README.promisc
Hello,
If you wish to account, with the ipt-netflow module, for traffic mirrored on a switch,
you may follow one of these examples:
Solution 1: Promisc-hack module option. [2014]
Solution 2: General kernel patch. [2008]
Solution 3: Alternative w/o kernel patch, using bridges. [2010]
**************
* Solution 1 *
**************
No kernel patching is needed anymore! (As in easy.)
Compile the module with the `./configure --enable-promisc' option. This enables
the `promisc=' module parameter and the sysctl parameter `net.netflow.promisc'.
Set either of these to `1' to enable the promisc hack (you will see a dmesg message
that it is enabled); set it to `0' to disable it (the default).
With this option turned on, promiscuous-mode traffic is passed into the `PREROUTING'
chain of the `raw' table (the same as with the promisc patches). Briefly it's like this:
# cd ipt-netflow/
# ./configure --enable-promisc
# make all install
# iptables -A PREROUTING -t raw -i eth2 -j NETFLOW
# sysctl net.netflow.promisc=1
# ifconfig eth2 promisc
# grep Promisc /proc/net/stat/ipt_netflow
Now you should be able to see the count of promisc-observed packets increasing.
Note that enabling the module parameter promisc=1 will not enable promiscuous
mode on the network cards; these are completely different things. This option
lets iptables see promiscuous traffic. That traffic is not routed anywhere and
is discarded right after passing the PREROUTING chain.
Do not enable this option if your kernel is already patched with the promisc
patch, as this may cause double accounting. Either keep the option disabled or
remove the patch. Promisc patching is completely custom and non-standard, so if
you did not apply it you are most probably safe to use the promisc option. If in
doubt, measure whether the module sees traffic in raw/PREROUTING; if it doesn't,
you don't have the patch applied and it is certainly safe to use the option.
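The raw/PREROUTING measurement described above, as an added example that is not part of ipt-netflow: a small POSIX shell script that samples the packet counters of the NETFLOW rules in the raw table's PREROUTING chain twice and reports the delta. The counter parsing assumes the standard column layout of `iptables -t raw -L PREROUTING -v -n -x` (pkts, bytes, target, ...); the two sample listings embedded in the script are constructed for the offline test, not captured from a real host. Run it with promisc=0, the interface already in promiscuous mode and mirrored traffic arriving on it: a delta of zero means no promisc patch is in effect and the module option is safe to enable; a non-zero delta means promiscuous traffic already reaches the raw table, so enabling promisc=1 on top of it is what the README warns about.

```shell
#!/bin/sh
# Added example, not part of ipt-netflow: check whether NETFLOW rules in
# raw/PREROUTING are actually seeing packets, by sampling the rule counters
# twice and comparing them. Run the live check as root on the sensor box.

# netflow_pkts LISTING
# Sum the "pkts" column of every NETFLOW rule in LISTING, which is the text
# of `iptables -t raw -L PREROUTING -v -n -x` (assumed column order:
# pkts bytes target prot opt in out source destination).
netflow_pkts() {
    printf '%s\n' "$1" | awk '$3 == "NETFLOW" { sum += $1 } END { print sum + 0 }'
}

# pkts_delta BEFORE AFTER
# Number of packets the NETFLOW rules counted between the two listings.
pkts_delta() {
    b=$(netflow_pkts "$1")
    a=$(netflow_pkts "$2")
    echo $((a - b))
}

# live_check [INTERVAL]
# Sample the real counters INTERVAL seconds apart (default 5) and report.
live_check() {
    interval=${1:-5}
    before=$(iptables -t raw -L PREROUTING -v -n -x)
    sleep "$interval"
    after=$(iptables -t raw -L PREROUTING -v -n -x)
    d=$(pkts_delta "$before" "$after")
    if [ "$d" -gt 0 ]; then
        echo "raw/PREROUTING NETFLOW rules saw $d packets in ${interval}s"
        echo "(promisc traffic already reaches the raw table: check for the kernel patch before enabling promisc=1)"
    else
        echo "raw/PREROUTING NETFLOW rules saw no packets in ${interval}s"
        echo "(no promisc patch in effect: the promisc=1 module option is safe to enable)"
    fi
}

# Constructed sample listings for offline testing (not captured from a real host).
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 10 packets, 1200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100      64000 NETFLOW    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 10 packets, 1200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     350     224000 NETFLOW    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0'

# Run the live check only when asked: `sh promisc_check.sh --live 10`.
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-5}"
fi
```

The parsing functions are kept separate from the live sampling so the logic can be exercised against a saved listing; on the sample data above the delta is 250 packets.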
**************
* Solution 2 *
**************
1. Patch your kernel with `raw_promisc.patch' to enable the raw table to see promisc traffic.
# cd /usr/src/linux
# patch -p1 < ~/ipt_netflow/raw_promisc.patch
Then recompile and reinstall the patched kernel.
2. For example, you are mirroring traffic on your Cisco switch to VLAN 47:
# interface FastEthernet0/32
# description this port with vlan 47
# switchport trunk encapsulation dot1q
# switchport mode trunk
# !
# interface FastEthernet0/33
# port monitor FastEthernet0/32
# !
3. Enable promisc mode on the interface to actually see the packets:
# /sbin/ifconfig eth1 promisc
4. Configure the VLAN on your Linux box:
# /sbin/vconfig add eth1 47
# /sbin/ifconfig eth1.47 up
5. Compile the module:
# make clean all install
6. Load the ipt_netflow module:
# /sbin/modprobe ipt_NETFLOW hashsize=160000 destination=127.0.0.1:9800
7. Direct all packets from VLAN 47 to the ipt_netflow module:
# /sbin/iptables -A PREROUTING -t raw -i eth1.47 -j NETFLOW
Voila.
P.S. For Debian Squeeze instructions, look at raw_promisc_debian_squeeze6.patch.
**************
* Solution 3 *
**************
By Anonymous.
> raw promisc hack is not needed
> there is a more elegant way to capture port mirrored traffic:
>
> 1. create a bridge of eth0 and dummy0
> 2. put eth0 to promisc
> 3. add a "-i br0 -j NETFLOW" rule to FORWARD (possibly also -j DROP after that)
>
> ...for some reason it works when ipt_netflow is attached to a bridge, but
> requires the promisc hack when attached to a real promisc interface.
Sometimes you may need to run:
# brctl setageing br0 0
for this scheme to work.
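The bridge recipe from the quoted note, written out as an added example that is neither ipt-netflow's code nor the note author's own script: a POSIX shell function that creates the dummy interface, bridges it with the mirror-port NIC, puts the NIC into promiscuous mode, sets the bridge ageing time to 0 and installs the FORWARD rules (NETFLOW followed by DROP, so mirrored frames are accounted and then discarded rather than forwarded anywhere). The interface names br0, eth0 and dummy0 are the ones from the note; `ip link add ... type dummy' and `ip link set ... promisc on' are used here in place of modprobe/ifconfig, and `brctl' for the bridge as on this page. Setting DRY_RUN=1 prints the commands instead of executing them, which is what the offline test exercises; a matching teardown function is included so the change can be reverted cleanly.

```shell
#!/bin/sh
# Added example, not part of ipt-netflow: set up the bridge-based capture from
# Solution 3. Run as root; with DRY_RUN=1 the commands are only printed.

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_bridge_capture BRIDGE NIC DUMMY
# NIC is the interface the switch mirrors traffic to; DUMMY is a dummy interface
# that gives the bridge a second port so the frames have somewhere to be forwarded.
setup_bridge_capture() {
    br=$1; nic=$2; dummy=$3
    run ip link add "$dummy" type dummy          # needs the dummy kernel module
    run brctl addbr "$br"                        # step 1 of the note
    run brctl addif "$br" "$nic"
    run brctl addif "$br" "$dummy"
    run ip link set "$nic" promisc on            # step 2 of the note
    run ip link set "$nic" up
    run ip link set "$dummy" up
    run ip link set "$br" up
    run brctl setageing "$br" 0                  # sometimes required, per the README
    run iptables -A FORWARD -i "$br" -j NETFLOW  # step 3: account the frames...
    run iptables -A FORWARD -i "$br" -j DROP     # ...then discard them
}

# teardown_bridge_capture BRIDGE NIC DUMMY: undo the above in reverse order.
teardown_bridge_capture() {
    br=$1; nic=$2; dummy=$3
    run iptables -D FORWARD -i "$br" -j DROP
    run iptables -D FORWARD -i "$br" -j NETFLOW
    run ip link set "$br" down
    run brctl delif "$br" "$dummy"
    run brctl delif "$br" "$nic"
    run brctl delbr "$br"
    run ip link set "$nic" promisc off
    run ip link del "$dummy"
}

# Usage:
#   sh bridge_capture.sh preview   # print the command sequence, touch nothing
#   sh bridge_capture.sh up        # apply it (root)
#   sh bridge_capture.sh down      # revert it (root)
case "${1:-}" in
    preview) DRY_RUN=1; setup_bridge_capture br0 eth0 dummy0 ;;
    up)      setup_bridge_capture br0 eth0 dummy0 ;;
    down)    teardown_bridge_capture br0 eth0 dummy0 ;;
esac
```

The DROP rule directly after the NETFLOW rule is the "possibly also -j DROP" from the note: it keeps the box from acting as a forwarding path for the mirrored traffic while the NETFLOW target still sees every frame.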