First of all, you can check whether you are receiving VLAN-tagged traffic on the port-mirror interface you are listening to:
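# -n: no name resolution; -e: print the link-layer header, which is what shows
# the 802.1Q ethertype and VLAN id in the output below; -vvv: full verbosity;
# -i eth2: capture on the mirror port. The original line ran the flags together
# ("-nivvveeth2"), which tcpdump parses as "-i vvveeth2" (a non-existent interface).
tcpdump -n -e -vvv -i eth2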
172.29.24.218.8888 > 10.196.12.218.62165: Flags [.], cksum 0xe6f8 (correct), seq 1932, ack 2509758, win 19660, options [nop,nop,TS val 48091469 ecr 3064787], length 0 12:34:20.377983 00:10:db:ff:21:60 > 00:00:0c:07:ac:0f, ethertype 802.1Q (0x8100), length 70: vlan 2300, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 17567, offset 0, flags [none], proto TCP (6), length 52)
Fprobe does have an option to process VLAN traffic.
You have to start fprobe like this (see man fprobe):
Capturing from trunk interface:
# -i: the trunk interface carrying the mirrored VLANs; -f: BPF filter that keeps
# only 802.1Q-tagged IP frames; -K18: passed straight to fprobe, see the man page
# cited above for its meaning; flows are exported to the collector at localhost:2055.
fprobe -ieth0 -f"vlan&&ip" -K18 localhost:2055
If for some reason the previous command does not work for you, or you want to be able to send single flows per VLAN, you can try the following workaround:
- Change the MTU to 1520 bytes and check with ifconfig that the interface is not dropping packets.
- Create a subinterface for each of these VLANs.
- /etc/network/interfaces
av-appliance-sensor:~# cat /etc/network/interfaces
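# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary (management) network interface
#allow-hotplug eth0
auto eth0
iface eth0 inet static
  address 172.29.60.35
  netmask 255.255.255.0
  network 172.29.60.0
  broadcast 172.29.60.255
  gateway 172.29.60.1
  # dns-* options are implemented by the resolvconf package, if installed
  dns-nameservers 10.128.4.7
  dns-search alienvault

# eth2: trunk port receiving the mirrored VLAN traffic. No address is assigned
# (0.0.0.0) so the sensor stays passive on this port; MTU is raised to 1520
# (presumably to leave room for the 802.1Q tag on full-size frames — check
# ifconfig for drops) and promisc is set so every mirrored frame is delivered.
# The 8021q module is loaded here, before the eth2.* stanzas below are processed.
auto eth2
iface eth2 inet manual
  up ifconfig eth2 0.0.0.0 up mtu 1520 promisc
  up modprobe 8021q

# One subinterface per mirrored VLAN; these are the interfaces fprobe listens on.
auto eth2.1100
iface eth2.1100 inet manual
  up ifconfig eth2.1100 up promisc
  vlan_raw_device eth2

auto eth2.1200
iface eth2.1200 inet manual
  up ifconfig eth2.1200 up promisc
  vlan_raw_device eth2

auto eth2.1300
iface eth2.1300 inet manual
  up ifconfig eth2.1300 up promisc
  vlan_raw_device eth2

auto eth2.2300
iface eth2.2300 inet manual
  up ifconfig eth2.2300 up promisc
  vlan_raw_device eth2

# eth4: second mirror trunk, configured exactly like eth2.
auto eth4
iface eth4 inet manual
  up ifconfig eth4 0.0.0.0 up mtu 1520 promisc
  up modprobe 8021q

auto eth4.1100
iface eth4.1100 inet manual
  up ifconfig eth4.1100 up promisc
  vlan_raw_device eth4

auto eth4.1200
iface eth4.1200 inet manual
  up ifconfig eth4.1200 up promisc
  vlan_raw_device eth4

auto eth4.1300
iface eth4.1300 inet manual
  up ifconfig eth4.1300 up promisc
  vlan_raw_device eth4

auto eth4.2300
iface eth4.2300 inet manual
  up ifconfig eth4.2300 up promisc
  vlan_raw_device eth4

# eth5: second static interface on 172.29.49.32/28
auto eth5
iface eth5 inet static
  address 172.29.49.46
  netmask 255.255.255.240
  network 172.29.49.32
  # broadcast corrected: the original file had 172.29.60.47, which does not
  # belong to 172.29.49.32/28 (the directed broadcast of that /28 is .47).
  broadcast 172.29.49.47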
- Start an fprobe instance for every vlan subinterface
- Replace fprobe's start script with fprobeAdditional:
# Keep the packaged init script as a backup, then turn /etc/init.d/fprobe into a
# symlink to the replacement so anything that still calls /etc/init.d/fprobe
# (rc links, monit) ends up running fprobeAdditional.
av-appliance-sensor:~# mkdir /root/bck
av-appliance-sensor:~# mv /etc/init.d/fprobe /root/bck/init.d.fprobe
av-appliance-sensor:~# ln -s /etc/init.d/fprobeAdditional /etc/init.d/fprobe
- av-appliance-sensor:~# cat /etc/init.d/fprobeAdditional
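#!/bin/bash
# Init script that runs one fprobe exporter per mirrored VLAN subinterface plus
# one per trunk interface; installed in place of the packaged /etc/init.d/fprobe.
# Usage: /etc/init.d/fprobeAdditional {start|stop|restart|force-reload}
#
# Keep one exporter invocation per line inside the start arm of the case below:
# the cron watchdog /usr/local/sbin/checkFprobe derives its expected process
# count from those lines. The exporters leave no pid file, so stop and restart
# rely on killall by process name.

# The original script expanded an unset $NAME here, so the usage line printed
# "/etc/init.d/" with no script name; $0 is the path this script was invoked as.
N=$0

stop_exporters() {
  # SIGTERM every exporter, then allow a fixed grace period for them to exit.
  killall -15 fprobe
  sleep 5
}

case "$1" in
start)
  /usr/sbin/fprobe -ieth2.1100 -fip 172.29.60.34:11100
  /usr/sbin/fprobe -ieth2.1200 -fip 172.29.60.34:11200
  /usr/sbin/fprobe -ieth2.1300 -fip 172.29.60.34:11300
  /usr/sbin/fprobe -ieth2.2300 -fip 172.29.60.34:12300
  /usr/sbin/fprobe -ieth2 -fip 172.29.60.34:12000
  /usr/sbin/fprobe -ieth4.1100 -fip 172.29.60.34:11100
  /usr/sbin/fprobe -ieth4.1200 -fip 172.29.60.34:11200
  /usr/sbin/fprobe -ieth4.1300 -fip 172.29.60.34:11300
  /usr/sbin/fprobe -ieth4.2300 -fip 172.29.60.34:12300
  /usr/sbin/fprobe -ieth4 -fip 172.29.60.34:12000
  ;;
stop)
  stop_exporters
  ;;
restart|force-reload)
  # This arm was empty in the original, so any caller issuing "restart"
  # silently did nothing; stop the exporters and re-run our own start action.
  stop_exporters
  "$0" start
  ;;
*)
  echo "Usage: $N {start|stop|restart|force-reload}" >&2
  exit 1
  ;;
esac
exit 0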
- Assign correct permissions to /etc/init.d/fprobeAdditional:
# make the replacement init script executable (rwx for root, r-x for everyone else)
chmod 755 /etc/init.d/fprobeAdditional
- Check monit is not going to fail because of the changes we just made:
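# Validate monit's configuration first and restart it only when the check passes;
# the original restarted unconditionally, even after a failed syntax check.
monit -t && /etc/init.d/monit restart
# list the monit processes; unlike "ps axf | grep monit" pgrep does not list itself
pgrep -l monit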
- Create the script /usr/local/sbin/checkFprobe with the following content:
av-appliance-sensor:~# cat /usr/local/sbin/checkFprobe
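#!/bin/bash
# Cron watchdog for the per-VLAN fprobe exporters (run as root every 5 minutes
# from /etc/cron.d/checkFprobe). Compares the number of running fprobe
# processes with the number of exporter invocations listed in the init script;
# on a mismatch it stops every fprobe and runs the init script's start action.
# Progress is logged to syslog via logger, tagged "checkFprobe".
# Exits 0 when nothing needed doing or the restart was issued, 1 when the init
# script is missing or the exporters would not terminate.
set -u

PROCESS2MONITOR=fprobe
INITSCRIPT=/etc/init.d/fprobeAdditional
STARTCOMMAND="$INITSCRIPT start"
# Give up after this many SIGTERM rounds so a stuck exporter cannot keep the
# watchdog looping forever (with cron stacking a fresh copy every 5 minutes).
MAXKILLATTEMPTS=5

if [ ! -r "$INITSCRIPT" ]; then
  logger -t checkFprobe "$INITSCRIPT not readable; cannot determine expected fprobe count"
  exit 1
fi

# Expected count: every line whose first word is the fprobe binary, wherever it
# sits in the init script. The former "sed -n '/start)/,/;;/p' | grep fprobe"
# depended on the layout of the start arm and counted any non-# line that
# merely mentioned fprobe.
NUMBEROFPROCESSES=$(grep -c '^[[:space:]]*/usr/sbin/fprobe[[:space:]]' "$INITSCRIPT")

# Sets currentNumProcesses to the number of processes named exactly fprobe.
getNumProcesses() {
  # pgrep -x matches the process name exactly, so a shell or editor whose command
  # line merely contains "fprobe" (e.g. "vi /etc/init.d/fprobeAdditional") is not
  # counted, unlike the former "ps axf | grep fprobe | grep -v grep" pipeline.
  currentNumProcesses=$(pgrep -x "$PROCESS2MONITOR" | wc -l)
}

# If the running count differs from the expected one, SIGTERM all exporters until
# none is left (bounded by MAXKILLATTEMPTS), then run the init script's start action.
# Returns 1 if the exporters did not terminate.
restartProcesses() {
  local attempts=0
  [ "$currentNumProcesses" -ne "$NUMBEROFPROCESSES" ] || return 0
  logger -t checkFprobe "Stopping fprobe processes ($currentNumProcesses running, $NUMBEROFPROCESSES expected)"
  while [ "$currentNumProcesses" -ne 0 ]; do
    if [ "$attempts" -ge "$MAXKILLATTEMPTS" ]; then
      logger -t checkFprobe "fprobe processes still running after $attempts SIGTERM attempts; giving up"
      return 1
    fi
    killall -15 "$PROCESS2MONITOR"
    sleep 5
    getNumProcesses
    sleep 1
    attempts=$((attempts + 1))
  done
  logger -t checkFprobe "Starting fprobe processes"
  # intentionally unquoted: splits into the init script path and its "start" argument
  $STARTCOMMAND
}

getNumProcesses
restartProcesses || exit 1
exit 0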
- Change the permissions to /usr/local/sbin/checkFprobe
# executable by root only; the cron entry below runs it as root
chmod 750 /usr/local/sbin/checkFprobe
- Create a cron entry to run /usr/local/sbin/checkFprobe:
av-appliance-sensor:~# cat /etc/cron.d/checkFprobe
# every 5 minutes, as root: restart the fprobe exporters if their count drifts
*/5 * * * * root /usr/local/sbin/checkFprobe
- Change the rc2 start script:
# Back up the rc2 start link and point it straight at the replacement script.
# NOTE(review): this link presumably resolved to /etc/init.d/fprobe, which the
# earlier ln -s already redirects to fprobeAdditional, so this step makes the
# chain explicit rather than changing what runs — verify with ls -l. Hand-edited
# rc?.d links can be rewritten when the fprobe package is upgraded; re-check then.
mv /etc/rc2.d/S20fprobe /root/bck/rc2.d.S20fprobe
ln -s /etc/init.d/fprobeAdditional /etc/rc2.d/S20fprobe
- Check that we haven't broken monit with our changes:
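# Validate monit's configuration first and restart it only when the check passes;
# the original restarted unconditionally, even after a failed syntax check.
monit -t && /etc/init.d/monit restart
# list the monit processes; unlike "ps axf | grep monit" pgrep does not list itself
pgrep -l monit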