Date:      Sat, 3 Jan 2004 20:45:08 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Scott Renna <srenna@vdbmusic.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: problem with 2 nics in same box
Message-ID:  <20040103204508.GB9278@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <000201c3d238$070d2790$0201a8c0@mars>
References:  <3FF6FB80.2080807@cream.org> <000201c3d238$070d2790$0201a8c0@mars>

On Sat, Jan 03, 2004 at 03:27:33PM -0500, Scott Renna wrote:
> I am using Snort and a few other tools to decide which I'd like best.
> Here's the thing about Lowell's comment on Bridging.  Is this necessary
> in this case?  I don't want the interface without an IP to EVER transmit
> outbound.  If I Need to enable bridging I'll do so.  The other thing is,
> is it possible to configure each card to be on a different subnet(like
> xl1 on 10.X.X.X and xl0 on 192.X.X.X)?

Sounds like you want to put the interface into 'monitor' mode -- see
ifconfig(8).  If all you want to do on this box is sniff traffic on
your network, that should be sufficient, although you will have to
configure your switches to pump out a copy of each packet they deal
with to the port your box is connected to.  It takes quite a
sophisticated switch to actually have that capability.

I'm not sure if you even need to specify an address for the card when
used in this way: I think it should just pick up any traffic it sees.
There's no problem with having multiple interfaces sniffing on
multiple networks, or even having the traffic from several networks
all directed to the same interface for sniffing.

An alternative way of doing this, which is what I presume Lowell was
on about, is to make the sniffing box a bridge between two network
segments.  In this case, you can't use the ifconfig monitor stuff as
the machine will have to forward packets between its interfaces, and
the machine will have to have one IP number on that network, so it
can't be invisible.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

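As an added example (not part of the original thread, and not Matthew's or Scott's code), here is a small POSIX sh check for the monitor-mode setup Matthew describes: a FreeBSD NIC put into monitor mode with `ifconfig xl1 up monitor` shows `MONITOR` in its ifconfig(8) flags, and a sniffing port that must never transmit should also carry no inet/inet6 address. The script classifies an interface from ifconfig output. The ifconfig text is constructed to look like FreeBSD output; the interface names xl0/xl1 are taken from the thread, and the verdict names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether a FreeBSD
# NIC is set up as a silent sniffing port. With IFF_MONITOR ("ifconfig
# xl1 up monitor") the kernel transmits nothing on that interface and
# discards received frames after bpf(4) has seen them, so Snort still
# gets every packet. A proper sniffing interface therefore shows MONITOR
# in its flags and carries no inet/inet6 address. The ifconfig(8) text
# below is constructed to look like FreeBSD output; xl0/xl1 are the
# interface names used in the thread.

# Constructed sample: xl0 is the management NIC with an address, xl1 is
# the sniffing NIC in monitor mode with no address.
SAMPLE_GOOD='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:50:da:11:22:33
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
xl1: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
	ether 00:50:da:44:55:66
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active'

# Constructed sample: xl1 was given a 10.x address instead, so it will
# answer ARP and is reachable on that segment.
SAMPLE_ADDR='xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:50:da:44:55:66
	inet 10.0.0.2 netmask 0xff000000 broadcast 10.255.255.255
	status: active'

# Constructed sample: xl1 is up with no address, but monitor mode was
# never set, so nothing guarantees it stays silent.
SAMPLE_NOMON='xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:50:da:44:55:66
	status: active'

# iface_block NAME TEXT: print the stanza for interface NAME, i.e. its
# header line and the indented lines that follow it, nothing else.
iface_block() {
	printf '%s\n' "$2" | awk -v want="$1:" '
		/^[^ \t]/ { inblock = ($1 == want) }
		inblock   { print }'
}

# sniff_verdict NAME TEXT: classify interface NAME as a no-IP sniffing port.
#   monitor-ok   MONITOR set and no inet/inet6 line: the kernel cannot transmit
#   has-address  carries an IP, so the box is reachable on that segment
#   no-monitor   no address, but nothing stops the interface from transmitting
#   missing      NAME does not appear in the output
sniff_verdict() {
	block=$(iface_block "$1" "$2")
	if [ -z "$block" ]; then
		echo missing
		return
	fi
	if printf '%s\n' "$block" | grep -Eq '^[[:space:]]+inet6? '; then
		echo has-address
		return
	fi
	if printf '%s\n' "$block" | head -n 1 | grep -q 'MONITOR'; then
		echo monitor-ok
	else
		echo no-monitor
	fi
}

# On the sniffing box itself you would run (shown, not executed here):
#   ifconfig xl1 up monitor          # silence the NIC, keep feeding bpf(4)
#   sniff_verdict xl1 "$(ifconfig)"  # expect monitor-ok
echo "xl0 (good box):   $(sniff_verdict xl0 "$SAMPLE_GOOD")"   # has-address
echo "xl1 (good box):   $(sniff_verdict xl1 "$SAMPLE_GOOD")"   # monitor-ok
echo "xl1 (with IP):    $(sniff_verdict xl1 "$SAMPLE_ADDR")"   # has-address
echo "xl1 (no monitor): $(sniff_verdict xl1 "$SAMPLE_NOMON")"  # no-monitor
echo "xl2 (absent):     $(sniff_verdict xl2 "$SAMPLE_NOMON")"  # missing
```

Two things the check cannot tell you. First, as Matthew notes, a monitor-mode port only sees what the switch sends it, so the switch port has to be mirrored (SPAN) for this to be useful; an unmirrored port will show only broadcasts and the box's own unicast, which looks like "no traffic" rather than a misconfiguration. Second, if you take the bridging route instead, the interfaces must forward, so MONITOR is off the table; on current FreeBSD that is if_bridge(4) (`ifconfig bridge0 create`, then `ifconfig bridge0 addm xl0 addm xl1 up`), and the bridge needs an address if you want to reach the box over it, which is exactly the visibility trade-off described in the message.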