[OpenIndiana-discuss] Configuring span ports on oi151

[James Carlson]

carlopmart wrote:
> On 10/24/2011 07:08 PM, James Carlson wrote:
>> You didn't say how you're sniffing traffic.  If you mean that you must
>> use an _external_ network monitoring device to do this, then the
>> existing built-in mechanism obviously won't be sufficient.  That'd be a
>> fair reason to add a port mode flag that disables the normal MAC
>> filtering, though it's a little unclear why an external device would be
>> required or desired.
>>
> 
> Sorry James, for not being properly explained. But yes, I need to use an
> external monitoring device. I use an external server with a different
> IDS/IPS sensors to process certain type of traffic. For example: exists
> one Snort sensor to monitor ftp, smtp, tcp anomalies, etc. Another
> Bro-IDS sensor to process ssl traffic. And another suricata sensor to
> process http traffic only. All these three sensors are installed in one
> server.

I see.  One solution might be to get those "sensors" to run on the
OpenIndiana system.  Then they could take advantage of the observability
interface to grab the traffic desired.

> And it is a lab. not a production system ...

The other solutions I can think of (besides adding this feature to the
existing code or porting the applications) would be intentionally
breaking the bridge_learn() function in bridge.c so that it always
returns without updating the forwarding tables, or, alternatively, using
an external bridge that has this feature.

The latter would be extremely easy, but would cost more money.  The
former is a bit hackish, but should do the job, and would be fairly easy
to do, provided you are able to build kernel modules.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>