[OpenIndiana-discuss] Configuring span ports on oi151
James Carlson
carlsonj at workingcode.com
Mon Oct 24 17:08:27 UTC 2011
carlopmart wrote:
> On 10/24/2011 06:13 PM, James Carlson wrote:
>> carlopmart wrote:
>>> Is it possible to configure a bridge (with n physical nics) with a span
>>> port like for example FreeBSD does??
>>
>> No, mirror port functionality does not exist.
>>
>> If you intend to use snoop / tcpdump / wireshark on the span port, then
>> just use the existing monitoring facility. A bridge created with dladm
>> will have an observability node, based on the bridge name. If you
>> create a bridge named "foo", then you can snoop on "foo0" and see all of
>> the packets processed by the bridge.
>>
>> If you're using the span port for some other purpose, then the feature
>> will probably have to be added to the code. It's not present in the
>> current code because the observability node covered the known uses of
>> that sort of port without extra complications.
>>
>
> Thanks James. I need to sniff traffic on this bridge, but using it as a
> port mirror or span port. For example, if I create a bridge with bge0,
> bge1, and bge2, I need to "see" all traffic that crosses these interfaces,
> not only, for example, bge0 ... That's the problem.

I'm a little confused, because that's exactly what the existing
observability mechanism is for. If you use that existing node (named
after the bridge), you'll see all of the traffic processed by the
bridge, regardless of the port on which it was received. It's a solved
problem.

You didn't say how you're sniffing traffic. If you mean that you must
use an _external_ network monitoring device to do this, then the
existing built-in mechanism obviously won't be sufficient. That'd be a
fair reason to add a port mode flag that disables the normal MAC
filtering, though it's a little unclear why an external device would be
required or desired.

In any event, if you're interested in looking into this, the source for
the driver itself is in usr/src/uts/common/io/bridge.c. The necessary
change, I think, might be to make bridge_forward() treat those "monitor"
links as special, or to look for the calls to mac_rx() (the existing
observability hooks) and insert special handling there.
--
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>