On Mar 20, 2014, at 2:14 PM, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> On 20-03-2014 17:12, Don Jackson wrote:
>> I’m attempting to monitor traffic on my LAN; I have inserted a
>> non-aggregating network tap between my firewall (not openbsd) and my enet
>> switch.
>> I wired the two monitor ports of the network tap to two ethernet interfaces
>> (em2 and em3) on an openbsd machine (running 5.3 at present); em0 on
>> this machine is the regular network port.
>> I’m attempting to configure pf etc. in order to facilitate monitoring and
>> analyzing the traffic on my lan.
>> I started with just the em2 interface and associated tap output, which
>> monitors traffic from my LAN to the firewall.
>> AFAICT, the interfaces I use for this monitoring need to be “UP” and in
>> “PROMISC” (promiscuous) mode, correct?
>> So far, the only way I know I can do that is by adding the interface to a
>> bridge. Is there another/better way?
> You could implement some sort of daemon that puts the interfaces in
> promiscuous mode using the pcap library. Or running a tmux+tcpdump. A
> bridge can also work, but it introduces complexity, especially when
> filtering the packets.

Based on further experiments motivated by your suggestions, I have concluded that I’ve been using the wrong tool(s) for the job.

Since I’m using the OpenBSD box to just read all packets on an interface, I shouldn’t be using pf/pflog/pflow at all; I should just focus on apps like tcpdump that open the interface directly and read what they want. Some network monitoring packages (i.e. argus) seem to have their own tcpdump-like apps for reading network interfaces.

If the box in question was the router/firewall, then obviously I could/should use pf/pflog/pflow to extract the info passing through/by that I would want to monitor.

Thank you for kludging me in the right direction.

Don
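As an added illustration of the "tmux+tcpdump" approach discussed above (this script is not from the thread or from OpenBSD; it assumes the tap monitor interfaces are named em2 and em3 as in Don's setup, and that `ifconfig`/`tcpdump` are the OpenBSD base tools): it brings each tap interface up, starts a capture that writes to a pcap file, and includes a check that parses `ifconfig` output to confirm the interface reports both UP and PROMISC, since a tap feed that is not in promiscuous mode silently drops everything not addressed to the box.

```shell
#!/bin/sh
# Monitor-port capture helper (added example, not from the original thread).
# Assumes the two tap monitor ports are em2 and em3 and that captures go to
# $CAPDIR. Run as root: ./tapcap.sh start
CAPDIR="${CAPDIR:-/var/log/tapcap}"

# iface_monitoring "<ifconfig output>" -> 0 if flags contain UP and PROMISC.
# Expected OpenBSD line shape: em2: flags=8943<UP,BROADCAST,...> mtu 1500
iface_monitoring() {
    flags=$(printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^:]*: flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    [ -n "$flags" ] || return 1
    case ",$flags," in
        *,UP,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *) return 1 ;;
    esac
}

# start_capture IFACE: bring the tap interface up, capture to a pcap file,
# then verify the kernel actually reports the interface as UP and PROMISC.
start_capture() {
    ifc="$1"
    mkdir -p "$CAPDIR"
    ifconfig "$ifc" up
    # tcpdump opens the BPF device in promiscuous mode while it runs.
    tcpdump -n -i "$ifc" -w "$CAPDIR/$ifc.pcap" &
    sleep 1
    if iface_monitoring "$(ifconfig "$ifc")"; then
        echo "$ifc: capturing (UP, PROMISC)"
    else
        echo "$ifc: WARNING not in UP+PROMISC, capture is incomplete" >&2
    fi
}

# Constructed sample ifconfig lines used only for self-checking the parser.
SAMPLE_MONITORING='em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500'
SAMPLE_DOWN='em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500'
SAMPLE_UP_NOPROMISC='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500'

if [ "${1:-}" = "start" ]; then
    for ifc in em2 em3; do start_capture "$ifc"; done
fi
```

Only the parser is exercised without real interfaces; the capture path needs root on the monitoring box.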