[Bro] Network tap issues

Scott Sakai ssakai at sdsc.edu
Wed Jun 21 12:20:12 PDT 2017


Hi Mark,

As others have mentioned, the connection from the output of your tap to the
capture nic needs some attention.  Unlike a switch port, both sides of the
duplex output port are outputs (light comes out).  If you plug this into a
nic with a duplex fiber, you'll blast light into the internet <-> switch
link, which is definitely not going to do you any favors.

You'll have to split the capture side of the fiber pair, and plug the
single fiber into the RX port on the.  For now, leave the other end
dangling until you decide how to aggregate the two; this is just for testing.

A reminder to never look into the end of a fiber, or into a port, even if
you think it's off or shut down.  You can do some permanent damage to your
retinas, especially with LR optics, which use an invisible laser.  Been
there, done that, still got the scarring.  These days, I use the camera on
my cell phone, which has no direct optical path to the screen, plus it
picks up near infra-red wavelengths, used in LR optics.  Not that I suggest
using this technique; the proper tool for light-path diagnostics is a light
meter.

With that in mind, do the optics in the capture nic match the optics in the
switch behind the tap?  In most cases, an SR optic won't respond to LR
light and vice-versa.  The link LED will come on if the interface is up
(ifconfig up) and the RX side receives properly-coded light of sufficient
brightness.  Thus, assuming the interface is up and the light-path is
otherwise good, you might have a mismatch, or a bad optic in the capture nic.

Good luck!

On 06/21/2017 07:07 AM, Daniel Manzo wrote:
> Thanks for the response! Unfortunately, we have tried that, but still no
> luck. I’m not sure what else could be wrong.
> 
> *From:* Mark Buchanan [mailto:mabuchan at gmail.com]
> *Sent:* Wednesday, June 21, 2017 9:46 AM
> *To:* Daniel Manzo
> *Subject:* Re: [Bro] Network tap issues
> 
> Flip both TX and RX around.   The tap is in "backwards" meaning the light
> is not flowing the right direction to hit the optical splitter and get to
> your sensor.  It is acting more as a "combiner", which could be bad if
> someone pushes light from your tap to the circuit.
> 
> --
> 
> Mark Buchanan
> 
> 
> On Jun 21, 2017, at 07:20, Daniel Manzo <daniel.manzo at bayer.com
> <mailto:daniel.manzo at bayer.com>> wrote:
> 
>     Hi all,
> 
>      
> 
>     I have Bro 2.5 configured on a RHEL 7.3 server and have a network tap
>     question, which I know isn’t totally Bro related, but I figured the Bro
>     community would be able to advise. The tap I have is a passive fiber
>     tap (OM3/4, 850mm, 50/50) enabled for up to 10Gb throughput. The
>     connection in port A is coming from Level 3 internet and the connection
>     in port B is going to a network switch. The monitor port is connected
>     to my Bro server. The problem is that I am seeing no traffic at all
>     coming from the monitor, and the light on the server NIC doesn’t even
>     light up. However, I am still able to access the internet from my
>     server, despite receiving no traffic from the monitor. Basically the
>     connection from A to B works, but the monitor is not mirroring traffic.
>     We have tested the tap before in other areas of our network, and it was
>     working, so I’m not sure why it is not working in this location. Any
>     and all help is appreciated!
> 
>      
> 
>     Thank you,
> 
>     Dan Manzo
> 
>      
> 
>     _______________________________________________
>     Bro mailing list
>     bro at bro-ids.org <mailto:bro at bro-ids.org>
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


-- 
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

