Network Tap Splitter

[craigsmooth]

We are looking to use a Gigamon G-Tap AS-F. It copies the send and receive traffic to separate ports and does not aggregate. Does security onion support this? Are there any special configurations within Oracle Linux that need to be made? Thank you.

[TotieBash]

You just need to configure an additional monitor-interface (ex. "sudo so-monitor-add eth2").

[craigsmooth]

I guess my question is: "Is it possible to have the rx traffic and tx traffic for a monitored port to come through two different interfaces / sfp / transceivers)? I don't know how to make oracle linux see that the interface is up when I am only receiving one side of the traffic. I can't get a link light on the interface. Thanks for any guidance

[TotieBash]

The answer is still "so-monitor-add".

You will take both "Montitor/Tool" A and B interfaces coming from Gigamon and connect it to Security Onion. If both interfaces are new and has not been added to SO then you issue the command against both interfaces. Assuming interface names are eth1 and eth2:

sudo so-monitor-add eth1
sudo so-monitor-add eth2

You can add multiple monitor/sniffer interface to SO and so-monitor-add will take the interface and add it to "bond0" which aggregates the interfaces. You can check bond0 interfaces details with "nmcli device status" or with semi-gui "nmtui".
https://docs.securityonion.net/en/2.4/so-monitor-add.html#so-monitor-add

[craigsmooth]

Thanks. So, I did add eno7 and eno8 at install time as monitor interfaces so they are part of the bond interface. However, I get no link light and it shows those interfaces as down. I can only guess it is because I am only using the rx side of the transceiver on both interfaces. Both of those monitor/tool interfaces in your diagram above are tx only. So, security onion sees those interfaces as down. I would expect if I did a tcpdump on eno7 or eno8 I shoud see one half of the traffic but I see nothing. So, I guess I'm just not sure how to monitor those two interfaces if linux sees them as being down. Thanks for any help!

[TotieBash]

I see. No link light on both eno7 and eno8. I have a feeling that the sfp/sfp+ module you use on Gigamon is not compatible with the sfp/sfp+ module that is connected to SecurityOnion. Here are the things to look:

1. Is the network being tap 10gig using SFP+? Try using 10gig DAC cables. Or try using 10gig Copper SFP+
2. What NIC card is on SO? Make sure you are not using SFP+ on a 1GIG NIC card..

Bottom line, it is a layer 1 problem. I think you have mismatch or incompatible SFP/SFP+ modules. The easy test is if you have DAC cables, it is 100% both ends of the cable matches...

[craigsmooth]

Thanks, so would you expect to see a link light using only one strand of fiber (tx) tap to (rx) security onion?
TAP:
MON-A Security Onion
[]tx-----------------rx[]
[]______ EMPTY_____[]

MON-B
[]tx-----------------rx[]
[]______ EMPTY_____[]

[TotieBash]

Yes. you should get a link light..

Your above drawing is spot on, that is exactly how it works in regards to GIGAMON monitor interfaces A&B are TX only and the other cable is not being used. The TX is where the fiber light is sourced but I obviously don't use your eyes to verify this...

minute 3:20-4:20 explains how it is only using one strand of the fiber pair and how you should separate the LC fiber cable pair on a passive network taps. But yours is is an active network tap so you don't need to do any separating of any fiber pair.
https://www.youtube.com/watch?v=_TNPbvSIYm4

This explains how you cable it. This one uses a network packet broker which is represented by the bottom-black-switch. But think of that as the SO. Again this is using passive network tap but similar concept apply. Notice how it takes up two ports on SO and only one strand of the fiber is required to be cabled in.
https://www.youtube.com/watch?v=CS51WrqfmWw

Bottom line, whether you are using passive or active network tap it should get a link light. Especially your Gigamon active network tap, the fact that there is led activity light on your "Monitor Tool" interfaces should be the dead giveaway.

[craigsmooth]

I am still pulling my hair out over this. I have 4 new supported SFPs from Gigamon. 2 installed in the monitor ports of the tap and 2 installed in the sensor. I am unable to get a link on my monitor ports and my bond0 interface also shows as down. Any other guidance on how to use two ports from a non-aggregating tap so that Oracle Linux sees the interfaces as up in receive only mode?