Creating span port using netgraph

Frank frank at deze.org
Sat Jan 28 11:52:12 PST 2006


Hi,

I'm trying to set up a "span" interface for use with snort. Basically, 
the span interface should receive a copy of all IP packets seen on my 
real network interfaces, with the purpose that snort can snoop this 
interface.

After reading the manuals, and searching the Internet I came up with the 
following script:

#!/bin/sh

# load ng_ether to get ethernet interfaces
if ! kldstat -v | grep ng_ether > /dev/null 2>&1; then
         kldload ng_ether
fi

# create ngeth0 and bind xl0, xl1, xl2 and xl3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect xl0: ngeth0:lower lower many0
ngctl connect xl1: ngeth0:lower lower many1
ngctl connect xl2: ngeth0:lower lower many2
ngctl connect xl3: ngeth0:lower lower many3

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 monitor up

After I run this script, all network connections freeze and I lose all 
IP connectivity. If I tcpdump on any interface (xl? or ngeth0) no traffic 
is visible.

Maybe I'm overlooking the obvious, but I do not understand why it does 
not work...

Any help is appreciated! I'm using FreeBSD 6-STABLE.

Regards,

Frank
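An added example, not part of the original post and not Frank's script: a way to build the same read-only span interface with netgraph so that the physical interfaces keep their connectivity. Instead of stealing each interface's "lower" hook, it splices an ng_tee between the driver ("lower") and the protocol stack ("upper") of every interface, and feeds the tee's copy hooks (right2left and left2right) through an ng_one2many node into the "ether" hook of an ng_eiface (ngeth0). The node names "span_mux" and "<if>_tee" are my own choice, and the script only prints the ngctl commands unless invoked with "apply", so it can be reviewed before touching the kernel graph.

```shell
#!/bin/sh
# Added example: mirror traffic from physical interfaces into ngeth0
# without diverting it away from the IP stack. Node names span_mux and
# <if>_tee are assumptions of this example, not netgraph defaults.

# Print the ngctl/ifconfig commands that mirror the given interfaces
# (e.g. "span_commands xl0 xl1 xl2 xl3") into a monitor-only ngeth0.
span_commands() {
    n=0
    # Create ngeth0. Its "ether" hook is attached to this ngctl's socket,
    # which disappears when ngctl exits, leaving the eiface node hookless.
    echo "ngctl mkpeer . eiface hook ether"
    # Hang a one2many mux on ngeth0's ether hook; packets arriving on any
    # many<N> hook are forwarded out "one", i.e. appear as received on ngeth0.
    echo "ngctl mkpeer ngeth0: one2many ether one"
    echo "ngctl name ngeth0:ether span_mux"
    # Explicitly enable all 16 links (round-robin xmit, manual failure).
    echo "ngctl msg span_mux: setconfig \"{ xmitAlg=1 failAlg=1 enabledLinks=[ 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ] }\""
    for ifn in "$@"; do
        # Splice a tee between the driver (lower) and the stack (upper):
        # wire -> lower -> tee right -> tee left -> upper -> IP stack, and
        # the reverse direction for transmitted frames. Connectivity stays.
        echo "ngctl mkpeer ${ifn}: tee lower right"
        echo "ngctl connect ${ifn}: ${ifn}:lower upper left"
        echo "ngctl name ${ifn}:lower ${ifn}_tee"
        # The tee emits a copy of each direction on right2left (received
        # frames) and left2right (transmitted frames); both go to the mux.
        echo "ngctl connect ${ifn}_tee: span_mux: right2left many${n}"
        n=$((n + 1))
        echo "ngctl connect ${ifn}_tee: span_mux: left2right many${n}"
        n=$((n + 1))
    done
    # Monitor mode: ngeth0 never transmits, so nothing can flow back from
    # "one" into the tee copy hooks and out onto the real wires.
    echo "ifconfig ngeth0 monitor up"
}

# Load ng_ether (needed for the xl0:-style interface nodes) and run the
# generated commands, stopping at the first failure.
span_apply() {
    kldstat -v | grep -q ng_ether || kldload ng_ether
    span_commands "$@" | sh -e
}

# Usage: ./span.sh apply xl0 xl1 xl2 xl3   (as root; without "apply" the
# script only defines the functions so the commands can be inspected).
case "${1:-}" in
    apply) shift; span_apply "$@" ;;
esac
```

Each interface gets its own tee, so the only shared element is the one2many mux, and because ngeth0 is in monitor mode the copy hooks are strictly one-way. Between the `mkpeer ... tee lower right` and the following `connect` there is a brief window where received frames reach an unconnected tee hook and are dropped; doing the work interface by interface keeps that window to a few milliseconds, and snort can then be pointed at ngeth0.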
