Request to developers of if_bridge.ko - ETHER_BPF_MTAP vs BPF_MTAP
elof2 at sentor.se
Fri Feb 18 15:31:51 UTC 2011
Back in FreeBSD 6.3 and 6.4 there was a bpf-bug in if_bridge.c.
This bug was sometimes a nice feature though, since it "normalised" the
traffic sent to bpf, making it easier to sniff, analyse and debug the
mirrored traffic.
My request is for the possibility to have "packet normalisation" turned on
based on a sysctl flag.
Scenario:
I create a bridge0 interface using one or multiple parent NICs. Then I
sniff traffic on this cloned NIC (tcpdump -nli bridge0 port 80).
Benefit:
Multiple NICs are bonded together and can easily be sniffed on ONE
interface with ONE sniffer process.
Drawback:
The problem is that if the sniffer uses a bpf filter like "port 80", and
the mirrored traffic consists of a mix of untagged and vlan tagged
(802.1q) packets, only the untagged packets will match. To see if there
is any www-traffic in the mirrored vlans, one needs to change the filter
to "vlan and port 80", but then you lose the untagged lan. ...catch 22.
The bug (feature) in sys/net/if_bridge.c prior to revision 186365
(http://svn.freebsd.org/viewvc/base?view=revision&revision=186365) was
that if_bridge sent a copy of a packet to bpf using BPF_MTAP instead of
using ETHER_BPF_MTAP.
The result was that the sniffer got a copy of packets that had their vlan
header (tag) stripped off.
In the patched version, the full frame is mirrored to bpf. While this is
correct, I'd like the possibility to override and see stripped packets
instead.
Having a function that simply strips off any vlan tags from tagged packets
is wonderful when it comes to sniffing. Especially since switches from all
brands behave differently when it comes to SPAN and vlan tags (a SYN
could be mirrored untagged while the corresponding SYN+ACK is mirrored
with a vlan tag set). It is also quite common that net admins configure
uplink ports with multiple vlans AND an untagged lan. When you SPAN this
uplink you get both tagged and untagged traffic in a mix.
By normalising the mirrored traffic sent to bpf, a network technician can
more easily perform his network debugging. Also, there is less risk of
human mistakes due to the lack of insight that he needs to use the
'vlan' keyword in his tcpdump/tshark/ngrep/whatever to see the full scope
of the traffic. Also state-keeping tools like snort and argus benefit from
normalised traffic since they can't build a correct state table if the
SYN and SYN+ACK belong to two different vlans.
My request is that if a sysctl variable (like
net.link.bridge.bpf.strip_header) equals true, then if_bridge.ko will pass
stripped (BPF_MTAP) packets to bpf. By default it should naturally pass
the entire frame (ETHER_BPF_MTAP).
I know that passing stripped packets to bpf could be seen as ugly and
bad, but compared to some of the problems a mixed environment can cause, I
think that the possibility to manually override the default would be very
useful. (in fact I know it, since I relied on the bug during the FreeBSD
6.3-6.4 period)
There are only four places in if_bridge.c that need to be updated to
something like this:
    if (net.link.bridge.bpf.strip_header == 1)   /* sysctl-backed flag, default 0 */
            BPF_MTAP(bifp, m);          /* vlan tag left out of band: bpf sees a stripped frame */
    else
            ETHER_BPF_MTAP(bifp, m);    /* current behaviour: bpf sees the full tagged frame */
The question is if other people besides myself see the benefits?
Could we have this feature added to FreeBSD base?
What are your thoughts?
/Elof
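As an added illustration (not code from this post or from if_bridge.c), the following user-space C models the two behaviours the post contrasts: a frame handed to bpf with its 802.1Q header left out of band (what BPF_MTAP gave sniffers before r186365) versus the full frame (ETHER_BPF_MTAP), and shows why a plain "port 80" filter misses the tagged copy. The sample frame, the `strip_header` flag standing in for the proposed sysctl, and the simplified "port 80" matcher are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800
#define ETH_HDRLEN     14
/* Remove one 802.1Q header in place; returns the new length (unchanged if
 * untagged). Pre-r186365 the tag sat out of band in the mbuf, so BPF_MTAP
 * handed bpf bytes shaped like this function's output. */
size_t vlan_strip(uint8_t *frame, size_t len, uint16_t *vid_out)
{
    if (len < ETH_HDRLEN + 4) return len;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_VLAN) return len;
    if (vid_out) *vid_out = ((frame[14] << 8) | frame[15]) & 0x0fff;
    memmove(frame + 12, frame + 16, len - 16);   /* close the 4-byte gap */
    return len - 4;
}
/* Stand-in for the tcpdump filter "port 80" (IPv4, TCP or UDP, either port).
 * It reads the EtherType at offset 12, so a tagged frame (0x8100) never matches. */
int matches_port80(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDRLEN + 20) return 0;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IP) return 0;
    const uint8_t *ip = frame + ETH_HDRLEN;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDRLEN + ihl + 4) return 0;
    if (ip[9] != 6 && ip[9] != 17) return 0;     /* TCP or UDP only */
    const uint8_t *l4 = ip + ihl;
    return ((l4[0] << 8) | l4[1]) == 80 || ((l4[2] << 8) | l4[3]) == 80;
}
/* Constructed sample: TCP SYN to port 80 inside VLAN 100 (checksums zeroed). */
static const uint8_t tagged_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src */
    0x81,0x00, 0x00,0x64,                       /* 802.1Q tag, PCP 0, VID 100 */
    0x08,0x00,                                  /* IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2,                         /* 10.0.0.1 -> 10.0.0.2 */
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};
/* The proposed sysctl as a plain flag: 1 = BPF_MTAP-style stripped copy,
 * 0 = ETHER_BPF_MTAP full frame. Returns whether "port 80" sees the sample. */
int tap_and_filter(int strip_header, uint16_t *vid)
{
    uint8_t copy[sizeof tagged_syn];
    memcpy(copy, tagged_syn, sizeof copy);
    size_t len = strip_header ? vlan_strip(copy, sizeof copy, vid) : sizeof copy;
    return matches_port80(copy, len);
}
```

With `strip_header` at 0 the filter misses the SYN entirely; with it at 1 the same frame matches and the VID is still available out of band, which is the trade-off the post describes.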