Configuring virtual network interface as sniffing interface

0

I have a Snort IDS running Ubuntu Server 16.04 with one physical Ethernet interface (eno1). I have configured two virtual network interfaces using the eno1 interface: eno1:0 for the sniffing interface and eno1:1 for the management interface, which is configured with a static IP address. The problem I am experiencing is that only the management interface (eno1:1) is up, while the sniffing interface (eno1:0) is down, as indicated in the output of ifconfig below:

eno1      Link encap:Ethernet  HWaddr c4:34:6b:61:d1:b3
          inet6 addr: fe80::c634:6bff:ac61:d1b3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28019 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3471780 (3.4 MB)  TX bytes:116452 (116.4 KB)
          Interrupt:20 Memory:f7c00000-f7c20000

eno1:1    Link encap:Ethernet  HWaddr c4:34:6b:61:d1:b3
          inet addr:192.168.1.154  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Memory:f7c00000-f7c20000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12020 (12.0 KB)  TX bytes:12020 (12.0 KB)

Below are the settings for both the sniffing and management interfaces contained in /etc/network/interfaces:

# sniffer interface
auto eno1:0

iface eno1:0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

post-up ethtool -K eno1:0 gro off
post-up ethtool -K eno1:0 lro off

# management interface
auto eno1:1

iface eno1:1 inet static
        address 192.168.1.154
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.2
        dns-nameservers 1.1.1.1

The configuration settings for the sniffing interface have been used from this link, but the sniffing interface does not go up. What could be the problem?

synthesis

Posted 2018-06-18T18:35:01.980

Reputation: 41

Answers

0

On modern Linux, eno1:0 and eno1:1 are just an artefact that was used to assign multiple IP addresses to a single interface eno1. The newer utility ip does this directly. So these are not really "virtual interfaces".

In particular, you can't put one of them in promiscuous mode, while the other is normal.

Is there anything that prevents you from just using eno1, configuring it normally, and just letting Snort put it into promiscuous mode?

dirkt

Posted 2018-06-18T18:35:01.980

Reputation: 11 627

With regard to only using eno1, that is the current setting and it works. The reason for using two virtual interfaces was to follow the best practice of separating the management interface from the sniffing interface. – synthesis – 2018-06-19T09:24:47.780

To my knowledge, it's not possible to split a single physical interface into virtual interfaces this way. Either the interface is promiscuous, or it is not. (Though you could e.g. use a MACVLAN, but then it will have a different MAC address, should the process using it decide to send packets instead of just receiving them, so it's more like two different interfaces on the same LAN segment, and not like a normal interface and a sniffing interface). But I'm sure someone will correct me if I'm wrong. :-) – dirkt – 2018-06-19T09:33:33.663
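The point made in the answer, that eno1:0 and eno1:1 are labels on the single device eno1 and share its promiscuous flag, can be checked from sysfs. The script below is an added example, not code from the question or the answer; the function names and the SYSFS_NET override (used so the check can be pointed at a test directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve an interface name to its kernel device and report
# whether that device is in promiscuous mode.
# SYSFS_NET is an assumption for testing; it defaults to the real sysfs path.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
IFF_PROMISC=256   # 0x100, IFF_PROMISC in linux/if.h

# base_dev NAME: strip an alias label, e.g. "eno1:0" -> "eno1".
base_dev() {
    printf '%s\n' "${1%%:*}"
}

# is_alias NAME: succeeds when NAME is an alias label (contains ':').
is_alias() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# has_flag DEV MASK: test a bit in $SYSFS_NET/DEV/flags (a hex value such as 0x1103).
has_flag() {
    flags_file="$SYSFS_NET/$1/flags"
    [ -r "$flags_file" ] || return 2
    flags=$(cat "$flags_file")
    [ $(( $flags & $2 )) -ne 0 ]
}

# describe NAME: print "NAME kind=... promisc=on|off"; fails if the device is missing.
describe() {
    name=$1
    dev=$(base_dev "$name")
    if [ ! -d "$SYSFS_NET/$dev" ]; then
        echo "$name: no such device"
        return 1
    fi
    kind=device
    if is_alias "$name"; then kind="alias-of-$dev"; fi
    promisc=off
    if has_flag "$dev" "$IFF_PROMISC"; then promisc=on; fi
    echo "$name kind=$kind promisc=$promisc"
}

# Stand-alone use: ./check.sh eno1 eno1:0 eno1:1
for name in "$@"; do
    describe "$name" || true
done
```

Alias labels have no entry of their own under /sys/class/net, so both eno1:0 and eno1:1 always report the flag state of eno1.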