[Bridge] Mirroring an interface to an other by using bridge ?

Rein van Koten rein at vankoten.com
Thu Mar 25 09:06:33 PST 2004


Hi,

Just wondering....

Currently I'm redesigning an intrusion detection system based on Snort / Linux (in this case Fedora Core 1).
Datastream is tapped physically by means of single-mode fiber taps from a dual path link between router pairs.
By using Intel single mode fiber cards and bundling the four tapped streams to one virtual interface with the Intel drivers I recreate a virtual mirror of the uplinks we are sampling. Works like a charm.
However, the created datastream is needed for other measurements as well. What I would like to do is to create a mirror port from the reassembled stream.
Normally you would have one or more mirror ports on a switch/router but in this case the stream is only complete on the Linux box.....
Also, as it is not a real stream a 100mb hub cannot be used as fanout (and this only as long as the aggregated load is below 100MB and is not a pure for IDS use)

Looking for a solution to this I dug into ebtables / bridging and divert mechanisms currently available in the Linux kernels.
But I did not find a reference to a real mirror solution. Maybe I'm looking in the wrong place.
Looking at the functionality I think I need, it looks like the bridge module is my closest bet.
If the bridge forwards everything without keeping MAC tables or sending/receiving ARP messages I'm in business.....

So, my question:

Is it possible to adapt the bridge code so it:
- copies all incoming traffic from one interface (in promisc mode) to another, regardless of MAC address etc
- does not do any sending itself (no proxyarp, ARP, broadcasts etc)
- preferably works one way (a mirror should be read only)?
- This as low as can be in the kernel (so not all the way up to ip/eb tables or high in userspace)
In fact this looks like the bridge module without all the more refined stuff (keeping tables, proxying etc)


Example with the envisioned version of bridge module and brctl:

# sniffing / IDS on eth1, want to copy all traffic to eth2 for others to use without needing access to the IDS environment.
# setup bridge
brctl addbr <bridgename>
brctl addif <bridgename> eth1
brctl addif <bridgename> eth2
# set bridge type to copy thus creating a mirror port
brctl mode <bridgename> copy
# set the copy direction from eth1 to eth2 (can only be in one direction)
brctl setcopy <bridgename> in eth1
brctl setcopy <bridgename> out eth2
# enjoy...

so:
mode command has options copy or bridge
setcopy out provides the option to copy several interfaces' incoming data to a single (or even multiple?) interfaces.

Currently I only see a solution like bridging, ebtables/divert replacing incoming MACs with the MAC of the sniffer attached to my semi mirror interface, blocking all ARP traffic and this only works probably if you know all the MAC addresses on the link you are sampling (in my case I do because it's the four MAC addresses of the upstream and downstream routers).

Also, possible trouble comes from :
    - I'm not sure that tools like divert etc work on a virtual interface like the one created when you bundle interfaces.
    - i/o speed, kernel resources etc
I saw that I at least had to hack the divert.o code to remove the check on interface names starting with "eth" as the Intel drivers do not allow a virtual interface with a name like eth9...

Anyway,

I would appreciate your opinion on this or whether you know someone working along the same lines...
I myself am not C savvy enough to rewrite the bridge module without additional input on this idea.
And then again, maybe it already exists.

Regards,

Rein van Koten
The Netherlands.
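
Added example, not part of the original post and not bridge-module code: the one-way copy asked for above can be approximated in the kernel without a bridge by using the tc `mirred` action, a technique the post does not mention. The function names are hypothetical, eth1/eth2 are the post's interface names, and iproute2 with the `matchall` classifier is assumed.

```shell
#!/bin/sh
# Added example: one-way mirror port built from tc "mirred" (not from the post).

# valid_if NAME: accept only plain interface names (max 15 chars, no dots,
# because the name is also used inside a sysctl key below).
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# mirror_plan SRC DST: print the commands that copy every frame received on
# SRC out of DST, whatever its MAC address, and keep DST read-only.
mirror_plan() {
    src=$1; dst=$2
    valid_if "$src" && valid_if "$dst" || { echo "bad interface name" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "source and mirror port must differ" >&2; return 2; }
    # Lines 1-3: capture everything on SRC; stop the host itself from sending
    # ARP or IPv6 autoconfiguration traffic on DST.
    # Lines 4-5: clone each ingress frame on SRC to DST before the IP stack.
    # Lines 6-7: drop anything arriving on DST so the mirror works one way.
    cat <<EOF
ip link set dev $src promisc on up
ip link set dev $dst arp off up
sysctl -q -w net.ipv6.conf.$dst.disable_ipv6=1
tc qdisc add dev $src handle ffff: ingress
tc filter add dev $src parent ffff: protocol all matchall action mirred egress mirror dev $dst
tc qdisc add dev $dst handle ffff: ingress
tc filter add dev $dst parent ffff: protocol all matchall action drop
EOF
}

# mirror_apply SRC DST: run the plan as root, stopping at the first failure.
mirror_apply() {
    plan=$(mirror_plan "$1" "$2") || return $?
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Usage: review with "mirror_plan eth1 eth2", then run "mirror_apply eth1 eth2".
```

Leaving the mirror port without an IP address keeps the host's own traffic off it; for the bundled virtual interface, pass its name as the source.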