from the archived copy

# Diagnostic: list the nodes that already exist.
ngctl list
# Hang a one2many node off sf2's "lower" hook (its "one" side), then
# connect sf0's and sf1's "lower" hooks to its many0 and many1 hooks.
ngctl mkpeer sf2: one2many lower one
ngctl connect sf0: sf2:lower lower many0
ngctl connect sf1: sf2:lower lower many1

# Put both tap inputs into promiscuous mode so they accept every frame.
ngctl msg sf0: setpromisc 1
ngctl msg sf1: setpromisc 1

# Enable both many links. xmitAlg/failAlg only govern the sf2 -> many
# direction; frames arriving on many0/many1 are always passed to sf2.
ngctl msg sf2:lower setconfig "{ xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 ] }"


Since you saw me run tcpdump against sf2, you can
imagine running snort, argus, trafd, and any other app
which listens on a promiscuous interface.

I have several "to-do" items for this.  

1.  Document exactly how the ngctl commands do their
2.  Determine if I can create a completely "virtual"
interface to free sf2 for other duties.  sf2 is
currently a real interface without a cable.  It just
mirrors sf0 and sf1.
3.  Stress-test the setup to see how well netgraph
handles high traffic loads.  Notice the timestamp
differences between sf0/sf1 and sf2.


Richard Bejtlich
richard at taosecurity dot com
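The following is an added example, not Richard's script and not part of the original post. It generalises the same netgraph one2many mirror to any number of tap inputs (the enabledLinks array and the many0, many1, ... hook names are sized from the argument list), adds a verify step that dumps the node's hooks and reads the per-link packet counters that ng_one2many keeps (relevant to to-do item 3), and adds a teardown that shuts the one2many node down and takes the inputs out of promiscuous mode. It uses only kldload, ifconfig and ngctl; the interface names are placeholders, and with DRYRUN=1 set the commands are printed instead of executed so the generated sequence can be inspected first.

```shell
#!/bin/sh
# Added example: netgraph one2many mirror for N tap inputs.
# Usage (as root on FreeBSD):
#   sh mirror.sh setup    sf2 sf0 sf1     # build the mirror onto sf2
#   sh mirror.sh verify   sf2 sf0 sf1     # show hooks and per-link counters
#   sh mirror.sh teardown sf2 sf0 sf1     # remove it again
# Set DRYRUN=1 to print the ngctl commands instead of running them.

# mirror_setup_cmds OUT IN1 [IN2 ...]: emit the commands that attach a
# one2many node to OUT's lower hook and each IN's lower hook to many<i>.
mirror_setup_cmds() {
    out=$1; shift
    echo "kldload ng_ether 2>/dev/null || true"
    echo "kldload ng_one2many 2>/dev/null || true"
    echo "ifconfig $out up"
    echo "ngctl mkpeer ${out}: one2many lower one"
    i=0; links=""
    for in_if in "$@"; do
        echo "ifconfig $in_if up"
        echo "ngctl connect ${in_if}: ${out}:lower lower many$i"
        echo "ngctl msg ${in_if}: setpromisc 1"
        links="$links 1"
        i=$((i + 1))
    done
    # One "1" per input so every many link is enabled.
    echo "ngctl msg ${out}:lower setconfig \"{ xmitAlg=1 failAlg=1 enabledLinks=[$links ] }\""
}

# mirror_verify_cmds OUT IN1 [IN2 ...]: show the node's hooks and the
# ng_one2many per-link stats (getstats takes the many link number).
mirror_verify_cmds() {
    out=$1; shift
    echo "ngctl show ${out}:lower"
    i=0
    for in_if in "$@"; do
        echo "ngctl msg ${out}:lower getstats $i"
        i=$((i + 1))
    done
}

# mirror_teardown_cmds OUT IN1 [IN2 ...]: drop promiscuous mode on the
# inputs and shut the one2many node down, which disconnects its hooks
# and returns each input's received frames to the normal stack path.
mirror_teardown_cmds() {
    out=$1; shift
    for in_if in "$@"; do
        echo "ngctl msg ${in_if}: setpromisc 0"
    done
    echo "ngctl shutdown ${out}:lower"
}

# mirror_apply MODE OUT IN...: print (DRYRUN set) or execute the commands.
mirror_apply() {
    mode=$1; shift
    case "$mode" in
        setup|verify|teardown) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cmds=$("mirror_${mode}_cmds" "$@")
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    setup|verify|teardown) mirror_apply "$@" ;;
esac
```

The teardown shuts down only the one2many node; the ng_ether nodes belong to the interfaces and persist, exactly as they did before the setup ran.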

