Monday, July 18, 2011

OpenBSD Network Tap


The main purpose of a network tap is to log network traffic or collect network data without interfering with the traffic itself. Normally you can either buy an expensive network tap or build your own by tweaking network cables. However, if you don't want to buy a network tap because it is too expensive, and you don't want to tweak network cables to build one because that is considered unreliable on moderate/high speed networks, then you can try the setup described here. The interesting part about this setup is that you can distribute the network traffic to a stand-alone traffic collector. I'm not really sure how far it can be extended, since it may be possible to distribute the network traffic to multiple traffic collectors by using carp (I haven't tested it, but I think it is possible). I will just show the generally easy and simple setup here, which looks like this -

           ------------------
        rl0| OpenBSD(3Nics) |rl1
     ------|  (Network Tap) |------
           ------------------
                   |vr0
                   |
                --------
                |      |
                | OBSD |
                |      |
                --------
           (Traffic Collector)
Both rl0 and rl1 will be made members of a network bridge, and every frame that passes through the bridge (transparent, since no IP address is bound to it) is copied to vr0. You then connect the traffic collectors or sensors to vr0. Keep in mind that a straight cable is all you need for this setup.
To configure OpenBSD as the Network Tap -
Create the bridge pseudo-device
# ifconfig bridge0 create
Add rl0 and rl1 as members of bridge0
# brconfig bridge0 add rl0 add rl1 up
To copy every frame from bridge0 to vr0,
# brconfig bridge0 addspan vr0
You may find this familiar: the span port on a managed network switch, used for port mirroring. Yes, you can do the same with either an OpenBSD or a FreeBSD box; I'm not really sure about NetBSD or Linux since I haven't tested on them. If you read the brconfig man page carefully (on FreeBSD you can find this in man ifconfig) -
addspan interface-name
            Add the interface named by interface-name as a span port on the
            bridge.  See the SPAN PORTS section for more details.
SPAN PORTS
    The bridge can have interfaces added to it as span ports.  Span ports
    transmit a copy of every frame received by the bridge.  This is most use-
    ful for snooping a bridged network passively on another host connected to
    one of the span ports of the bridge.  Span ports cannot be bridge mem-
    bers; instead, the addspan and delspan commands are used to add and
    delete span ports to and from a bridge.
Before you collect network traffic, make sure you enable IP forwarding by tuning the sysctl value so that the network bridge works properly. Now you have an OpenBSD box working as a passive network tap, and you can connect your BSD/Linux traffic collector or sensor to vr0. The simple way to test it is like this (via a second OpenBSD box) -
# ifconfig nfe0 promisc -arp up
# tcpdump -i nfe0
Now the traffic is collected by your second OpenBSD box, and you can use NSM-based applications - argus, snort, bro-ids - to perform whatever analysis you want.
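The tap-side commands above and the collector-side test, assembled into one script as an added example (this is not code from the original post). Interface names rl0, rl1, vr0 and nfe0 follow the post; the tap_* and collector_* helper names, the DRY_RUN switch, the generated hostname.if(5) contents and the check that the span port is not also a bridge member (the rule from the SPAN PORTS man page text quoted above) are this example's own. By default it only prints the commands, so it can be reviewed on any machine; set DRY_RUN=0 on the OpenBSD tap box to actually run them.

```shell
#!/bin/sh
# Added example: wrap the post's hand-typed tap setup in reusable functions.
# Interface names rl0/rl1/vr0/nfe0 follow the post; everything else here
# (function names, DRY_RUN, generated file contents) is this example's own.

# Validate the interface triple: the two member ports must differ from each
# other and from the span port, because span ports cannot be bridge members.
tap_validate() {
    in0=$1; in1=$2; span=$3
    [ -n "$in0" ] && [ -n "$in1" ] && [ -n "$span" ] || return 1
    [ "$in0" != "$in1" ] || return 1
    [ "$span" != "$in0" ] && [ "$span" != "$in1" ] || return 1
    return 0
}

# Print the ifconfig/brconfig sequence the post runs by hand.
# Member ports are brought up with no IP address so the bridge stays a
# transparent layer-2 device; the span port receives a copy of every frame.
tap_commands() {
    in0=$1; in1=$2; span=$3; br=${4:-bridge0}
    tap_validate "$in0" "$in1" "$span" || return 1
    printf 'ifconfig %s create\n' "$br"
    printf 'ifconfig %s up\n' "$in0"
    printf 'ifconfig %s up\n' "$in1"
    printf 'ifconfig %s up\n' "$span"
    printf 'brconfig %s add %s add %s up\n' "$br" "$in0" "$in1"
    printf 'brconfig %s addspan %s\n' "$br" "$span"
}

# Equivalent persistent configuration for /etc/hostname.bridge0
# (hostname.if(5) takes one brconfig-style command per line).
tap_hostname_if() {
    in0=$1; in1=$2; span=$3
    tap_validate "$in0" "$in1" "$span" || return 1
    printf 'add %s\nadd %s\naddspan %s\nup\n' "$in0" "$in1" "$span"
}

# Collector side (the post's second box): sniffing interface up in
# promiscuous mode with ARP disabled, then the capture command.
collector_commands() {
    mon=$1
    [ -n "$mon" ] || return 1
    printf 'ifconfig %s promisc -arp up\n' "$mon"
    printf 'tcpdump -i %s\n' "$mon"
}

# Run the tap commands, or with DRY_RUN=1 (the default) just print them
# as comments so the sequence can be reviewed before touching interfaces.
tap_apply() {
    cmds=$(tap_commands "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "# $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Stand-alone run: dry-run the post's rl0/rl1 -> vr0 layout and show what
# the collector would type.
tap_apply rl0 rl1 vr0
collector_commands nfe0
```

The validation step is the part worth keeping even if you type the commands by hand: if the interface you intend to mirror into is also added as a bridge member, the box stops being a passive tap and starts forwarding frames out of the collector port.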
This is very neat as it is completely transparent. I don't recommend running those NSM-based applications against the bridge interface on the same box unless your boss wants to save the cost. This setup can survive a moderate speed network pretty well with good hardware, since there are no applications but only the operating system running (I haven't had the chance to test on a high speed network such as a gigabit fabric; maybe someone can test it if possible).
Hopefully this is useful. I'm pretty sure you can't build the same setup with the FreeBSD Operating System.