I’m attempting to monitor traffic on my LAN. I have inserted a non-aggregating 
network tap between my firewall (not OpenBSD) and my Ethernet switch.

I wired the two monitor ports of the network tap to two Ethernet interfaces 
(em2 and em3) on an OpenBSD machine (running 5.3 at present); em0 on
this machine is the regular network port.

I’m attempting to configure pf etc. in order to facilitate monitoring and 
analyzing the traffic on my LAN.
I started with just the em2 interface and its associated tap output, which monitors 
traffic from my LAN to the firewall.

AFAICT, the interfaces I use for this monitoring need to be “UP” and in 
“PROMISC” (promiscuous) mode, correct?

So far, the only way I know I can do that is by adding the interface to a 
bridge.  Is there another/better way?

So, I have:

        ifconfig em2 up

        ifconfig bridge0 add em2
        ifconfig bridge0 rule pass in on em2 tag tap_b
        ifconfig bridge0 up

I’d like to configure pf as follows:

        Log all traffic on em2/bridge0 to (ideally a specific) pflog interface.

        Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface.

        Leave em0 alone (in its default state), and don’t “duplicate” logging
        of packets received on this interface to the pflog/pflow interfaces above.

        And after that, basically replicate the em2/bridge0 logging with
        similar logging for em3/bridge1, to distinct pflog/pflow interfaces.

Here is my current pf.conf. It doesn’t do what I want above, but this is the only 
thing I have gotten to work at all:

        set state-defaults pflow
        set skip on lo

        pass log on bridge0

        block           # block stateless traffic
        pass            # establish keep-state

        block in on ! lo0 proto tcp to port 6000:6010

Is there a better way to log packets received on the bridge than by “pass”ing 
them?
I tried to tag the packets coming in from em2 in the bridge config, but haven’t 
yet figured out how to use that tag to help me log.

With the above, and with

        ifconfig pflow0 flowsrc 192.168.128.61 flowdst 192.168.128.61:1234 pflowproto 9

I’ve gotten some flow data to show up and I’ve used nfsen to look at it.

I’d greatly appreciate any advice/pointers on how I can do what I describe 
above.
I’ve spent many hours trying different things, reading man pages, and books 
(The Book of PF, Network Flow Analysis, etc.).

Don
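One way to lay out the rules the post asks for, as an added example that is not the poster's configuration and not taken from OpenBSD's own documentation. It keeps the post's interface roles (em2 and em3 are the tap's monitor legs, em0 is the ordinary network port) and assumes that pflog1, pflog2 and bridge1 have been created with ifconfig(8) and that the bridge rules tag frames tap_b (em2) and tap_c (em3); pflog1, pflog2, bridge1 and the tap_c tag are names chosen here. The rules are written `on em2` / `on em3`; if pf on your system only sees the tapped frames as `on bridge0`, as the post's working rule suggests, substitute the bridge names. The per-rule pflog interface comes from the `log (to ...)` option, and flow export is confined to the tap rules by dropping `set state-defaults pflow` and putting the `pflow` state option only on the states those rules create.

```pf
# Added example, not the poster's pf.conf. Interface roles follow the post:
#   em2, em3  = network-tap monitor legs (bridge0 / bridge1 members, no address)
#   em0       = the host's ordinary network port, left unmonitored
# Assumed to exist already (names chosen for this example):
#   ifconfig pflog1 create ; ifconfig pflog2 create
#   ifconfig bridge1 add em3 ; ifconfig bridge1 rule pass in on em3 tag tap_c
#   ifconfig pflow0 flowsrc 192.168.128.61 flowdst 192.168.128.61:1234 pflowproto 9

set skip on lo

# Deliberately NOT "set state-defaults pflow": that would flag every state,
# including em0's own traffic, for export. The pflow option is set per rule.

# Tap leg A (LAN -> firewall): log every frame to pflog1 and export its flows.
# The bridge rule tagged the frame tap_b on entry; "tagged" stops this rule
# from matching anything else that might arrive on em2.
# pflow is a state option, so this has to be a pass rule that keeps state.
pass in log (to pflog1) quick on em2 tagged tap_b keep state (pflow)

# Tap leg B (firewall -> LAN): same treatment, to pflog2.
pass in log (to pflog2) quick on em3 tagged tap_c keep state (pflow)

# Anything else arriving on the monitor legs (untagged) is dropped silently.
block in quick on { em2, em3 }

# em0 is the only interface the host really uses: default stateful policy,
# no log and no pflow, so nothing it carries is duplicated into pflog1/pflog2.
block in on em0 proto tcp to port 6000:6010     # keep X11 closed, as before
block                                            # block stateless traffic
pass                                             # establish keep-state
```

On the "better than passing" question: a `match in log (to pflog1) on em2 tagged tap_b` rule logs without taking the pass/block decision, but match rules create no state and so cannot feed pflow; that is why the tap rules above are pass rules. Passing is harmless here because a single-member bridge has no other port to forward to. The post also wants a distinct pflow interface per leg; the `(pflow)` option is only an on/off flag on the state, and I know of no per-rule selector among several pflow interfaces in a 5.3 pf.conf, so check pf.conf(5) and pflow(4) on the box before relying on that part.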
