The hardware:
IBM X3650 M3 server
72GB RAM
RAID1 146GB for /
RAID5 ~1TB for /nsm
4 Broadcom BCM5709 interfaces
4 Intel 82580 interfaces (on an i350-T4 card).
According to Ubuntu:
eth0 - eth3 are the Broadcom NICs
eth4 - eth7 are the Intel NICs
At present:
eth0 = mgmt
eth1-eth3 are unconfigured
eth4 = capture interface.
Receiving dot1q-tagged traffic fed by an aggregation switch. Only two VLANs; let's call them 10 and 20.
eth5-eth7 are unconfigured
I built the sensor using the SO 12.04.3 iso, and then ran updates via sudo soup. I ran sosetup and had it configure eth4, and rebooted.
I double-checked what ethtool -k had to say, and it showed rxvlan and txvlan offloading still enabled. I disabled with:
ethtool -K eth4 rxvlan off
Before continuing, I wanted to make sure I was seeing what I expected:
tcpdump -nei eth4 -c 10 gives me a few packets from each VLAN, as expected.
tcpdump -nei eth4 -c 10 'vlan 10' just sits and spins. Setting the BPF to 'vlan 20' does as well.
So, I re-enabled rxvlan:
ethtool -K eth4 rxvlan on
and got the same results...
Going back to my FreeBSD sensor, on identical hardware plumbed up to the same agg switch (pardon the interface naming, but igb0 = eth4 in this case):
tcpdump -nei igb0 -c 10 operates as expected and gives a few packets from each VLAN.
tcpdump -nei igb0 -c 10 'vlan 10' returns 10 packets from VLAN 10 ONLY.
tcpdump -nei igb0 -c 10 'vlan 20' returns 10 packets from VLAN 20 ONLY.
So above I document my experiences without 8021q and the two VLANs added via vconfig, but I get the same results even after going through those config steps.
What really boggles is that if I do go through the vlan configs and do something like:
tcpdump -nei eth4.10 -c 10
... I get 10 unencapsulated packets from that VLAN, as I'd expect.
So the kernel is popping the dot1q tag as expected when I do that config work...
For hahas, I went through sosetup and wanted to see what netsniff-ng put to disk. I'm not seeing any dot1q tags there.
I'm hoping that I'm missing something ridiculously simple here. Any thoughts are greatly appreciated. I can have the aggregation switch config changed to feed untagged traffic, but I'd like to keep that as a last resort.
Any thoughts?
Thanks,
Justin
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
Visit this group at http://groups.google.com/group/security-onion.
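The symptom above (tcpdump -e shows the tags, but a 'vlan 10' filter never matches) is consistent with the filter running on frame bytes from which the 802.1Q tag has already been removed. tcpdump's `vlan N` primitive compiles to a byte-level test (TPID 0x8100 at Ethernet offset 12, low 12 bits of the following TCI equal to N); when a NIC strips the tag on receive and hands it to the kernel as metadata, that test cannot match, even though libpcap can put the tag back for display. The model below is an added example, not code from the thread or from Security Onion, tcpdump or libpcap; it constructs its own sample frames and addresses (not captured traffic) and shows the filter passing tagged frames, passing nothing once the tag is stripped, and the stripped frames still displaying their VLAN ID after the tag is reinserted from metadata:

```python
"""Model of why a `vlan N` capture filter can miss tagged frames.

Added example, not from the original thread. Builds a few Ethernet frames
by hand and applies the same byte-level test that tcpdump compiles
`vlan <id>` into, then models tag stripping (rxvlan offload) and the
tag reinsertion libpcap does for display.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# Constructed sample addresses and payload (assumptions, not real traffic).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # stand-in for the start of an IPv4 header


def build_frame(vlan_id=None, prio=0):
    """Return an Ethernet frame, 802.1Q-tagged if vlan_id is given."""
    hdr = DST_MAC + SRC_MAC
    if vlan_id is not None:
        tci = (prio << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ETH_P_IP) + PAYLOAD


def vlan_id_of(frame):
    """VLAN ID present in the frame bytes, or None if there is no 802.1Q tag."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != ETH_P_8021Q:
        return None
    return tci & 0x0FFF


def matches_vlan_filter(frame, vlan_id):
    """Equivalent of the BPF tcpdump generates for `vlan <id>`:
    ether[12:2] == 0x8100 and ether[14:2] & 0x0fff == <id>."""
    return vlan_id_of(frame) == vlan_id


def strip_tag(frame):
    """Model of receive-side VLAN stripping: the 4-byte tag leaves the
    frame bytes and travels alongside them as metadata (the TCI)."""
    if vlan_id_of(frame) is None:
        return frame, None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return frame[:12] + frame[16:], tci


def reinsert_tag(frame, tci):
    """Model of libpcap putting the tag back for display (tcpdump -e)."""
    if tci is None:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def filter_counts(frames, vlan_id):
    """How many of `frames` a `vlan <vlan_id>` filter would pass."""
    return sum(1 for f in frames if matches_vlan_filter(f, vlan_id))


def demo():
    wire = [build_frame(10), build_frame(20), build_frame(10)]
    # Case 1: the tag is in the bytes the filter sees (what the FreeBSD
    # sensor in the thread shows on igb0).
    tagged = {vid: filter_counts(wire, vid) for vid in (10, 20)}
    # Case 2: the tag was stripped before the filter ran. Every frame now
    # looks untagged, so `vlan 10` and `vlan 20` pass nothing: tcpdump sits.
    stripped = [strip_tag(f) for f in wire]
    stripped_frames = [f for f, _ in stripped]
    after_strip = {vid: filter_counts(stripped_frames, vid) for vid in (10, 20)}
    # Yet the same frames show their VLAN once the tag is reinserted for -e.
    shown = [vlan_id_of(reinsert_tag(f, tci)) for f, tci in stripped]
    return tagged, after_strip, shown


if __name__ == "__main__":
    tagged, after_strip, shown = demo()
    print("filter hits, tag in frame bytes:", tagged)
    print("filter hits, tag stripped:      ", after_strip)
    print("VLAN shown after reinsertion:   ", shown)
```

The practical check this suggests on a Linux sensor is to compare the count from `tcpdump -nei eth4 -c 10 'vlan 10'` against a count from a filter that does not depend on the tag being in the frame bytes (for example matching a host or port known to live only on VLAN 10); if the second fires and the first does not, the filter is being evaluated on tag-stripped frames. Whether a given kernel and libpcap pair can still match `vlan N` in that situation depends on their versions, so the model above makes no claim about which combination fixes it.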
So when you run tcpdump, you see VLAN tags in the console output, but there are no VLAN tags in the netsniff-ng pcaps?
And netsniff-ng is recording the actual packets just fine, it's just not recording the VLAN tags?
When you put this system into production and you pivot from an IDS alert or Bro log to pcap, do you need to be able to see the VLAN tags?
Thanks, Doug. For myself, my workaround is to have things distributed to my sensor interfaces differently. This seems to be the easiest way to deal with it for now. I still see the dot1q tags, but now I don't need to worry about BPF filters to tune instances...