HOWTO : Making an active network TAP with OpenBSD 4.4

EasyIDS or Snort requires a SPAN port or a network TAP to capture the traffic from the outside or inside world. A DIY network TAP only works for 10/100M traffic. If you are using a gigabit network, you are required to buy a commercial TAP. However, it is very hard to buy a network TAP in Hong Kong.

The good news is that OpenBSD solves your problem. You can make a gigabit network TAP very easily with OpenBSD and 3 network interfaces. I suggest buying 2 network cards with an identical chipset and one with a different chipset. For example, I bought 2 Planet Realtek network cards and one D-Link. The D-Link network card is for capturing the data flow.

Step 1 :
Install OpenBSD 4.4 (the current version at the time of this writing) as is. The instructions can be found on the official website. The Realtek cards show up with the names “re0” and “re1”, while the D-Link card is “sk0”. Give an IP to “re0” as and “re1” as , as well as “sk0” as . A time server is not required.

Step 2 :
Log in as root. Issue the following commands:
ifconfig bridge0 create
brconfig bridge0 add re0 add re1 up
brconfig bridge0 addspan sk0

Step 3 :
Connect the ZeroShell box and the ISP/ADSL line to the Planet cards of the OpenBSD box, and the EasyIDS network card that has no IP to the D-Link card.
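The commands in Step 2 are lost at reboot. As an added example (not from the original post), here is a small sh script that writes the same bridge setup to the file OpenBSD 4.4 reads at boot, /etc/bridgename.bridge0 (bridgename.if(5): one brconfig(8) argument group per line), and refuses a layout where the capture card is also a bridge member, since that would inject copies of the traffic back into the monitored link. The output directory argument is an assumption for dry runs; on the real box pass /etc.

```shell
#!/bin/sh
# Added example for the OpenBSD 4.4 TAP: persist "bridge re0+re1, span sk0".
# Interface names follow the post (re0, re1 inline; sk0 to the IDS).

# Emit the lines /etc/bridgename.bridge0 expects: both inline NICs as
# bridge members, the monitor NIC as a span port only, then bring it up.
tap_bridge_config() {
    inline_a=$1; inline_b=$2; span=$3
    printf 'add %s\nadd %s\naddspan %s\nup\n' "$inline_a" "$inline_b" "$span"
}

# Every role needs its own NIC: a span port that is also a member, or
# the same card named twice, turns the TAP into a loop instead of a copy.
tap_check_roles() {
    [ "$1" != "$2" ] && [ "$1" != "$3" ] && [ "$2" != "$3" ]
}

# Write the bridge file into $1 (use /etc on the TAP box). The per-NIC
# hostname.if files keep whatever addresses were chosen in Step 1.
tap_write_config() {
    dir=$1; a=$2; b=$3; span=$4
    tap_check_roles "$a" "$b" "$span" || { echo "role clash: $a $b $span" >&2; return 1; }
    tap_bridge_config "$a" "$b" "$span" > "$dir/bridgename.bridge0"
}

# Usage (dry run into a scratch directory; assumed names from the post):
#   tap_write_config /tmp/tapcfg re0 re1 sk0 && cat /tmp/tapcfg/bridgename.bridge0
```

After writing the file, `sh /etc/netstart bridge0` (or a reboot) applies it, which is equivalent to the three commands in Step 2.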

That’s all.