Netgate Discussion Forum

    Daemonlogger - copy traffic

    • M
      MH5Dx
      last edited by MH5Dx

      Hi,
      I am trying to find a way to span data from the OpenVPN side (tun mode) to another interface.
      I have tried a lot of ways, but nothing works for me.
      So, I tried to use daemonlogger.
      Daemonlogger itself was installed easily.
      Nevertheless, traffic is not being transmitted correctly from one interface to another... Please have a look at the screenshots below.

      Capture du 2020-01-11 15-12-19.png

      Capture du 2020-01-11 15-10-59.png

      Capture du 2020-01-11 15-11-55.png
      As a summary:

      • with tcpdump listening on ovpns1, which is where the initial traffic comes from, logs are readable
      • with tcpdump listening on em5, which is the interface where daemonlogger sends a copy of the traffic, logs are strange and indicate "Ethertype Unknown"...

      I understand daemonlogger is not pfSense software, but the issue is specific to pfSense...
      Daemonlogger normally works fine on classic FreeBSD...

      Maybe somebody has an idea? Thanks.

      • M
        MH5Dx
        last edited by

        Maybe a part of answer here:

        https://success.alienvault.com/s/article/Why-does-a-TCPdump-of-my-monitor-interface-return-ethertype-Unknown

        In some environments, a physical or virtual switch can be configured to use VLANs on the SPAN ports the USM is connecting to. When using this configuration, the appliance will discard this traffic as it is unable to parse VLAN Trunking or other Bridge Protocol encapsulated traffic.

        This message indicates that the network stack is not capable of reading or interpreting the traffic showing this message. As this traffic cannot be read, it will be discarded. This issue can be resolved by configuring your physical or virtual switch to pass the mirrored traffic to the monitor port as IP traffic (ethertype 0x0800).

        In this context, does somebody know how to configure pfSense to pass the mirrored traffic to the monitor port as IP traffic (ethertype 0x0800)?

        Are there any security risks in doing that?

        Thanks

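An added example, not part of the original posts and not code from daemonlogger or pfSense: a small Python check for what the quoted article describes, reading the ethertype of a frame seen on a monitor port and unwrapping VLAN tags to reach 0x0800. The third case, a raw IPv4 packet with no Ethernet header (which is what a layer-3 tun device carries), is an assumption about one possible cause that the thread does not confirm; all function names and sample bytes are constructed here.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers


def looks_like_raw_ipv4(data: bytes) -> bool:
    """True if data starts with a plausible IPv4 header rather than an Ethernet header."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return False
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return ihl >= 20 and ihl <= total_len <= len(data)


def classify_frame(data: bytes) -> dict:
    """Report how a monitor port would read the bytes it received."""
    if len(data) < 14:
        return {"verdict": "too short for Ethernet", "vlans": []}
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", data[offset:offset + 2])[0]
    # Unwrap stacked VLAN tags: each is TPID (2 bytes) followed by TCI (2 bytes).
    while ethertype in VLAN_TPIDS and len(data) >= offset + 6:
        tci = struct.unpack("!H", data[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", data[offset:offset + 2])[0]
    if ethertype in ETHERTYPES:
        verdict = ETHERTYPES[ethertype] + (" inside VLAN tag" if vlans else "")
    elif looks_like_raw_ipv4(data):
        # Bytes 12-13 are really part of the IP source address, not an ethertype.
        verdict = "raw IPv4 packet without Ethernet header"
    else:
        verdict = "unknown ethertype"
    return {"verdict": verdict, "ethertype": ethertype, "vlans": vlans}


# Constructed samples (not captured traffic): one 28-byte IPv4/UDP packet, framed three ways.
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                 bytes([10, 8, 0, 2]), bytes([10, 8, 0, 1])) + bytes(8)
MACS = bytes.fromhex("020000000001020000000002")  # destination + source MAC
PLAIN = MACS + b"\x08\x00" + IP
TAGGED = MACS + b"\x81\x00" + struct.pack("!H", 100) + b"\x08\x00" + IP
RAW = IP  # what arrives if the copy carries no layer-2 header

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("tagged", TAGGED), ("raw", RAW)):
        print(name, classify_frame(frame))
```

In the raw case the value read at the ethertype offset is simply the first two bytes of the source IP address, which is why a capture tool would report an unknown ethertype.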
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.