SO only sees broadcast and multicast traffic


Cyrus Bulsara

Jul 8, 2017, 11:34:02 AM
to security-onion
Hello,

Problem: SO only sees broadcast and multicast traffic on my monitored interface.

Testing: The monitored interface is a span port configured in pfsense to copy LAN traffic. I validated that it is accurately copying frames by taking pcap at the secure gateway (pfsense) and the host OS (Linux Mint Serena running Workstation Pro 12.5, see background below). SO-STAT indicates no problems.

Background: I am attempting to build a lab environment using a number of guest VMs running on VMWare Workstation Pro 12.5 hosted on Linux Mint Serena. A pfsense VM serves as a secure gateway for multiple guest VMs on a host-only virtual network (VMNET2). A span port is configured on pfsense to copy all LAN frames to a separate host-only virtual network interface (VMNET3). SO is configured with 1 management interface (ETH0, NAT virtual network), and 1 monitored interface (ETH1, VMNET3, the SPAN port that copies traffic from VMNET2). VMNET3 is set to promiscuous mode in the host OS.

I see broadcast and multicast traffic in ELSA and when taking pcap in wireshark and tcpdump from SO, but nothing else. I have tested this with traffic that terminates within the LAN, at the firewall, and external SSH and HTTP/S with the same result. I only see ARP, SSDP, MDNS etc. When I take pcap at the firewall and in the host OS, I see everything that I should see.

How can I get SO to see all of the traffic on the SPAN port that I'm seeing at the gateway and on the host OS?

Sorry for the long-winded explanation. Any help is greatly appreciated.

Ian Brown

Jul 8, 2017, 11:50:38 AM
to securit...@googlegroups.com
All I had to do was read the subject to know you were using VMs. The
problem is almost certainly with VMWare Workstation Pro 12.5.

I had similar issues using Xenserver and the workaround was amazingly
complex.

I don't have Workstation for Linux, so I can't be more helpful, but for
Xenserver I had to enable promiscuous mode for the interface assigned to
the guest at the host; sadly the option in the GUI didn't work, and the
command-line fix on the Xenserver host needs to be run any time the
guest reboots. :(

I assume you've got the guest set up to use "bridged mode" with a host's
interface, so it is likely you need to enable promiscuous mode on that
bridged interface. Run ifconfig on the Linux host and see if there are
any new bridged interfaces running. If you find one, run:
ifconfig <interface that you found> promisc

Cyrus Bulsara

Jul 9, 2017, 12:51:33 AM
to security-onion
Thank you for taking the time to reply. Glad I'm not the only one. Unfortunately, enabling promiscuous mode on both the LAN interface (VMNET2) and the SPAN (VMNET3) doesn't fix things.

Ian Brown

Jul 9, 2017, 1:01:26 AM
to securit...@googlegroups.com
Well, my point is that your problem is with your VM solution, not
Security Onion. You'll need to investigate how to get promiscuous mode
working correctly with VMware in a Linux environment.

For instance, a quick Google for "vmware linux promiscuous" brought up
these links:

https://www.vmware.com/support/ws55/doc/ws_net_advanced_linux_vadapter_promiscuous.html

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=287
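The thread stops at "go read the VMware links", so here is an added check script that is not part of the thread and not Security Onion's or VMware's own code. It covers the two host-side conditions the replies point at for a VMware Workstation guest on a Linux host, and the one guest-side measurement that decides the question: (1) the user running the VM must be able to write the host's /dev/vmnetN device node, otherwise Workstation refuses the guest's request to enter promiscuous mode (the subject of the VMware KB article linked above); (2) the host's vmnetN interface should itself carry the IFF_PROMISC flag (bit 0x100 in /sys/class/net/IFACE/flags); and (3) a tcpdump -e capture taken inside the guest should contain frames whose destination MAC has the I/G bit clear, i.e. real unicast, not just ARP/SSDP/mDNS. The names vmnet3 and /dev/vmnet3 are assumed to match the poster's VMNET3, and the capture lines embedded below are constructed, not taken from the poster's environment.

```shell
#!/bin/sh
# Added example: host/guest checks for a VMware-Workstation-on-Linux span
# feed to a sniffing guest. Assumptions (not from the thread): the host side
# of the poster's VMNET3 is interface "vmnet3" with device node /dev/vmnet3;
# IFF_PROMISC is 0x100 in /sys/class/net/<iface>/flags (linux/if.h).

IFF_PROMISC=256   # 0x100

# flags_promisc HEXFLAGS -> exit 0 when the IFF_PROMISC bit is set.
# HEXFLAGS is the content of /sys/class/net/<iface>/flags, e.g. 0x1103.
flags_promisc() {
    f=$(( $1 ))
    [ $(( f & IFF_PROMISC )) -ne 0 ]
}

# mac_is_group MAC -> exit 0 when the I/G bit (lsb of the first octet) is
# set, i.e. the destination is broadcast or multicast (ff:..., 01:00:5e:...,
# 33:33:...). Unicast destinations have the bit clear.
mac_is_group() {
    first=${1%%:*}
    [ $(( 0x$first & 1 )) -ne 0 ]
}

# count_unicast <stdin: tcpdump -e lines> -> prints number of frames whose
# destination MAC is unicast. Expected tcpdump -e shape:
#   TIME SRCMAC > DSTMAC, ethertype ... (the trailing comma is stripped)
count_unicast() {
    n=0
    while read -r ts src gt dst rest; do
        [ "$gt" = ">" ] || continue      # skip headers and non-frame lines
        dst=${dst%,}
        mac_is_group "$dst" || n=$((n + 1))
    done
    echo "$n"
}

# check_host IFACE -> prints the state of the two host-side preconditions.
check_host() {
    iface=$1
    dev=/dev/$iface
    # 1. Workstation on Linux only lets the guest enter promiscuous mode if
    #    the user running the VM can write the vmnet node.
    if [ -w "$dev" ]; then
        echo "$dev: writable by $(id -un); guest may enter promiscuous mode"
    else
        echo "$dev: NOT writable by $(id -un); fix: sudo chmod a+rw $dev (then restart the guest)"
    fi
    # 2. The host-side interface itself should be promiscuous.
    if [ -r "/sys/class/net/$iface/flags" ]; then
        if flags_promisc "$(cat "/sys/class/net/$iface/flags")"; then
            echo "$iface: IFF_PROMISC set"
        else
            echo "$iface: IFF_PROMISC NOT set; fix: sudo ip link set $iface promisc on"
        fi
    else
        echo "$iface: no such host interface (is the vmnet up?)"
    fi
}

# Constructed sample of what "tcpdump -e -i eth1" in the guest might show.
# The first three frames are exactly the broadcast/multicast chatter the
# poster sees (ARP, SSDP, mDNS); the last two are unicast SSH frames that
# only arrive once promiscuous mode really works end to end.
SAMPLE='11:34:02.000001 52:54:00:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.2.1 tell 192.168.2.10
11:34:02.000002 52:54:00:aa:bb:cc > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 200: 192.168.2.10.1900 > 239.255.255.250.1900: UDP, length 158
11:34:02.000003 52:54:00:aa:bb:cc > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 90: fe80::1.5353 > ff02::fb.5353: UDP, length 36
11:34:02.000004 52:54:00:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.2.10.44321 > 192.168.2.1.22: Flags [S], seq 1, win 64240, length 0
11:34:02.000005 00:0c:29:11:22:33 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.2.1.22 > 192.168.2.10.44321: Flags [S.], seq 2, ack 2, win 65160, length 0'

# Usage on the host:  sh vmnet-check.sh vmnet3
# Usage in the guest: tcpdump -e -n -i eth1 -c 200 2>/dev/null | sh vmnet-check.sh -
# A unicast count of 0 in the guest means the span feed is still being
# filtered, regardless of what pfSense or the host tcpdump shows.
if [ "${1:-}" = "-" ]; then
    echo "unicast frames seen in guest capture: $(count_unicast)"
elif [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run the host half as the same user that launches Workstation, since it is that user's permission on /dev/vmnet3 that matters, not root's. In the constructed sample the count is 2; on the poster's guest it would be 0 until the host-side fix is in place.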