Creating Fake Interfaces and Bonding Them

In June I posted a way to bond two FreeBSD interfaces to a third unused interface for purposes of combining tap outputs and sniffing the result. This method used ng_one2many and was based on advice from Andrew Fleming. In July I corresponded with John Bradberry who shared his method of using ng_fec, the man-page-less Fast Ether Channel netgraph(4) module.

Two months ago John posted his method, which looks like the email he sent me in July. I finally got a chance to try it, and can report that it works. Here's what's required on a stock FreeBSD 4.9 REL system where sf2 and sf3 see the tap outputs. First, build the ng_fec kernel module:

cd /usr/src/sys/modules/netgraph/fec
make
make install

Next, create the virtual fec0 interface which will see traffic from sf2 and sf3 simultaneously. Note the use of single quote and double quote around the interface names.

ngctl mkpeer fec dummy fec
ngctl msg fec0: add_iface '"sf2"'
ngctl msg fec0: add_iface '"sf3"'
ngctl msg fec0: set_mode_inet
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up
ifconfig fec0 -arp up

That's it! When sniffing the fec0 interface, you'll see all traffic that sf2 and sf3 see. You can see the results of this process using a few commands. kldstat shows the KLDs that were loaded automatically:

bourque# kldstat
Id Refs Address Size Name
1 4 0xc0100000 43d388 kernel
2 1 0xc211b000 3000 ng_socket.ko
3 2 0xc211f000 9000 netgraph.ko
4 1 0xc212d000 3000 ng_fec.ko

ifconfig shows the new interface:

bourque# ifconfig fec0
fec0: flags=8943 mtu 1500
inet6 fe80::200:d1ff:feed:34df%fec0 prefixlen 64 scopeid 0xe
ether 00:00:d1:ed:34:df
media: Ethernet none
status: active

/var/log/messages shows the fec0 interface in action:

Dec 10 18:27:10 bourque /kernel: fec0: port sf2 in bundle is down
Dec 10 18:27:10 bourque /kernel: fec0: port sf3 in bundle is down
Dec 10 18:27:12 bourque /kernel: fec0: port sf2 in bundle is up
Dec 10 18:27:12 bourque /kernel: fec0: port sf3 in bundle is up

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics