Bridge Port mirroring

Hi,

Is there a way to do port mirroring and use a destination epair (on the same bridge)?
I would like to capture all the traffic from a specific bridge (or a couple of ports, but I don't see a way to select the source port on the ifconfig span command) and send it to an epair as a destination, where a jail with a monitoring solution is installed. This is strange to me, by the way, as most SPAN mirroring solutions give this capability, since spanning all of a bridge's traffic could be dangerous... but maybe I am missing something.

Code:
ifconfig bridge0 span e26a_ak
ifconfig: BRDGADDS e26a_ak: Device busy

Is there a way to do it? Or even using another epair from another bridge, but it looks like only physical or tap ports from the bridge are accepted.

Many thanks
 
I'm not sure I understand your question well. An epair can be "spanned" to a bridge, but then this interface can't be used for any other purpose. It's the same for a physical interface.

You need one interface for sniffing and another one to communicate with the sniffer.
 
Thanks, and yes, I am well aware that a destination span port cannot be used for communication and that there is a need for another interface for that.

My problem is that if I try to use my e26a_ak epair interface as the destination for the bridge0 ifconfig span command, I get a "device busy".

Is there a need to put the epair into a special mode to make it work? For context, and as I mentioned previously, this epair is used in a jail where my sniffer is installed, and that is where I would like to send the bridge traffic.
 
I didn't try with a jail. I just created an epair interface and "spanned" it to a bridge. There is no error and ifconfig reports it correctly. I used to use a span interface with a bhyve VM via a tap without any problem.

So, the trouble should be in the way you create and use this epair interface. Why this name, e26a_ak? Do you use software to manage your jails?
 
Yes, I am using BastilleBSD, which is creating the epair. I tried to put the interface down just to test, but got the same issue (but I don't believe it is possible to take an epair down...)
The PROMISC flag is set by default, so it must come from something else, but I can't figure it out... hence my post here.
 
span and port mirroring are hardware terms. For IPFW you can use selective mirroring (ngtee) and for PF you can use dup-to to create a duplicate of the packet and route it to another IP.
 
Yes, and I am using these terms to simplify and not to confuse; in the monitoring market we also use vSPAN or virtual port mirroring, but the logic is the same. So you confirm that the ifconfig span command would not work with an epair as a destination?
Good suggestion for PF (I am not using IPFW), but then it would not be an "exact" copy of the traffic as it would re-route it; it is definitely an alternative I can check. I would prefer to see if there is a way to use the native ifconfig span command, and I am wondering what is preventing me from using it, as apparently Emrion is able to do it when he creates the epair manually.
 
Try to manually add the epair interface to the bridge before starting the jail.

Note: you will need 2 interfaces for the IDS jail. One for the SPAN and the other for normal access/internet.

epair0a - epair0b jail0 (app server)
epair1a SPAN - epair1b Jail1 (IDS)
epair2a - epair2b Jail1 (IDS) Lan traffic

Code:
# ifconfig bridge create
bridge0
# ifconfig epair create
epair0a
# ifconfig epair create
epair1a
# ifconfig -g epair
epair0b
epair0a
epair1b
epair1a
# ifconfig bridge0 addm epair0a
# ifconfig bridge0 span epair1a
# ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=0
        ether 58:9c:fc:10:ff:ef
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: epair1a flags=8<SPAN>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>

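Once the span member is configured as above, the first thing to check (before reaching for tcpdump) is whether ifconfig really lists the interface with the SPAN flag. The following POSIX sh helpers are an added example, not code from the thread or from FreeBSD; they parse `ifconfig bridgeN` output (the constructed sample below is the output quoted in this post) and report which members are SPAN ports and which are forwarding ports.

```shell
#!/bin/sh
# Constructed sample: the `ifconfig bridge0` output shown earlier in this post.
SAMPLE_BRIDGE='bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: epair1a flags=8<SPAN>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'

# Print the names of bridge members carrying the given flag (e.g. SPAN),
# one per line. Reads `ifconfig bridgeN` output on stdin.
members_with_flag() {
    awk -v want="$1" '
        /^[[:space:]]*member:[[:space:]]/ {
            name = $2
            flags = $3                       # e.g. flags=8<SPAN>
            sub(/^flags=[0-9]*</, "", flags) # strip "flags=8<"
            sub(/>$/, "", flags)             # strip trailing ">"
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == want) { print name; break }
        }'
}

# Print members that actually forward traffic (everything without SPAN).
forwarding_members() {
    awk '/^[[:space:]]*member:[[:space:]]/ && $3 !~ /[<,]SPAN[,>]/ { print $2 }'
}

# Exit 0 if the interface named in $1 is a SPAN member of the bridge
# described on stdin, 1 otherwise. Usage: ifconfig bridge0 | is_span_member epair1a
is_span_member() {
    members_with_flag SPAN | grep -qx "$1"
}
```

If the interface is missing from the SPAN list, the span command did not take effect (for example because the peer side was already moved into a jail); if it is listed but tcpdump stays silent, the problem lies beyond the bridge configuration.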
 
Thanks! I understand my issue now..
I am using e26a_ak, where the b side (e26b_ak) is already "pushed" into a jail before issuing the ifconfig span command.

If I create the epair, run the span command and then launch the jail with the b side, I don't have the issue anymore!

The only remaining issue is that I don't see any traffic on the a side or on the b side (inside my jail) using tcpdump.
 