Date:      Tue, 4 Jul 2000 00:17:34 -0400 
From:      Nick Evans <nevans@nextvenue.com>
To:        'Dan Nelson' <dnelson@emsphone.com>
Cc:        "'freebsd-hackers@freebsd.org'" <freebsd-hackers@freebsd.org>
Subject:   RE: BPF and Promiscuous Mode
Message-ID:  <712384017032D411AD7B0001023D799B07C93C@SN1EXCHMBX>

Exactly, I just tried it and it didn't work :(.  Yes you are right on, NFR
is a sniffer/ids, but it is based on the OpenBSD kernel and therefore does
not support multiple processors. I just tried bridging and it does in fact
bridge all interfaces together, but it still does not appear to be mirroring
all traffic from one interface to another. Apparently there are issues with
IPFilter and FreeBSD... I am going to try OpenBSD and IPFilter tonight. The
IPFilter people know that bridging works on OpenBSD, and you can bridge
specific interfaces.

-----Original Message-----
From: Dan Nelson [mailto:dnelson@emsphone.com]
Sent: Monday, July 03, 2000 10:34 PM
To: Nick Evans
Subject: Re: BPF and Promiscuous Mode



Is there any reason you're not CC'ing the list?  I added it back on my
first reply on the assumption you simply forgot, but this email is
missing it too.  It's good to have exchanges like these in the
mailing-list archives, to help other people that might have the same
question later.

In the last episode (Jul 03), Nick Evans said:
> actually it's like this
> 
> <router> --- <switch>
> 			|
> 			| <- mirrored port
> 		<freebsdbox>
> 			|
> 			|
> 	     <vlan'd switch>
> 		|	|	|
> 		|	|	|
> 	    <nfr> <nfr> <nfr>
> 
> the nfr boxes do not have ip's so i just need the traffic duplicated
> (so routing is out of the question), but i wanted to use ipfilter to,
> get this, filter the traffic so not all the ida's see all the
> traffic. they simply cannot handle 600Mbits each... my plan is to put
> a gig interface, or two, into the BSD box and several dualport server
> adaptors and then segment that traffic down. bridging might work, but
> i do not know how to bind certain interfaces together in FreeBSD,
> OpenBSD, yes, but not Free...

Aahh.  An nfr is a sniffer.  I assumed that you were load-balancing web
servers or something, which was confusing me a bit since you don't want
to use mirroring for this.  For your purposes, mirroring is perfect.

I think enabling bridging, and then using ipfilter or ipfw to only
allow (say) 1/3 of the Net addresses to each server (assuming you have
3 nfr's), would do what you want.  I wonder if NFR will take advantage
of multiple CPUs in a single box.  That way you don't have to worry
about any of this.

In the last episode (Jul 03), Nick Evans said:
> actually a better question would have been, do you know if you can
> bridge multiple interfaces to one other interface like 4 100mbit nics
> to one gigabit nic?

I assume so.  The bridge manpage mentions the inability to selectively
bridge certain interfaces, so the default must be to bridge all
ethernet interfaces.  You can probably add some filtering rules to make
sure you don't re-transmit packets out of your gigabit NICs.

-- 
	Dan Nelson
	dnelson@emsphone.com
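The address-based split Dan proposes (bridge everything, then let each sensor interface see only a third of the monitored addresses) as an added worked example; this is editor-written code, not anything from the thread or from NFR. It assumes a monitored prefix of 10.1.0.0/24 and sensor interfaces named fxp1, fxp2 and fxp3 (both hypothetical), and keys the choice of sensor on the monitored endpoint so both directions of a flow land on the same box.

```python
"""Split one mirrored feed across N passive sensors by monitored address."""
import ipaddress
from collections import Counter

MONITORED = ipaddress.ip_network("10.1.0.0/24")   # assumed monitored prefix
SENSOR_IFS = ["fxp1", "fxp2", "fxp3"]              # hypothetical interface names


def split_prefix(net, n):
    """Divide net into n near-equal address ranges, each returned as a list
    of CIDR blocks: 256 hosts do not divide into three CIDRs, so each share
    is summarised into several blocks instead of one clean subnet."""
    first, last = int(net[0]), int(net[-1])
    size = last - first + 1
    shares = []
    for k in range(n):
        lo = first + (size * k) // n
        hi = first + (size * (k + 1)) // n - 1
        shares.append(list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi))))
    return shares


def sensor_for(src, dst, shares):
    """Pick the sensor by whichever endpoint lies in the monitored prefix, so
    request and reply reach the same sensor.  Returns None for traffic that
    touches no monitored address (it falls through to the deny rule)."""
    for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        if addr in MONITORED:
            for k, blocks in enumerate(shares):
                if any(addr in b for b in blocks):
                    return k
    return None


def ipfw_rules(shares, ifaces):
    """Render ipfw-style allow/deny lines per sensor interface (illustrative)."""
    lines = []
    for blocks, ifc in zip(shares, ifaces):
        for b in blocks:
            lines.append(f"allow ip from {b} to any via {ifc}")
            lines.append(f"allow ip from any to {b} via {ifc}")
        lines.append(f"deny ip from any to any via {ifc}")
    return lines


# Constructed sample flows (src, dst); 192.0.2.x / 198.51.100.x are outside hosts.
SAMPLE = [("10.1.0.5", "192.0.2.1"), ("192.0.2.1", "10.1.0.5"),
          ("10.1.0.100", "198.51.100.7"), ("10.1.0.250", "198.51.100.7"),
          ("192.0.2.9", "198.51.100.7")]


def load_per_sensor(flows, shares):
    """Count how many sample packets each sensor would receive."""
    return Counter(sensor_for(s, d, shares) for s, d in flows)
```

A split by address balances hosts, not bytes: one busy server can still push its whole share past what a single sensor handles, which is why the sample load count is worth checking against real traffic.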


