Aggregating NICs for receive only connections on Linux

networking linux network-monitoring

Solution 1:

Caveat: I've never configured such a beast in practice.

What you're proposing should be fine -- as long as the bonded interface is receive only any bonding mode that allows you to receive on both interfaces will do what you want.
I would suggest balance-xor or balance-rr simply because you don't need to assign an IP (you'll be listening in promiscuous mode to every packet) and you won't be transmitting so the potential downsides of Round-Robin or XOR balancing won't affect you, and the benefits of any other method are meaningless.

There are a few bonding modes I'd avoid for this implementation:

  • Mode 1 (active-backup)
    This mode places one NIC in a "standby" mode. You need to use a bonding mode where both NICs are "active" (or at least receiving packets) for what you're trying to do.

  • Mode 3 (broadcast -- Everything transmitted goes out every interface)
    Even though a proper tap won't let you put data onto the network you're monitoring it's better to be safe than sorry. This mode can really mess with your day if one of the interfaces gets connected to something that will accept packets.

  • Mode 4 (802.3ad Link Aggregation)
    Since this requires a switch that understands 802.3ad link aggregation, and you're plugging in to a tap, this probably won't work properly.

An alternate option would be to use something like the Netgraph system (the one2many module is the best candidate) to construct a virtual interface that reassembles the traffic (and ultimately sends it out to a black hole, with your IDS listening in at the output end). This would be a more viable solution on the BSD family of operating systems, though there are Netgraph implementations available for Linux.

Solution 2:

You are correct that nearly any mode will do.

If you were not using a tap, then the important configuration would be in your network switch. You would have to pick a load balancing option that would split as evenly as possible the load between your 2 nics. Per packet round robin should result in the best split but most switches don't support that. Next best option would be IP if the hosts your are monitoring are mostly on a different subnet, or mac address if they are mostly on the same subnet.

Since you are using a tap, no additional configuration should be needed other than bonding the nics.

Related

Is it possible to get the matched regex from within the apache LocationMatch directive?
Getting network interface device name in powershell
IIS 7 desktop icon cannot be renamed to “IIS Manager”
Is it reasonable to put all printers to another subnet?
0x19 KDC_ERR_PREAUTH_REQUIRED in my event log
Users are getting a temporary profile
Empty AAAA DNS Record with long TTL?
<VirtualHost fqdn.mydomain.com:80> not recommended?
PHP-FPM signals for pool error_log rotation
SSH multi-hop connections with netcat mode proxy
"Shutdown" in a show running configuration
How to log what an FTP user does with Pure-FTPD and Apache?