Date: Wed, 23 Oct 2002 11:49:56 -0500
From: Peter Erickson
To: freebsd-questions@freebsd.org
Subject: ethernet tap and netgraph
Message-ID: <20021023164956.GA28440@redlamb.net>

I am in the process of adding a machine running Snort to my network and I am having problems getting it to work correctly. My problem is that I bought a network tap (Finisar UTP/1) and have connected the ports (A and B) to the link in between my internet router and firewall. I then connected the tap ports to 2 different NICs on a machine running 4.6 and Snort 1.9.0. Now the problem is that Snort will only watch one interface, so I can't tell it to watch both directions of traffic.
I believe that there is a way to use netgraph to bind the 2 interfaces connected to the network tap together so that I can use Snort to monitor both directions of traffic, but I'm not too sure how to do it. I have tried using nf_fec and ng_one2many, but I have had no luck with either one. So my question is this: Does anyone know of a way to bind 2 NICs together so that I can use Snort to monitor ALL traffic coming in on both of them? If it matters, I am not assigning an IP address to the NICs either. Thanks in advance.