On 10/24/2011 07:08 PM, James Carlson wrote:
> carlopmart wrote:
>> On 10/24/2011 06:13 PM, James Carlson wrote:
>>> carlopmart wrote:
>>>> Is it possible to configure a bridge (with n physical nics) with a span
>>>> port like for example FreeBSD does?
>>> No, mirror port functionality does not exist.
>>>
>>> If you intend to use snoop / tcpdump / wireshark on the span port, then
>>> just use the existing monitoring facility. A bridge created with dladm
>>> will have an observability node, based on the bridge name. If you
>>> create a bridge named "foo", then you can snoop on "foo0" and see all of
>>> the packets processed by the bridge.
>>>
>>> If you're using the span port for some other purpose, then the feature
>>> will probably have to be added to the code. It's not present in the
>>> current code because the observability node covered the known uses of
>>> that sort of port without extra complications.
>> Thanks James. I need to sniff traffic on this bridge, but using it as a
>> port mirror or span port. For example, if I create a bridge with bge0,
>> bge1, and bge2, I need to "see" all traffic that crosses these interfaces,
>> not only, for example, bge0 ... That's the problem.
> I'm a little confused, because that's exactly what the existing
> observability mechanism is for. If you use that existing node (named
> after the bridge), you'll see all of the traffic processed by the
> bridge, regardless of the port on which it was received. It's a solved
> problem.
>
> You didn't say how you're sniffing traffic. If you mean that you must
> use an _external_ network monitoring device to do this, then the
> existing built-in mechanism obviously won't be sufficient. That'd be a
> fair reason to add a port mode flag that disables the normal MAC
> filtering, though it's a little unclear why an external device would be
> required or desired.

Sorry, James, for not explaining properly. But yes, I need to use an
external monitoring device. I use an external server with different
IDS/IPS sensors to process certain types of traffic. For example: there is
one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
Bro-IDS sensor to process ssl traffic. And another Suricata sensor to
process http traffic only. All three sensors are installed in one
server.

And it is a lab, not a production system ...
--
CL Martinez
carlopmart {at} gmail {d0t} com
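The built-in observability node James describes, as an added example that is not from the thread or the illumos source: it creates the bridge over the three links carlopmart names and captures on the bridge's own node. It assumes the host is illumos/OpenIndiana with dladm and snoop, that bge0, bge1 and bge2 exist and are unused, and that the bridge is named "foo".

```shell
#!/bin/sh
# Added example, not code from the thread. Build a dladm bridge over three
# links and capture on its observability node. Assumed: links bge0-bge2 are
# present and unused, the bridge is called "foo", the host runs illumos.
set -eu

BRIDGE=foo
LINKS="bge0 bge1 bge2"

# The observability node is the bridge name with "0" appended, so bridge
# "foo" is captured on "foo0".
obs_node() {
    printf '%s0\n' "$1"
}

# Turn a list of link names into the repeated -l options create-bridge takes.
link_opts() {
    opts=""
    for l in "$@"; do
        opts="${opts:+$opts }-l $l"
    done
    printf '%s\n' "$opts"
}

# Only touch the system when dladm is really there (illumos/OpenIndiana);
# elsewhere the functions above can still be exercised.
if command -v dladm >/dev/null 2>&1; then
    # shellcheck disable=SC2046,SC2086
    dladm create-bridge $(link_opts $LINKS) "$BRIDGE"
    # List the member links and their state before capturing.
    dladm show-bridge -l "$BRIDGE"
    # Every frame the bridge forwards appears here, whichever member link
    # received it; -o writes a snoop capture file for offline analysis.
    snoop -d "$(obs_node "$BRIDGE")" -o "/var/tmp/${BRIDGE}-bridge.snoop"
fi
```

This only helps when the capture runs on the bridge host itself; feeding the separate IDS server in the last message is exactly the external-device case James says the current bridge code does not cover.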
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss