# preferred ifconfig for pure traffic analysis/IDS?



## gardner (Nov 6, 2020)

I am on 11.4R amd64.  I have a hardware NIC (fxp0) that I want to do pure traffic analysis on using snort, tcpdump or the equivalent.  It is physically connected to my switch on a port that will be configured to mirror other ports from time to time.  But I do not want this interface to ever be a real IP interface.  I've found that the interface must be "up" to receive anything, but it seems that if I don't configure an IP address, it only sees ethernet broadcast/multicast, which seems weird.  I have configured:


```
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:90:27:aa:aa:aa
        hwaddr 00:90:27:aa:aa:aa
        inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.240
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

This works as expected and can gather the traffic I expect to be able to see and analyse.  Is using IPv4 address 0.0.0.0 a sensible choice?  Is there a preferred ifconfig arrangement for this purpose?


----------



## eldaemon (Nov 6, 2020)

Try promisc, at least that's what you would use on Linux.


----------



## SirDice (Nov 7, 2020)

gardner said:


> I've found that the interface must be "up" to receive anything, but it seems that if I don't configure an IP address, it only sees ethernet broadcast/multicast, which seems weird.


That's how switches work. It will only ever put traffic on that port that's actually destined for the attached MAC address and multicast/broadcasts. It has nothing to do with the settings on FreeBSD. Managed switches allow you to configure a 'mirror' or monitor port, that's a specific switch configuration that will duplicate all traffic on the switch to that port. 

Port mirroring - Wikipedia (en.wikipedia.org)

----------



## gardner (Nov 10, 2020)

I have settled on
`ifconfig fxp0 monitor promisc`

promisc is not essential, since the analysis programs would put the NIC in promiscuous anyhow, but "monitor" is exactly what I want -- it is expressly designed for this application.
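A small audit of the arrangement settled on above, added here as an example that is not part of the thread: it parses `ifconfig(8)` output for the sensor NIC and reports anything that would make it a "real IP interface" (any inet/inet6 address, even 0.0.0.0) or that leaves it without the MONITOR flag. The first sample is the ifconfig text from the original post; the second is constructed to show what `ifconfig fxp0 monitor promisc` would report (the flags value 0x48943 is computed from the IFF_* bits, not captured from a system).

```python
"""Audit a FreeBSD capture-only interface from its ifconfig(8) output.

Added example, not from the thread.  A sensor NIC used only by
tcpdump/snort should be UP, carry the MONITOR flag and have no
IPv4/IPv6 address at all.  PROMISC is reported but not required,
since the capture programs enable it themselves.
"""
import re

# Constructed sample 1: the poster's original 0.0.0.0 arrangement.
IFCONFIG_INET_ZERO = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:90:27:aa:aa:aa
        inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.240
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
"""

# Constructed sample 2: the same NIC after `ifconfig fxp0 monitor promisc`
# (flags value assumed: 0x8843 + PROMISC 0x100 + MONITOR 0x40000).
IFCONFIG_MONITOR = """\
fxp0: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:90:27:aa:aa:aa
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
"""

# Header line of a single interface and its flag list.
FLAGS_RE = re.compile(r"^(?P<name>\w+): flags=[0-9a-f]+<(?P<flags>[^>]*)>", re.M)
# Any indented "inet ..." or "inet6 ..." address line.
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)", re.M)


def parse_ifconfig(text):
    """Parse the output of `ifconfig <one interface>` into name, flags and addresses."""
    m = FLAGS_RE.search(text)
    if not m:
        raise ValueError("no interface header line found")
    flags = {f for f in m.group("flags").split(",") if f}
    addrs = ADDR_RE.findall(text)          # [(family, address), ...]
    return {"name": m.group("name"), "flags": flags, "addrs": addrs}


def audit_capture_iface(text):
    """Return a list of problems; an empty list means the NIC is capture-only."""
    info = parse_ifconfig(text)
    problems = []
    if "UP" not in info["flags"]:
        problems.append("interface is not UP, it will not receive frames")
    if "MONITOR" not in info["flags"]:
        problems.append("MONITOR flag not set; use `ifconfig %s monitor`" % info["name"])
    for family, addr in info["addrs"]:
        problems.append("%s address %s configured on a sensor interface" % (family, addr))
    return problems


if __name__ == "__main__":
    # Run against a live interface: python3 audit_iface.py fxp0
    import subprocess
    import sys
    out = subprocess.run(["ifconfig", sys.argv[1]], capture_output=True,
                         text=True, check=True).stdout
    for problem in audit_capture_iface(out) or ["ok: capture-only interface"]:
        print(problem)
```

Run against the live NIC it prints one line per problem, so it is easy to drop into a cron job or a post-boot check that the sensor port has not quietly acquired an address.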


----------



## gardner (Nov 10, 2020)

SirDice said:


> That's how switches work



Well, obviously -- I did already say I was using port mirroring on my switch.  The thing I found weird was that simply configuring the NIC "up" and promiscuous via tcpdump wasn't enough to receive the non-broadcast traffic at that port.  "monitor" works fine though, and is designed for the job.


----------



## gardner (Nov 13, 2020)

Okay, I have been dinking with netgraph(4) and ng_netflow(4) according to the very useful writeup on nfdump by woodsb02.

I have found that if I configure the monitor interface with ifconfig monitor, the frames are discarded before being passed to netgraph and therefore I can't use "monitor".  I believe I can build a netgraph configuration that explicitly discards the network traffic, after generating the netflow data, but I am unclear on how to do this.  If anyone has pointers on this, I'd be grateful.  Currently I have:

```
ngctl -f- <<-DONE
        # attach a netflow node to fxp0's lower (wire-side) hook as iface0
        mkpeer fxp0: netflow lower iface0
        name fxp0:lower netflow
        # pass accounted frames on to the upper (stack-side) hook via out0
        connect fxp0: netflow: upper out0
        # export NetFlow datagrams over UDP to the local collector
        mkpeer netflow: ksocket export inet/dgram/udp
        msg netflow:export connect inet/127.0.0.1:4444
        msg netflow:setconfig {iface=0 conf=7}
DONE
```
I am a total newbie on netgraph, so any pointers would be welcome.  Thanks.
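Added example, not from the thread and not FreeBSD's own tooling: the `export` hook of ng_netflow(4) emits NetFlow v5, so whatever is bound to 127.0.0.1:4444 in the script above has to decode that format. This parser validates the version and the record count against the datagram length before trusting the header, and decodes each 48-byte record into a named tuple. The two-flow sample datagram is constructed in the code (addresses from the 192.0.2.0/24 documentation range); the bind address and port are the ones used in the ngctl script.

```python
"""Decode NetFlow v5 datagrams such as those ng_netflow(4) sends on its "export" hook.

Added example, not from the thread.  The sample datagram is constructed
here; the collector address matches the ngctl script (127.0.0.1:4444).
"""
import socket
import struct
from collections import namedtuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
MAX_RECORDS = 30                                          # v5 datagram limit

Flow = namedtuple("Flow", "src dst proto sport dport packets octets tcp_flags input output")


def parse_netflow_v5(datagram):
    """Return (header dict, [Flow, ...]); raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Check the count against the payload instead of trusting the header blindly.
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not fit a %d-byte datagram"
                         % (count, len(datagram)))
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits are the interval
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, ifin, ifout, pkts, octets, _first, _last,
         sport, dport, _pad1, tflags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                          sport, dport, pkts, octets, tflags, ifin, ifout))
    return header, flows


def build_sample_datagram():
    """Constructed two-flow datagram: an SSH (TCP/22) flow and a DNS (UDP/53) flow."""
    hdr = V5_HEADER.pack(5, 2, 120000, 1604966400, 0, 0, 0, 0, 0)
    recs = [
        V5_RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"),
                       b"\0\0\0\0", 0, 0, 12, 1840, 100000, 119000,
                       51234, 22, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        V5_RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.53"),
                       b"\0\0\0\0", 0, 0, 1, 73, 118000, 118000,
                       40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0),
    ]
    return hdr + b"".join(recs)


def collect(bind_addr=("127.0.0.1", 4444), max_datagrams=None):
    """Bind the export target from the ngctl script and yield parsed datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    received = 0
    while max_datagrams is None or received < max_datagrams:
        data, _peer = sock.recvfrom(65535)
        received += 1
        try:
            yield parse_netflow_v5(data)
        except ValueError as exc:
            print("dropped datagram:", exc)


if __name__ == "__main__":
    # Live use on the sensor host: prints one line per exported flow.
    for header, flows in collect():
        for fl in flows:
            print("%s:%d -> %s:%d proto=%d pkts=%d bytes=%d"
                  % (fl.src, fl.sport, fl.dst, fl.dport, fl.proto, fl.packets, fl.octets))
```

The collector is deliberately strict: a truncated datagram or one whose count field exceeds the payload is dropped with a message rather than partially decoded, which is the behaviour you want on a box whose only job is to watch traffic.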


----------

