How to see all traffic on all interfaces?
-
Hi, I want to copy all traffic on all interfaces to another one, and have snort listening. Basically I want to create a SPAN port for all interfaces and VLANs on the firewall, because I only want one instance of snort running. I do this on my switch with a SPAN port, I figure there must also be a way to do it in the firewall. I tried creating a bridge, with all the interfaces as members and one unused one as the SPAN port. I must not really understand what a bridge is, because I am only able to see broadcast traffic. Is there a way to see all the traffic?
-
a firewall is not a switch.
-
I don't really get it... I feel like there should be a way to do it. Otherwise I need to have like 3 or 4 instances of snort running. Also on other forums it's hinting at a way of being able to do it with a bridge, I just don't really understand how or what the purpose of a bridge is.
-
I don't really get it... I feel like there should be a way to do it.
I just don't really understand how or what the purpose of a bridge is.
Yes it is possible.
Think of your standard desktop switch as a bridge. A MAC bridge. You're trying to build a type of managed switch by using pfsense as the OS.
-
Can you elaborate a little bit? You're not being very clear. I just want to know, in a setup with multiple VLANs, WANs, and multiple physical NICs, is there a way to have only one instance of snort running?
-
No.
-
Can you elaborate a little bit? You're not being very clear. I just want to know, in a setup with multiple VLANs, WANs, and multiple physical NICs, is there a way to have only one instance of snort running?
Run snort on each parent interface; it picks up all the VLAN traffic.
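As an added illustration of the last reply (this is example code, not from the thread or from pfSense/snort): frames captured on a parent interface still carry their 802.1Q tag, so one capture covers every VLAN and can be split per VLAN ID afterwards. The sample frames below are constructed inline; the MAC addresses are made up.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame as seen on a parent (trunk) interface.

    Returns dst/src MAC, the VLAN ID if the frame is 802.1Q tagged
    (None if untagged), the inner ethertype and the remaining payload.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def count_by_vlan(frames) -> dict:
    """Count frames per VLAN ID; untagged frames are keyed under None."""
    counts = {}
    for f in frames:
        vid = parse_frame(f)["vlan"]
        counts[vid] = counts.get(vid, 0) + 1
    return counts


def build_frame(dst: str, src: str, payload: bytes, vlan_id=None,
                ethertype=ETHERTYPE_IPV4) -> bytes:
    """Construct a test frame, optionally with an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture: one untagged frame, one on VLAN 10, two on VLAN 20.
SAMPLE_FRAMES = [
    build_frame("ffffffffffff", "020000000001", b"\x00" * 20),
    build_frame("020000000002", "020000000001", b"\x00" * 20, vlan_id=10),
    build_frame("020000000003", "020000000001", b"\x00" * 20, vlan_id=20),
    build_frame("020000000001", "020000000003", b"\x00" * 20, vlan_id=20),
]

if __name__ == "__main__":
    print(count_by_vlan(SAMPLE_FRAMES))
```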