
Listen Multiple Interfaces

Open dtouzeau opened this issue 11 months ago • 5 comments

Hi !

We send mirrored traffic to several network interfaces, but it seems that ndpid can only listen to one interface. However, using tc or TEE in iptables does not transmit packets that have already been duplicated. The simplest solution is for ndpid to be able to listen to several interfaces at the same time, like suricata. Is it possible to consider

netif = eth0,eth1,eth2 ?

This would avoid the need to run several daemons per interface, thus increasing the internal efficiency of the process.

dtouzeau avatar Jan 23 '25 14:01 dtouzeau

That should be possible. But there are some obstacles within nDPId. The initial design was not meant to have multiple interfaces listening at the same time. I need to investigate if that is possible with libpcap and PF_RING.

utoni avatar Jan 24 '25 08:01 utoni

We are using pf-ring with suricata, that should be great!

dtouzeau avatar Jan 25 '25 08:01 dtouzeau

Hello, this might indeed be a pretty interesting enhancement. I currently use nDPId on an IPFire firewall platform and there are at least four different interfaces, three local and one WAN interface. The whole traffic can be grabbed via the WAN (or red0) interface, whereby the src or dst is always the red0 interface but the local IPs are hidden, so it would be better to collect the local interfaces.

By the way thanks for your work on this awesome piece of software :-) .

Best,

Erik

ummeegge avatar Jan 31 '25 14:01 ummeegge

Supporting capture on multiple network interfaces per nDPId instance will take some time, as the core needs some changes to make this work. But all I can say is that it's possible to do.

utoni avatar Feb 01 '25 10:02 utoni

Great news, thank you for looking into this.

Best,

Erik

ummeegge avatar Feb 01 '25 11:02 ummeegge