2.13. Setup packet captures for Trisul

This section explains the various methods of acquiring raw network packets from your infrastructure and feeding them into a Trisul Probe.

Sections in this document

  • Port Mirror – recommended for most enterprises < 500 Mbps
  • Network Taps – recommended for links > 500 Mbps
  • Bridges – for small offices and appliances only

Virtual Machine configuration

If you are installing Trisul on a Virtual Machine, you may need to put the Virtual Switch in promiscuous mode so that the VM can capture the traffic arriving on the physical SPAN port. See VMware's documentation for instructions.

2.13.1 Configuring port mirror / SPAN Port

The following diagram shows how you can configure a SPAN port and feed packets into Trisul. See your switch vendor's documentation on configuring a port SPAN session. [ Cisco SPAN documentation ]

2.13.2 Using Network Taps

SPAN ports quickly become unwieldy as network speeds increase. Network taps are available as copper and optical modules and are the preferred choice for high speed networks.

2.13.3 Using Trisul as a bridge

For small office networks you can even use two ports of the box running Trisul and create a bridge. This places Trisul as an inline device.

Bridging Ethernet Connections

A bridge allows you to connect two or more network segments together, allowing devices to join the network when it is not possible to connect them directly to a router or switch.

How to bridge

On Debian / Ubuntu

Install the bridge-utils package.

sudo apt-get install bridge-utils

Automatically create the bridge at start-up. Sample /etc/network/interfaces file:

# eth0 - first bridge port; no address of its own
auto eth0
iface eth0 inet manual
up ifconfig eth0 up
# eth1 - second bridge port; no address of its own
auto eth1
iface eth1 inet manual
up ifconfig eth1 up
# bridge br0 - the only interface that carries an IP address
auto br0
iface br0 inet static
address 192.168.2.79
gateway 192.168.2.1
netmask 255.255.255.0
bridge_ports eth0 eth1

Restart networking:

sudo /etc/init.d/networking restart

On RHEL / CentOS

Install the bridge-utils package.

yum install bridge-utils

To create a network bridge, create a file in the /etc/sysconfig/network-scripts/ directory called ifcfg-br0. Sample /etc/sysconfig/network-scripts/ifcfg-br0:

DEVICE=br0
TYPE=Bridge
IPADDR=192.168.2.78
GATEWAY=192.168.2.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
DELAY=0

To complete the bridge another interface is created, or an existing interface is modified, and pointed to the bridge interface. Sample /etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
TYPE=Ethernet
# placeholder - use the real MAC of eth0 (ip link show eth0);
# the interface is ignored at start-up if HWADDR does not match
HWADDR=AA:BB:CC:DD:EE:FF
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=br0

Sample /etc/sysconfig/network-scripts/ifcfg-eth1:

DEVICE=eth1
TYPE=Ethernet
# placeholder - use the real MAC of eth1 (ip link show eth1)
HWADDR=AA:BB:CC:DD:EE:00
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=br0

Restart networking:

/etc/init.d/network restart
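Once networking has been restarted, the bridge should be verified from the kernel's point of view before trusting the probe: the bridge device must exist, both capture ports must be enslaved to it, and each port must be up and in promiscuous mode, otherwise Trisul only sees frames addressed to the box's own MAC. The following POSIX sh check is an added example, not part of the Trisul documentation; the SYSROOT parameter is an assumption made so the function can be pointed at a copy of /sys/class/net, and on a live host it is simply /sys/class/net.

```shell
#!/bin/sh
# Added example (not Trisul's own tooling): confirm the inline bridge is
# wired the way the interfaces / ifcfg files above intend, using sysfs.

# bridge_ok SYSROOT BRIDGE PORT...   -> exit 0 only if every check passes
#   SYSROOT is the directory that holds one entry per interface,
#   i.e. /sys/class/net on a real host (assumed parameter, for testability).
bridge_ok() {
    root=$1; br=$2; shift 2
    rc=0
    # 1. the bridge device exists and the kernel treats it as a bridge
    if [ ! -d "$root/$br/bridge" ]; then
        echo "FAIL: $br is not a bridge device"
        return 1
    fi
    for port in "$@"; do
        # 2. each capture port is enslaved to the bridge (brif/<port> entry)
        if [ ! -e "$root/$br/brif/$port" ]; then
            echo "FAIL: $port is not a member of $br"
            rc=1
            continue
        fi
        # 3. the port is up (IFF_UP = 0x1) and promiscuous (IFF_PROMISC = 0x100);
        #    the kernel sets promisc on bridge ports, so a clear bit means the
        #    port is not really forwarding into the bridge
        flags=$(cat "$root/$port/flags" 2>/dev/null || echo 0)
        if [ $(( $flags & 1 )) -eq 0 ]; then
            echo "FAIL: $port is administratively down"
            rc=1
        fi
        if [ $(( $flags & 256 )) -eq 0 ]; then
            echo "FAIL: $port is not in promiscuous mode"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $br forwards between: $*"
    return "$rc"
}

# On a live host (bridge and port names from the configuration above):
#   bridge_ok /sys/class/net br0 eth0 eth1
```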