Fibre Cards not assigned/claimed correctly
Nathan D'Elboux
Prior to using Sec onion i had an ubunu 14.04 system with a fibre card installed which had 2 10GB SFP interfaces installed. The fibre was split across both SFP's which had the naming convention P1P1 and P1P2 for the first card which represented 2 SFP's in the same physical fibre card. Then i used bridge-utils to create br0 which had p1p1 and p1p2 as members.
This ensured i had both streams RX & TX captured and Bro and all monitoring was performed on br0 and things worked fine.
due to requirements change i decided to migrate to Security onion but i can only get one of the SFP's to be recognised and allocated as a monitoring interface. Thus only monitoring one stream.
running lshw i can see the fibre card with the below output
*-pci:3
description: PCI bridge
product: 7500/5520/5500/X58 I/O Hub PCI Express Root Port 9
vendor: Intel Corporation
physical id: 9
bus info: pci@0000:00:09.0
version: 13
width: 32 bits
clock: 33MHz
capabilities: pci msi pciexpress pm normal_decode bus_master cap_list
configuration: driver=pcieport
resources: irq:28 ioport:e000(size=4096) memory:c0000000-c05fffff
*-network:0 UNCLAIMED
description: Ethernet controller
product: 82599ES 10-Gigabit SFI/SFP+ Network Connection
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:05:00.0
version: 01
width: 64 bits
clock: 33MHz
capabilities: pm msi msix pciexpress vpd cap_list
configuration: latency=0
resources: memory:c0000000-c007ffff ioport:ecc0(size=32) memory:c0180000-c0183fff memory:c0080000-c00fffff memory:c0184000-c0283fff memory:c0284000-c0383fff
*-network:1
description: Ethernet interface
product: 82599ES 10-Gigabit SFI/SFP+ Network Connection
vendor: Intel Corporation
physical id: 0.1
bus info: pci@0000:05:00.1
logical name: eth7
version: 01
serial: 90:e2:ba:69:70:29
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi msix pciexpress vpd bus_master cap_list ethernet physical fibre 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=ixgbe driverversion=4.2.1-k duplex=full firmware=0x61ae0001 latency=0 link=yes multicast=yes port=fibre promiscuous=yes
resources: irq:34 memory:c0100000-c017ffff ioport:ece0(size=32) memory:c0384000-c0387fff memory:c0388000-c0487fff memory:c0488000-c0587fff
As you can see with -network:0 it is UNCLAIMED. Where as Network:1 is and in use. I havent changed any settings this is out of the box install. Usually the kernel takes care of the allocation of interface names etc and since one of the two is registered it seems the drivers dont seem to be the problem.
Can anyone assist me on ideas of how to claim the 2nd fibre as i only have half the visibility i wish to have on this system and when i plug the other fibre in nothing i do can get it to light up/come online.
Any help would be much appreciated.
Thanks,
Nathan
Doug Burks
Security Onion is based on Ubuntu 14.04, so in theory it should work the same.
Which version of Ubuntu 14.04 were you using? And which kernel version?
Are you using the latest version of Security Onion with the latest
kernel version?
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Nathan D'Elboux
Thanks for your reply, yes your correct it turned out to be a faulty 10GB SFP module. Replacing it was the issue and now interfaces are bridged and logging correctly.
Thanks