Daemonlogger - copy traffic



  • Hi,
    I am trying to find a way to span data from the OpenVPN side (tun mode) to another interface.
    I tried a lot of ways, but nothing is working for me.
    So, I tried to use daemonlogger.
    Daemonlogger itself was installed easily.
    Nevertheless, traffic is not transmitted correctly from one interface to the other... Please have a look at the screenshots below.

    [Screenshots attached: Capture du 2020-01-11 15-12-19.png, Capture du 2020-01-11 15-10-59.png, Capture du 2020-01-11 15-11-55.png]
    As a summary:

    • with tcpdump listening on ovpns1, which is where the initial traffic comes from, the logs are readable
    • when tcpdump is listening on em5, which is the interface where daemonlogger sends a copy of the traffic, the logs are strange and indicate "Ethertype Unknown"...

    I understand daemonlogger is not pfSense software, but the issue is specific to pfSense...
    Daemonlogger normally works fine on classical FreeBSD...

    Maybe somebody has an idea? Thanks.



  • Maybe part of the answer is here:

    https://success.alienvault.com/s/article/Why-does-a-TCPdump-of-my-monitor-interface-return-ethertype-Unknown

    In some environments, a physical or virtual switch can be configured to use VLANs on the SPAN ports the USM is connecting to. When using this configuration, the appliance will discard this traffic as it is unable to parse VLAN Trunking or other Bridge Protocol encapsulated traffic.

    This message indicates that the network stack is not capable of reading or interpreting the traffic showing this message. As this traffic cannot be read, it will be discarded. This issue can be resolved by configuring your physical or virtual switch to pass the mirrored traffic to the monitor port as IP traffic (ethertype 0x0800).

    In this context, does somebody know how to configure pfSense to pass the mirrored traffic to the monitor port as IP traffic (ethertype 0x0800)?

    Are there any security risks in doing that?

    Thanks
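The "Ethertype Unknown" symptom from the first post and the "IP traffic (ethertype 0x0800)" explanation quoted in the second can be reproduced offline. The script below is an added example, not code from either post or from daemonlogger; it assumes (as a hypothesis the thread does not confirm) that a tun interface such as ovpns1 delivers bare IP packets with no Ethernet header, so when such a packet is copied unchanged onto an Ethernet interface like em5, tcpdump reads the IP header's bytes 12-13 (the first two octets of the source address) as the ethertype. The IP packet, MAC addresses and IP addresses are constructed sample values.

```python
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def build_ipv4_packet(src, dst, payload=b""):
    """Constructed IPv4 packet with no link-layer header, as a tun interface hands it up."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),  # version/IHL, TOS, total length
        0x1234, 0x4000,              # identification, flags/fragment offset (DF)
        64, 17, 0,                   # TTL, protocol (UDP), checksum (left zero: sample only)
        src_b, dst_b,
    )
    return header + payload


def parse_as_ethernet(frame):
    """What a capture on an Ethernet link (em5) does: dst MAC, src MAC, then a 2-byte ethertype."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": ethertype,
        "name": ETHERTYPE_NAMES.get(ethertype, "Unknown"),
    }


def parse_as_raw_ip(packet):
    """What a capture on a layer-3 link (ovpns1) does: the first nibble is the IP version."""
    version = packet[0] >> 4
    return {4: "IPv4", 6: "IPv6"}.get(version, "Unknown")


def wrap_in_ethernet(packet, dst_mac, src_mac):
    """Prepend the Ethernet header a mirror onto em5 would need for tcpdump to decode the copy."""
    ethertype = 0x0800 if packet[0] >> 4 == 4 else 0x86DD
    return dst_mac + src_mac + struct.pack("!H", ethertype) + packet


if __name__ == "__main__":
    pkt = build_ipv4_packet("10.8.0.2", "192.168.1.10", b"hello")
    print("on ovpns1 :", parse_as_raw_ip(pkt))
    print("on em5    :", parse_as_ethernet(pkt))  # ethertype 0x0a08 -> "Unknown"
    framed = wrap_in_ethernet(pkt, bytes(6), bytes.fromhex("020000000001"))
    print("framed    :", parse_as_ethernet(framed))
```

The mis-parse shows the source address 10.8.x.x turning into ethertype 0x0a08, which matches the tcpdump output described in the first post; a mirror that re-frames the copy, as the quoted article advises, decodes as IPv4.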

