Simon Kammerer
2014-05-21 12:30:40 UTC
Hi list!
I'm seeing dup-to duplicating some packets twice while trying to
duplicate all wireless traffic on a bridged access point.
My setup:
mainboard with two onboard NICs (re0, re1) plus PCI wireless adapter (ral0)
re0 and ral0 are bridged:
cat /etc/hostname.re0
up
cat /etc/hostname.ral0
mediaopt hostap
chan 8
nwid dup
wpaprotos wpa2
wpakey sercretkey
up
cat /etc/hostname.bridge0
add re0
add ral0
up
Packets will be duplicated to re1, so I had to give re1 an ip address
cat /etc/hostname.re1
inet 10.1.1.1 255.255.255.0
and because I want dup-to to use 10.1.1.2 as a destination that does not
exist (re1 is connected to a good old hub, so more than one analysing
host can see the traffic), a static arp entry is used:
arp -s 10.1.1.2 00:90:27:bb:cc:dd permanent
cat /etc/pf.conf
wlan_if = "ral0"
dup_if = "re1"
dup_adr = "10.1.1.2"
ext_if = "re0"
block
pass in on $wlan_if dup-to ($dup_if $dup_adr)
pass out on $ext_if
Now, when I connect to the wireless network (hostap on ral0) and then
ping a host in the bridged network, I will see one icmp request and one
icmp reply on ral0 (tcpdump -i ral0) as expected, but on re1 (=the
dup-to destination interface) I will see one icmp request but two icmp
replies!
The tcpdump timestamp for the second duplicated reply packet is just one
microsecond later than that of the first duplicated reply packet
(00:00:00.000000 vs 00:00:00.000001).
when I change pf.conf to
[...]
pass in on $wlan_if
pass out on $ext_if dup-to ($dup_if $dup_adr)
-> now duplicating all packets that leave $ext_if instead of duplicating
all packets that enter $wlan_if, the icmp request gets duplicated twice
instead of the reply!
Same thing with dns lookups.
Any ideas if I'm completely misunderstanding the concept of dup-to, or
what's going wrong, or how to provide more information?
Regards
Simon
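To quantify the effect described in the post before reporting it, it helps to count how often the same packet shows up on the dup-to interface within a tiny time window. The following script is an added example, not code from the original post or from OpenBSD; it parses the output format of `tcpdump -tt -n` (epoch timestamp followed by the packet summary) and groups identical summaries that arrive within a configurable window. The capture lines embedded in it are constructed to mirror the symptom (one request, the reply seen twice, 1 µs apart) and are not a real trace; the addresses and ICMP ids are made up.

```python
import re
import sys

# Constructed sample resembling `tcpdump -tt -n -i re1` on the dup-to
# interface for two pings: each request once, each reply twice, 1 us apart.
# These lines are invented for the example, not a real capture.
SAMPLE_CAPTURE = """\
1400675440.000100 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4711, seq 1, length 64
1400675440.000350 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4711, seq 1, length 64
1400675440.000351 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4711, seq 1, length 64
1400675441.000100 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4711, seq 2, length 64
1400675441.000360 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4711, seq 2, length 64
1400675441.000361 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4711, seq 2, length 64
"""

# `tcpdump -tt` prints seconds.fraction since the epoch, then the summary.
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(.*\S)\s*$")


def to_micros(ts):
    """Convert a 'seconds.fraction' timestamp string to integer microseconds.

    Integers avoid float rounding when comparing timestamps 1 us apart.
    """
    sec, _, frac = ts.partition(".")
    return int(sec) * 1_000_000 + int((frac + "000000")[:6])


def parse_capture(text):
    """Yield (timestamp_us, summary) for every parsable tcpdump -tt line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield to_micros(m.group(1)), m.group(2)


def find_duplicates(text, window_us=1000):
    """Group repeated packet summaries that arrive within window_us of each other.

    Returns a list of (summary, copies, largest_gap_us) for every group with
    more than one copy. A repeat that falls outside the window starts a new
    group, so a legitimately retransmitted packet seconds later is not
    mistaken for a dup-to copy.
    """
    groups = []   # each entry: [summary, [timestamps in us]]
    last = {}     # summary -> index of its most recent group
    for ts, summary in parse_capture(text):
        idx = last.get(summary)
        if idx is not None and ts - groups[idx][1][-1] <= window_us:
            groups[idx][1].append(ts)
        else:
            groups.append([summary, [ts]])
            last[summary] = len(groups) - 1
    return [
        (summary, len(times), max(b - a for a, b in zip(times, times[1:])))
        for summary, times in groups
        if len(times) > 1
    ]


def report(text, window_us=1000):
    """Return a human-readable summary of the duplicate groups found."""
    lines = []
    for summary, copies, gap in find_duplicates(text, window_us):
        lines.append(f"{copies} copies (max gap {gap} us): {summary}")
    return "\n".join(lines) if lines else "no duplicates within window"


if __name__ == "__main__":
    # Pipe a real capture in (tcpdump -tt -n -i re1 > cap.txt; python3 dupcheck.py < cap.txt)
    # or run without input to analyse the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print(report(data))
```

Run it against a capture taken on the dup-to interface and, for comparison, one taken on the bridge members; a reply that appears exactly twice with a microsecond gap on re1 but once on ral0 is the pattern the post describes, and the per-group counts give a precise figure to include in a bug report.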