Listen Multiple Interfaces

[dtouzeau]

Hi !

We send mirrored traffic to several network interfaces, but it seems that ndpid can only listen to one interface.
However, using tc or TEE in iptables does not transmit packets that have already been duplicated.
The simplest solution is for ndpid to be able to listen to several interfaces at the same time, like suricata.
Is it possible to consider

netif = eth0,eth1,eth2 ?

This would avoid the need to run several daemons per interface, thus increasing the internal efficiency of the process.

[utoni]

That should be possible. But there are some obstacles within nDPId. The initial design was not meant to have multiple interfaces listening at the same time. I need to investigate if that is possible with libpcap and PF_RING.

[dtouzeau]

We using pf-ring with suricata, that should be great!

[ummeegge]

Hello, this might be indeed a pretty interesting enhancement. I use nDPId currently on a IPFire firewall platform and there are at least four different interfaces, three local and one WAN interface. The whole traffic can be grabbed via the WAN (or red0) interface whereby the src or dst is always the red0 interface but the local IPs are hidden so it would be better to collect the local interfaces.

By the way thanks for your work on this awesome piece of software :-) .

Best,

Erik

[utoni]

Supporting capture on multiple network interfaces per nDPId instance will take some time, as the core needs some changes to make this work. But all I can say, it's possible to do.

[ummeegge]

Great news, thank you for looking into this.

Best,

Erik