Recently, I've had the pleasure of applying the passive ethernet tap
documented at http://www.snort.org/docs/tap/ to a network sniffing
project in a large production multiuser environment.
The nature of this tap splits the traffic across the receive channel
of two ethernet ports. The traffic must be reconstructed before
it can be used for sniffing purposes. Transmission is disabled on the
tap ports, and the traffic traveling over the network is unaffected
by the presence of the tap.
Michael Peters, the author of the document describing the tap,
provided helpful information for using the tap with Solaris. However,
use with Linux and other operating systems was left as an exercise to
the reader.
Below, I'd like to relate my successful experience using the tap with
Debian Linux and the details required for its proper operation.
My network sniffer of choice for this project was a Compaq desktop
with several 10/100 3com cards. I applied a clean install of Debian
Linux, specifically Woody with the 2.4 kernel.
The network link that I tapped was running full duplex, 100 megabit
ethernet. I also tested the tap with half duplex, 10 megabit ethernet.
This diagram demonstrates the setup of the passive tap and the sniffer host.
In Debian, the Linux kernel interface bonding driver is used to
reconstruct the traffic from the pair of interfaces attached to the
tap. Debian ships with the required kernel module; however, some
utilities are needed to activate the bonding interface and bind
interfaces to it.
The "ifenslave" package contains the utilities needed to configure
the bonding interface. Downloading and installing it with Debian's
apt package manager is simple, as shown below.
# apt-cache search ifenslave
ifenslave - Attach and detach slave interfaces to a bonding device.
# apt-get install ifenslave
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
ifenslave
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 8412B of archives. After unpacking 73.7kB will be used.
Get:1 http://http.us.debian.org stable/main ifenslave 0.07-1 [8412B]
Fetched 8412B in 0s (24.0kB/s)
Selecting previously deselected package ifenslave.
(Reading database ... 15297 files and directories currently installed.)
Unpacking ifenslave (from .../ifenslave_0.07-1_i386.deb) ...
Setting up ifenslave (0.07-1) ...
Before configuring the bonding interface, the bonding kernel module
must be loaded.
# modprobe bonding
Now that the ifenslave utility has been installed and the kernel
module loaded, we can configure the bonding interface.
To bring the bonding interface online without an IP address, perform
the following commands. My example uses eth0 and eth1 for the
receiving interfaces attached to the tap.
# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
# ifconfig bond0 promisc up
# ifenslave -e bond0 eth0 eth1
Note that each interface bound to the bond0 interface must be placed
in promiscuous mode beforehand. Placing bond0 into promiscuous mode
does not change the interfaces bound to it.
Now bond0 can be used as a packet source by the chosen network
sniffing tool. In my experience, bond0 required an IP address; however,
this depends on the network sniffing tool and the sniffing methods
employed.
The commands loading the kernel module and configuring the interface
can easily be scripted to automate configuration of the bond0
interface.
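The following script is an added example, not part of the original article, that automates the steps above (module load, promiscuous mode on each tap receive interface, then enslaving them to bond0) and adds a post-setup check that every interface really reports PROMISC. The ifconfig and ifenslave invocations are taken verbatim from the article; the function names, the DRY_RUN switch, and the grep-based check are assumptions of this example.

```sh
#!/bin/sh
# Hypothetical helper (not from the original article) that scripts the
# tap bonding procedure. Set DRY_RUN=1 to print the commands instead of
# executing them; real execution needs root and the ifenslave package.

run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: tap_bond_setup <bond-interface> <tap-rx-interface-1> <tap-rx-interface-2>
# Runs (or prints) the command sequence; returns non-zero on bad arguments
# or if any step fails.
tap_bond_setup() {
    bond="$1"; slave_a="$2"; slave_b="$3"
    if [ -z "$bond" ] || [ -z "$slave_a" ] || [ -z "$slave_b" ] \
        || [ "$slave_a" = "$slave_b" ]; then
        echo "usage: tap_bond_setup <bond> <slave1> <slave2> (distinct slaves)" >&2
        return 1
    fi
    run_cmd modprobe bonding || return 1
    # Each slave must be in promiscuous mode BEFORE it is enslaved;
    # setting PROMISC on the bond interface alone does not propagate.
    for slave in "$slave_a" "$slave_b"; do
        run_cmd ifconfig "$slave" promisc up || return 1
    done
    # No IP address is assigned here: the tap ports cannot transmit anyway.
    run_cmd ifconfig "$bond" promisc up || return 1
    run_cmd ifenslave -e "$bond" "$slave_a" "$slave_b"
}

# Usage: tap_bond_check <iface> [<iface> ...]
# Returns 0 only if every named interface shows PROMISC in ifconfig output,
# so a forgotten "promisc" on a slave is caught before sniffing starts.
tap_bond_check() {
    for iface in "$@"; do
        ifconfig "$iface" 2>/dev/null | grep -q 'PROMISC' || {
            echo "$iface is not in promiscuous mode" >&2
            return 1
        }
    done
    return 0
}
```

Run it as root with `tap_bond_setup bond0 eth0 eth1 && tap_bond_check bond0 eth0 eth1`; a non-zero exit from either function means the tap is not ready to be used as a packet source.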
Since transmission is disabled on the interfaces attached to the tap,
another network interface is required for remote administration and
other outbound traffic (i.e. mail alerts, syslog, ssh, etc.).
Best of luck applying the network tap to your network sniffing
projects. Comments and suggestions are welcome!
Russell Adams
Copyright 2004 by Russell Adams and Adams Information Services.