I don't know if this is a bug or drastically changed functionality regarding 802.1q tags.
Something in if_bridge (or some other part of the packet processing) seems to have changed between FreeBSD 6.4 and 7.3. VLAN tags are no longer stripped off!
Scenario:
I create a bridge0 interface on a FreeBSD 6.4 machine using one or multiple parent NICs. Then I sniff traffic on this cloned NIC.
There are two results:
* multiple NICs are bonded together and can be easily sniffed on ONE interface
* the sniffer will always receive plain ethernet frames without any 802.1q vlan tags
If I sniff directly on the parent NIC(s), I see vlan-tagged packets and ordinary untagged packets in a mix, which is bad.
In essence, creating the bridge0 NIC solves the problem where a mirrored SYN packet might be untagged while the SYN-ACK in the other direction is tagged (HP switches usually mirror traffic in this awkward way).
If I run tcpdump with the bpf filter 'tcp', it will only match the SYN and not the SYN-ACK, since 'tcp' implies an IP packet in an ordinary ethernet frame, while the SYN-ACK is a VLAN frame.
In order to filter out the SYN-ACK, I need the bpf filter 'vlan and tcp', but then I lose the SYN packet. ...catch 22... :\
By pointing tcpdump towards the bridge0 NIC, the filter 'tcp' will show both directions of the connection (SYN and SYN-ACK).

Now, the problem is that FreeBSD 7.3 (and possibly earlier versions, I haven't tried them) doesn't behave the same as v6.4.
With the same configuration, tcpdump now receives VLAN-tagged frames on bridge0 where I expect 100% untagged packets.

Configuration to create the vlan-tag-free sniffer NIC "mon0":
Code:
ifconfig_bge1="up -arp"
cloned_interfaces="bridge0"
ifconfig_bridge0="up addm bge1 -discover bge1 -learn bge1 private bge1 \
maxaddr 1 -arp monitor name mon0"
bge1 is connected to a SPAN port on a HP switch. I disable arp as a security measure.
I rename bridge0 to mon0 for human readability. I disable all kinds of learning on the bridge since it should never in fact forward any traffic.
Finally I run the cloned NIC in monitor mode to drop all packets directly after the bpf stage.
Do you know how to fix this the way it used to work?
...or some other way to simply strip off the 802.1q tag on incoming traffic (leaving untagged packets untouched)... The less performance impact, the better.
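Added example (not part of the post above, and not FreeBSD or tcpdump code): an offline 802.1Q tag stripper that does exactly what the last paragraph asks for, independent of if_bridge behaviour. Capture the mixed traffic from the SPAN port with `tcpdump -i bge1 -w mixed.pcap`, run the script to rewrite the capture with every tag removed (untagged frames pass through byte-for-byte), and then `tcpdump -r clean.pcap tcp` matches both the SYN and the SYN-ACK. It also peels stacked QinQ tags (0x88A8/0x9100 outer, 0x8100 inner), which goes beyond the single-tag case in the post. The frames and pcap data built by `build_tcp_frame` and `make_pcap` are constructed samples (zero checksums, made-up MACs and addresses); the function names are this example's own.

```python
"""Strip 802.1Q/802.1ad tags from Ethernet frames in a classic pcap file.

Example code added for illustration; not from the original forum post.
Assumption: input is a classic (non-nanosecond, non-pcapng) pcap with
LINKTYPE_ETHERNET frames, as written by `tcpdump -w`.
"""
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}   # 802.1Q C-tag, 802.1ad S-tag, legacy QinQ
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def strip_vlan_tags(frame):
    """Remove every VLAN tag that follows the two MAC addresses.
    Returns (untagged_frame, [vids outermost first]); an untagged frame is
    returned unchanged, which is the 'leave untagged packets untouched' part."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, vids = 12, []
    # Tags may be stacked (QinQ): keep peeling while the next EtherType is a TPID.
    while len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] in VLAN_TPIDS:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits = VLAN ID; PCP/DEI discarded
        offset += 4
    if not vids:
        return frame, vids
    return frame[:12] + frame[offset:], vids


def is_tcp(frame):
    """Roughly what the BPF filter 'tcp' checks: IPv4 EtherType directly after
    the MAC header and IP protocol 6. A tagged frame fails this, which is the
    SYN/SYN-ACK mismatch described in the post."""
    if len(frame) < 34:
        return False
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    return frame[14] >> 4 == 4 and frame[23] == 6


def build_tcp_frame(tags=(), flags=0x02):
    """Constructed sample: minimal Ethernet/IPv4/TCP frame with zero checksums.
    `tags` is a list of (tpid, vid) pairs, outermost first."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for tpid, vid in tags:
        eth += struct.pack("!HH", tpid, vid)
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def make_pcap(frames):
    """Constructed sample: wrap frames in a little-endian classic pcap container."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def strip_pcap(data):
    """Rewrite an in-memory pcap so that every frame is untagged.
    Returns (new_pcap_bytes, count_of_frames_that_carried_tags)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:               # same magic, big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap (nanosecond pcap / pcapng unsupported)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET")
    out, pos, tagged = bytearray(data[:24]), 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        new_frame, vids = strip_vlan_tags(frame)
        tagged += bool(vids)
        removed = len(frame) - len(new_frame)  # keep orig_len honest after stripping
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(new_frame), orig_len - removed)
        out += new_frame
    return bytes(out), tagged


if __name__ == "__main__":
    if len(sys.argv) == 3:                  # usage: strip_vlan.py mixed.pcap clean.pcap
        with open(sys.argv[1], "rb") as fin:
            new_data, count = strip_pcap(fin.read())
        with open(sys.argv[2], "wb") as fout:
            fout.write(new_data)
        print(f"stripped tags from {count} frames")
    else:                                   # demo on constructed SYN / tagged SYN-ACK
        syn = build_tcp_frame()
        synack = build_tcp_frame([(0x8100, 100)], flags=0x12)
        for name, f in (("SYN", syn), ("SYN-ACK", synack)):
            print(name, "matches 'tcp' before:", is_tcp(f), "after:", is_tcp(strip_vlan_tags(f)[0]))
```

Performance caveat: this is a post-processing step on a file, so it costs nothing on the sniffing host at capture time, but it does not help a live `tcpdump -i mon0 tcp`; for that you still need the tag removed before the BPF stage, which is what the bridge used to do.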