RE: port bonding and taps

From: Bradberry, John (
Date: 10/02/03

  • Next message: cheong frank: "Re: Network hardware IPS"
    Date: Thu, 2 Oct 2003 14:31:58 -0500
    To: "John Flynn" <>, <>


    I've found the channel-bonding method to be very useful on Linux based
    systems. On a RH 9 system, documentation is provided in the file
    "bonding.txt". On my system running a 2.4.20-8 kernel, it is found


    For FreeBSD based systems, the Netgraph Fast Ether-Channel kernel module
    (ng_fec.ko) can be used to aggregate traffic from multiple physical
    interfaces onto a "virtual" pseudo interface. We use this method to
    rebuild full-duplex connections from the half-duplex data streams
    generated by an Ethernet tap. A single process [tcpdump, snort, etc.]
    may be used to capture packets from the pseudo interface.

    Jerry Lundy of The Greentree Group researched the Netgraph system and
    compiled this documentation for using the ng_fec.ko module on a FreeBSD

    [1] Fetch the latest kernel sources [we're using RELENG_4_9]. Add this
    line to your kernel config and build a new kernel:

    options NETGRAPH

    [2] Build the ng_fec module:

    # cd /usr/src/sys/modules/netgraph/fec/
    # make && make install

    [3] Load the module:

    # kldload /usr/src/sys/modules/netgraph/fec/ng_fec.ko

    You can confirm that the ng_fec.ko module is loaded by using the kldstat
    command. You should see something very similar to this:
    # kldstat
    Id Refs Address Size Name
     1 4 0xc0100000 400f44 kernel
     3 3 0xc518e000 9000 netgraph.ko
     4 1 0xc518a000 3000 ng_socket.ko
     5 1 0xc519d000 3000 ng_fec.ko

    [4] Create one or more psuedo fec interfaces:

    # ngctl mkpeer fec dummy fec

    This step will create a fec0 device. Check it with ifconfig -a. Other
    pseudo interfaces, fec1, fec2, fec3, etc., can be created using the same

    [5] Bind physical interfaces to the pseudo devices. In this example,
    we've got 2 pseudo devices [fec], and 8 physical interfaces [dc]. Our
    site uses quad-port AEI P430TX interfaces. Be careful to include the
    single + double quotes just like the example:

    # ngctl msg fec0: add_iface '"dc0"'
    # ngctl msg fec0: add_iface '"dc1"'
    # ngctl msg fec0: add_iface '"dc2"'
    # ngctl msg fec0: add_iface '"dc3"'
    # ngctl msg fec1: add_iface '"dc4"'
    # ngctl msg fec1: add_iface '"dc5"'
    # ngctl msg fec1: add_iface '"dc6"'
    # ngctl msg fec1: add_iface '"dc7"'

    [6] Set the capture mode for each pseudo interface. You may wish to
    experiment with the mode type:

    # ngctl msg fec0: set_mode_inet
    # ngctl msg fec0: set_mode_mac
    # ngctl msg fec0: set_mode_inet6

    [7] Set all physical and pseudo interfaces to promiscuous mode.

    # ifconfig INTERFACE_NAME promisc

    [8] Bring up the pseudo device[s] and try it!

    # ifconfig fec0 up
    # ifconfig fec1 up

    You should be able to run tcpdump -n -i fec0 and see the aggregate

    We use a shell script to create and configure the pseudo devices at
    startup. If you would like to a copy of the script, contact me.

    Best regards.

    John Bradberry
    The Greentree Group

    -----Original Message-----
    From: John Flynn []
    Sent: Wednesday, October 01, 2003 1:54 PM
    Subject: port bonding and taps

    Hi all,

    I'm trying to set up various snort boxes, both on fiber and copper taps.
    In order to reconstruct both sides of the stream I understand that one
    needs to use multiple cards since the tap outputs the tx and rx on
    separate channels. The problem is that to make snort alert correctly one
    really has to aggregate the directions. This is commonly done using a
    spanning port, but we do not have enough of those at our facility to go
    around. In linux (and in general) it seems this idea is called port
    bonding. There is a bonding kernel module for linux and appropriate
    commands for setting this up (ifenslave etc), but it seems to be very
    poorly documented. I have tried to set up bonding multiple times and
    could not seem to get it to work. Does anyone have good documentation on
    how to do this type of set up, or perhaps a better way to do snort+taps
    without using a spanning port?
    John Flynn

    Captus Networks IPS 4000
    Intrusion Prevention and Traffic Shaping Technology to:
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Precisely Define and Implement Network Security & Performance Policies
    FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo

  • Next message: cheong frank: "Re: Network hardware IPS"