[Bridge] Mirroring an interface to an other by using bridge ?

[Bridge] Mirroring an interface to an other by using bridge ?

[Rein van Koten]

[-- Attachment #1: Type: text/plain, Size: 3617 bytes --]

Hi,

Just wondering....

Currently i'm redesigning an intrusion detection system based on Snort / Linux (in this case Fedora Core 1).
Datastream is tapped physically by means of single-mode fiber taps from a dual path link between router pairs.
By using intel single mode fiber cards and bundling the four tapped streams to one virtual interface with the intel drivers i recreate a virtual mirror of the uplinks we are sampling. Works like a charm.
However, the created datastream is needed for other measurements as well. What I would like to do is to create a mirror port from the reassembled stream.
Normally you woud have one or more mirror ports on a switch/router but in this case the stream is only complete on the linux box.....
Also, as it is not a real stream a 100mb hub cannot be used as fanout (and this only as long as the aggregated load is below 100MB and is not a pure for ids use)

Looking for a solution to this I dug into ebtables / bridging and divert mechanisms currently available in the linux kernels.
But I did not find a reference to a real mirror solution. Maybe I'm looking in the wrong place.
Looking at the functionality I think I need, it looks like the bridge module is my closest bet.
If the bridge forwards everything without keeping mac tables or sending/receiving arp messages I'm in business.....

So, my question:

Is it possible to adapt the bridge code so it:
- copies all incoming traffic from one interface (in promisc mode) to an other, regardless of mac address etc
- does not do any sending itself (no proxyarp, arp, broadcasts etc)
- prefferably works one way (a mirror should be read only)?
- This as low as can be in the kernel (so not all the way up to ip/eb tables or high in userspace)
In fact this looks like the bridge module without all the more refined stuff (keeping tables, proxying etc)


Example with the envisioned version of bridge module and brctl:

# sniffing / ids on eth1, want to copy all traffic to eth2 for others to use without needing access to the IDS environment.
# setup bridge
brctl addbr <bridgename>
brctl addif eth1
brctl addif eth2
# set bridge type to copy thus creating a mirror port
brctl mode <bridgename> copy
# set the copy direction from eth1 to eth2 (can only be in one direction)
brctl setcopy <bridgename> in eth1
brctl setcopy <bridgename> out eth2
# enjoy...

so:
mode command has options copy or bridge
setcopy out provide the option to copy several interfaces' incoming data to a single (or even multiple?) interfaces.

currently I only see a solution like bridging, ebtables/divert replacing incoming macs with the mac of the sniffer attached to my semi mirror interface, blocking all arp traffic and this only works probably if you know all the mac addresses on the link you are sampling (in my case I do because it's the four mac addresses of the upstream and downstream routers). 
Also, possible trouble comes from :
    - I'm not sure that tools like divert etc work on a virutal interface like the one created when you bundle interfaces.
    - i/o speed, kernel resources etc
I saw that I at least had to hack the divert.o code to remove the check on interface names starting with "eth" as the intel drivers do not allow a virutal interface with a name like eth9...

Anyway,

I would appreciate your opinion on this or whether you know someone working along the same lines...
I myself am not C savvy enough to rewrite the bridge module without additional input on this idea.
And then again, maybe it already exists.

Regards,

Rein van Koten
The Netherlands.

[-- Attachment #2: Type: text/html, Size: 4764 bytes --]

Re: [Bridge] Mirroring an interface to an other by using bridge ?

[Bart De Schuymer]

On Thursday 25 March 2004 18:06, Rein van Koten wrote:
> Hi,
> Anyway,
>
> I would appreciate your opinion on this or whether you know someone working
> along the same lines... I myself am not C savvy enough to rewrite the
> bridge module without additional input on this idea. And then again, maybe
> it already exists.

It should be simple, removing the following code from 
br_input.c::br_handle_frame_finish() should probably be enough:
	dst = br_fdb_get(br, dest);
	if (dst != NULL && dst->is_local) {
		if (!passedup)
			br_pass_frame_up(br, skb);
		else
			kfree_skb(skb);
		br_fdb_put(dst);
		goto out;
	}

	if (dst != NULL) {
		br_forward(dst->dst, skb);
		br_fdb_put(dst);
		goto out;
	}

It would probably be interesting to have a bridge userspace tool option so 
that the bridge acts like a hub, which is basically what you want.

cheers,
Bart

[Bridge] Re: Mirroring an interface to an other by using bridge ?

[Mike Andersen]

Bart De Schuymer <bdschuym <at> pandora.be> writes:

> It would probably be interesting to have a bridge userspace tool option so 
> that the bridge acts like a hub, which is basically what you want.

Would this change do anything related to filtering traffic with iptables?  Or
will it still work?

-- 
mike

Re: [Bridge] Re: Mirroring an interface to an other by using bridge ?

[Bart De Schuymer]

On Wednesday 31 March 2004 16:39, Mike Andersen wrote:
> Bart De Schuymer <bdschuym <at> pandora.be> writes:
> > It would probably be interesting to have a bridge userspace tool option
> > so that the bridge acts like a hub, which is basically what you want.
>
> Would this change do anything related to filtering traffic with iptables? 
> Or will it still work?

Everything should keep working, why don't you try it?

Re: [Bridge] Re: Mirroring an interface to an other by using bridge ?

[Mike Andersen]

On Apr 1, 2004, at 18:18, Bart De Schuymer wrote:

> On Wednesday 31 March 2004 16:39, Mike Andersen wrote:
>> Bart De Schuymer <bdschuym <at> pandora.be> writes:
>>> It would probably be interesting to have a bridge userspace tool 
>>> option
>>> so that the bridge acts like a hub, which is basically what you want.
>>
>> Would this change do anything related to filtering traffic with 
>> iptables?
>> Or will it still work?
>
> Everything should keep working, why don't you try it?

I have now, and it works fine. The reason for asking was that I was 
struggling to understand how bridging and iptables was working together 
(and if I wasn't able to make it work, I would not know if it was me or 
this quick-fix who was causing it. ;-)


mike
-- 
"It is a lesson which all history teaches wise men, to put trust in
  ideas, and not in circumstances."            --Ralph Waldo Emerson