[Bro] Bro 2.1 support for sniffing on multiple interfaces faces

Doug Burks doug.burks at gmail.com
Tue Apr 29 04:16:40 PDT 2014

I think type=standalone only supports one interface.  Have you tried
replacing the standalone config with a clustered config?

On Tue, Apr 29, 2014 at 7:08 AM, Coen Bakkers <coen_bakkers at symantec.com> wrote:
> Hi Doug,
> I am not using PF_RING, for now we have
> [bro]
> type=standalone
> host=localhost
> interface=eth0
> interface=eth1
> interface=eth2
> interface=eth3
> interface=eth5
> interface=eth6
> Where I am noticing that when leaving all of these interfaces enabled it may or may not break its working for some reason. When I switched to a single interface it started working but the configuration one of the nodes with above settings seems to works though and I have no clue why.
> Regards,
> Coen
> -----Original Message-----
> From: Doug Burks [mailto:doug.burks at gmail.com]
> Sent: Dienstag, 29. April 2014 13:03
> To: Coen Bakkers
> Cc: bro at bro.org
> Subject: Re: [Bro] Bro 2.1 support for sniffing on multiple interfaces faces
> Hi Coen,
> Are you perhaps using PF_RING?
> https://bro-tracker.atlassian.net/browse/BIT-943
> The PF_RING multiple interface issue was resolved in Bro 2.2.
> On Tue, Apr 29, 2014 at 6:46 AM, Coen Bakkers <coen_bakkers at symantec.com> wrote:
>> Does Bro 2.1 support sniffing on several interfaces at the same time? I have tried this now on a dozen of nodes, and the behavior does not seem to be consistent.
>> Note that I am not trying to sniff an outbound and an inbound stream that are related, but I have a tap port on a separate network that I also interested in in covering.
>> Sometimes multiple interfaces in node.cfg will work, but sometimes it makes Bro just hang and not record any of the http, dns, ftp logs etc..
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> --
> Doug Burks

Doug Burks

More information about the Bro mailing list