Combining ethernet devices for sniffing
Alexey Fadyushin
fab at s-tunnel.com
Fri Apr 29 11:25:37 UTC 2005
Ed Greshko wrote:
>
>
> Harry Hoffman wrote:
>
>> Hi Ed,
>>
>> There are 4 interfaces:
>>
>> eth0 -> transport
>> eth1 -> unused
>> eth2 -> sniff
>> eth3 -> sniff
>>
>> eth2,3 are plugged into a fiber tap and each card carries 1 direction
>> of the bidirectional traffic.
>>
>> I would like to combine them to form a single interface for things
>> like tcpdump, tethereal, snort, etc. I don't want eth0,1 to be a part
>> of it.
>
>
> I see.... Well, I guess I can't help you much. I normally use the
> tcpdump and ethereal with "any" and then filter on the nets of
> interest. For my needs it has been sufficient.
>
I think that the easiest way to look at eth2 and eth3 interfaces
simultaneously is to use tcpdump with '-i any', and filter out eth0 and
eth1 using tcpdump filter such as 'not (ether dst <MAC_addr_of_eth0> or
ether dst <MAC_addr_of_eth1>)'. You should note that when tcpdump is
capturing packets from 'any' interface it will not switch interfaces into
promiscuous mode. You will not be able to sniff packets when eth2 and
eth3 are not in that mode, because none of the packets from the fiber
tap is addressed to your interfaces. Therefore, you will need to switch
eth2 and eth3 into promiscuous mode manually: 'ifconfig eth2 promisc',
'ifconfig eth3 promisc'.
Alexey Fadyushin
Brainbench MVP for Linux
http://www.brainbench.com
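The procedure Alexey describes (enable promiscuous mode on the two tap interfaces, then capture on 'any' while excluding frames addressed to eth0 and eth1) as a small POSIX shell script. This is an added example, not code from the original thread; it assumes a Linux sysfs at /sys/class/net (overridable through SYSFS_NET), the interface names used in the thread, and that ifconfig and tcpdump are installed. It derives the MAC addresses from sysfs instead of hardcoding them and checks the IFF_PROMISC flag after enabling it, so a silently failed mode change does not produce an empty capture.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Assumptions: Linux sysfs, interfaces eth0/eth1 (management) and
# eth2/eth3 (fiber-tap receive sides), ifconfig and tcpdump present.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Read the MAC address of an interface from sysfs. $1 = interface name.
mac_of() {
    cat "$SYSFS_NET/$1/address"
}

# Build the tcpdump filter proposed in the thread: drop every frame whose
# destination is one of the management interfaces. Arguments: MACs to exclude.
build_exclude_filter() {
    expr=""
    for mac in "$@"; do
        if [ -z "$expr" ]; then
            expr="ether dst $mac"
        else
            expr="$expr or ether dst $mac"
        fi
    done
    printf 'not (%s)\n' "$expr"
}

# Succeed (exit 0) when IFF_PROMISC (0x100) is set in the interface flags.
is_promisc() {
    flags=$(cat "$SYSFS_NET/$1/flags")
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# Switch an interface into promiscuous mode as the reply recommends.
# 'ip link set dev "$1" promisc on' is the iproute2 equivalent.
enable_promisc() {
    ifconfig "$1" promisc
}

# Enable promiscuous mode on the tap interfaces, verify it took effect,
# then capture on the 'any' pseudo-interface with the exclusion filter.
main() {
    filter=$(build_exclude_filter "$(mac_of eth0)" "$(mac_of eth1)")
    for ifc in eth2 eth3; do
        is_promisc "$ifc" || enable_promisc "$ifc"
        is_promisc "$ifc" || { echo "$ifc is not in promiscuous mode" >&2; exit 1; }
    done
    echo "capture filter: $filter" >&2
    exec tcpdump -i any -n "$filter"
}

# Only start capturing when invoked as: sh sniff.sh run
case "${1:-}" in
    run) main ;;
esac
```

Invoke it as root with `sh sniff.sh run`; without the `run` argument the script only defines its functions, which keeps them reusable from other scripts. The constructed MAC values in the check below are placeholders, not addresses from the thread.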