List:       bro
Subject:    Re: [Bro] Network tap issues
From:       Scott Sakai <ssakai () sdsc ! edu>
Date:       2017-06-21 19:20:12
Message-ID: 3e7d52aa-ac6b-1cac-bf29-dd8484897fc5 () sdsc ! edu

Hi Mark,

As others have mentioned, the connection from the output of your tap to the
capture nic needs some attention.  Unlike a switch port, both sides of the
duplex output port are outputs (light comes out).  If you plug this into a
nic with a duplex fiber, you'll blast light into the internet <-> switch
link, which is definitely not going to do you any favors.

You'll have to split the capture side of the fiber pair, and plug the
single fiber into the RX port on the.  For now, leave the other end
dangling until you decide how to aggregate the two; this is just for testing.

A reminder to never look into the end of a fiber, or into a port, even if
you think it's off or shut down.  You can do some permanent damage to your
retinas, especially with LR optics, which use an invisible laser.  Been
there, done that, still got the scarring.  These days, I use the camera on
my cell phone, which has no direct optical path to the screen, plus it
picks up near infra-red wavelengths, used in LR optics.  Not that I suggest
using this technique; the proper tool for light-path diagnostics is a light
meter.

With that in mind, do the optics in the capture nic match the optics in the
switch behind the tap?  In most cases, an SR optic won't respond to LR
light and vice-versa.  The link led will come on if the interface is up
(ifconfig up) and the RX side receives properly-coded light of sufficient
brightness.  Thus, assuming the interface is up and the light-path is
otherwise good, you might have a mismatch, or a bad optic in the capture nic.

Good luck!

On 06/21/2017 07:07 AM, Daniel Manzo wrote:
> Thanks for the response! Unfortunately, we have tried that, but still no
> luck. I'm not sure what else could be wrong.
>
> *From:*Mark Buchanan [mailto:mabuchan@gmail.com]
> *Sent:* Wednesday, June 21, 2017 9:46 AM
> *To:* Daniel Manzo
> *Subject:* Re: [Bro] Network tap issues
>
> Flip both TX and RX around.   The tap is in "backwards" meaning the light
> is not flowing the right direction to hit the optical splitter and get to
> your sensor.  It is acting more as a "combiner", which could be bad if
> someone pushes light from your tap to the circuit.
>
> --
> Mark Buchanan
>
> On Jun 21, 2017, at 07:20, Daniel Manzo <daniel.manzo@bayer.com
> <mailto:daniel.manzo@bayer.com>> wrote:
>
>     Hi all,
>
>     I have Bro 2.5 configured on a RHEL 7.3 server and have a network tap
>     question, which I know isn't totally Bro related, but I figured the Bro
>     community would be able to advise. The tap I have is a passive fiber
>     tap (OM3/4, 850mm, 50/50) enabled for up to 10Gb throughput. The
>     connection in port A is coming from Level 3 internet and the connection
>     in port B is going to a network switch. The monitor port is connected
>     to my Bro server. The problem is that I am seeing no traffic at all
>     coming from the monitor, and the light on the server NIC doesn't even
>     light up. However, I am still able to access the internet from my
>     server, despite receiving no traffic from the monitor. Basically the
>     connection from A to B works, but the monitor is not mirroring traffic.
>     We have tested the tap before in other areas of our network, and it was
>     working, so I'm not sure why it is not working in this location. Any
>     and all help is appreciated!
>
>     Thank you,
>
>     Dan Manzo
>
>     _______________________________________________
>     Bro mailing list
>     bro@bro-ids.org <mailto:bro@bro-ids.org>
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai@sdsc.edu
+1-858-822-0851