tcpdump mailing list archives
Re: capturing on both interfaces simultaneously
From: Glen Turner <gdt () gdt id au>
Date: Thu, 01 Dec 2011 01:15:42 +1030
On Mon, 2011-11-28 at 14:35 -0500, abhinav narain wrote:
> I don't think I can use "any" interface as it might capture packets from bridge interface also !
I use bonding to re-combine traffic from the Tx and Rx of a passive
optical tap. You might be able to use the same technique. Here is an
extract from our corporate engineering workbook on this scenario.
Best wishes, Glen
PASSIVE TAPS AND TCPDUMP
The passive tap presents on two interfaces (typically ethernet, but the
same notion works for SDH, etc).
$ethX -- data received from A-end
$ethY -- data received from B-end
For tools like Wireshark or tcpdump it is convenient if those two
interfaces can be presented as one interface carrying both sets of
traffic. That is exactly what a bonded interface does when receiving
data. It just so happens that we never want to transmit over ethX or
ethY.
The great advantage of this technique over a switch in "monitor" mode is
that it allows the capture of all traffic on a duplex link, even when
one direction is (perhaps maliciously) running at capacity. It is also
very appropriate for links where additional active equipment is unwelcome
because it reduces robustness.
COMMANDS
modprobe bonding
# Turn on interfaces, max out MTU, turn off spurious transmissions
ip link set $ethX up promisc on arp off mtu 9000 dynamic off
sysctl -w net.ipv6.conf.${ethX}.autoconf=0
ip link set $ethY up promisc on arp off mtu 9000 dynamic off
sysctl -w net.ipv6.conf.${ethY}.autoconf=0
# We also want packets with bad checksums, so don't
# allow interface hardware to automatically drop those.
ethtool --offload $ethX rx off
ethtool --offload $ethY rx off
# bond0 = ethX + ethY
ip link set bond0 up promisc on arp off mtu 9000 dynamic off
sysctl -w net.ipv6.conf.bond0.autoconf=0
ifenslave bond0 $ethX $ethY
# Some software gets upset by bond0 not having a real MAC
# address, so locally assign an address (setting the U/L
# bit correctly)
ip link set bond0 address ##########
Red Hat Linux allows these commands to be issued indirectly via the
interface configuration files in /etc/sysconfig/network-scripts/
(and then the workbook goes on to talk about RHL files, constructing
passive optical taps, recommended passive UTP taps, ...)
