preferred ifconfig for pure traffic analysis/IDS?

I am on 11.4R amd64. I have a hardware NIC (fxp0) that I want to do pure traffic analysis on using snort, tcpdump or the equivalent. It is physically connected to my switch on a port that will be configured to mirror other ports from time to time. But I do not want this interface to ever be a real IP interface. I've found that the interface must be "up" to receive anything, but it seems that if I don't configure an IP address, it only sees ethernet broadcast/multicast, which seems weird. I have configured:

Code:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:90:27:aa:aa:aa
        hwaddr 00:90:27:aa:aa:aa
        inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.240
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

This works as expected and can gather the traffic I expect to be able to see and analyse. Is using IPv4 address 0.0.0.0 a sensible choice? Is there a preferred ifconfig arrangement for this purpose?
 
I've found that the interface must be "up" to receive anything, but it seems that if I don't configure an IP address, it only sees ethernet broadcast/multicast, which seems weird.
That's how switches work. It will only ever put traffic on that port that's actually destined for the attached MAC address and multicast/broadcasts. It has nothing to do with the settings on FreeBSD. Managed switches allow you to configure a 'mirror' or monitor port, that's a specific switch configuration that will duplicate all traffic on the switch to that port.

 
I have settled on
ifconfig fxp0 monitor promisc

promisc is not essential, since the analysis programs would put the NIC in promiscuous anyhow, but "monitor" is exactly what I want -- it is expressly designed for this application.
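As an added check (example code written for this page, not from any poster in the thread): a small Python audit that parses ifconfig output and confirms a sniff-only interface is up, carries the MONITOR flag, and has no inet/inet6 address. The first sample is the thread's original ifconfig output; the second is a constructed, hypothetical rendering of the same NIC after "ifconfig fxp0 monitor promisc".

```python
import re

# Constructed samples: the first is the ifconfig output from the thread's
# opening post (inet 0.0.0.0, no MONITOR); the second is a hypothetical
# rendering of the same NIC after "ifconfig fxp0 monitor promisc".
ORIGINAL = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:27:aa:aa:aa
        inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.240
        status: active
"""
MONITOR = """\
fxp0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 00:90:27:aa:aa:aa
        status: active
"""

FLAGS_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)")

def parse_ifconfig(text):
    """Map each interface name to its flag set and its inet/inet6 addresses."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        m = ADDR_RE.match(line)
        if m and cur is not None:
            ifaces[cur]["addrs"].append((m.group(1), m.group(2)))
    return ifaces

def audit_tap(iface):
    """Return findings for a sniff-only interface; an empty list means it passes."""
    findings = []
    if "UP" not in iface["flags"]:
        findings.append("interface is down, so it receives no frames")
    if "MONITOR" not in iface["flags"]:
        findings.append("MONITOR not set: received frames are handed to the IP stack")
    for family, addr in iface["addrs"]:
        # Any address, even 0.0.0.0, makes the stack treat this as an IP interface
        findings.append(f"{family} address {addr} configured on a sniff-only port")
    return findings
```

Run it against the live output of `ifconfig fxp0` to confirm the tap stays address-less after reboots or rc.conf changes.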
 
That's how switches work

Well, obviously -- I did already say I was using port mirroring on my switch. The thing I found weird was that simply configuring the NIC "up" and promiscuous via tcpdump wasn't enough to receive the non-broadcast traffic at that port. "monitor" works fine though, and is designed for the job.
 
Okay, I have been dinking with netgraph(4) and ng_netflow(4) according to the very useful writeup on nfdump by woodsb02.

I have found that if I configure the monitor interface with ifconfig monitor, the frames are discarded before being passed to netgraph and therefore I can't use "monitor". I believe I can build a netgraph configuration that explicitly discards the network traffic, after generating the netflow data, but I am unclear on how to do this. If anyone has pointers on this, I'd be grateful. Currently I have:
Code:
ngctl -f- <<-DONE
        mkpeer fxp0: netflow lower iface0
        name fxp0:lower netflow
        connect fxp0: netflow: upper out0
        mkpeer netflow: ksocket export inet/dgram/udp
        msg netflow:export connect inet/127.0.0.1:4444
        msg netflow:setconfig {iface=0 conf=7}
DONE
I am a total newbie on netgraph, so any pointers would be welcome. Thanks.
 