[OpenIndiana-discuss] Configuring span ports on oi151

carlopmart carlopmart at gmail.com
Mon Oct 24 17:47:20 UTC 2011


On 10/24/2011 07:08 PM, James Carlson wrote:
> carlopmart wrote:
>> On 10/24/2011 06:13 PM, James Carlson wrote:
>>> carlopmart wrote:
>>>>    Is it possible to configure a bridge (with n physical nics) with a
>>>> span
>>>> port like for example FreeBSD does??
>>>
>>> No, mirror port functionality does not exist.
>>>
>>> If you intend to use snoop / tcpdump / wireshark on the span port, then
>>> just use the existing monitoring facility.  A bridge created with dladm
>>> will have an observability node, based on the bridge name.  If you
>>> create a bridge named "foo", then you can snoop on "foo0" and see all of
>>> the packets processed by the bridge.
>>>
>>> If you're using the span port for some other purpose, then the feature
>>> will probably have to be added to the code.  It's not present in the
>>> current code because the observability node covered the known uses of
>>> that sort of port without extra complications.
>>>
>>
>> Thanks James. I need to sniff traffic on this bridge, but using it as
>> port mirror or span port. For example, if I create a bridge with bge0,
>> bge1, and bge2, I need to "see" all traffic that cross these interfaces,
>> not only, for example, bge0 ... That's the problem.
>
> I'm a little confused, because that's exactly what the existing
> observability mechanism is for.  If you use that existing node (named
> after the bridge), you'll see all of the traffic processed by the
> bridge, regardless of the port on which it was received.  It's a solved
> problem.
>
> You didn't say how you're sniffing traffic.  If you mean that you must
> use an _external_ network monitoring device to do this, then the
> existing built-in mechanism obviously won't be sufficient.  That'd be a
> fair reason to add a port mode flag that disables the normal MAC
> filtering, though it's a little unclear why an external device would be
> required or desired.
>

Sorry James, for not being properly explained. But yes, I need to use an 
external monitoring device. I use an external server with a different 
IDS/IPS sensors to process certain type of traffic. For example: exists 
one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another 
Bro-IDS sensor to process ssl traffic. And another suricata sensor to 
process http traffic only. All these three sensors are installed in one 
server.

And it is a lab. not a production system ...


-- 
CL Martinez
carlopmart {at} gmail {d0t} com



More information about the OpenIndiana-discuss mailing list