[Bro] Monitoring of intra virtual machines network traffic on same physical host
asharma at lbl.gov
Mon Oct 19 10:43:11 PDT 2015
I think openswitch and port mirroring that Shane mentioned look like very promising options. Much better than clusterifying the virtual machines.
While I haven't run bro on VM systems, I would be very interested in the performance numbers; if any of you have those in the future, please do share.
On Mon, Oct 19, 2015 at 10:13:26PM +0530, Pradyumna Joshi wrote:
> Thanks Aashish for the quick response.
> Your response has provided one more option for me - to run workers on VM
> instances and run manager on Host.
> I was thinking of using multiple options and was not sure which one to go
> 1) Using Daemonlogger for capturing traffic from bridged interfaces and
> feeding this traffic to Bro.
> 2) Using OpenvSwitch to achieve bridge functionality and feed it to Bro.
> From the docs, it is seen that OVSDB supports full virtual switch
> management functionality.
> I wanted to know if anybody in Bro Community had implemented similar
> solutions and wanted to know their experiences/feedback.
> - Pradyumna Joshi
> On Mon, Oct 19, 2015 at 12:53 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> (Let me think some more on this)
> Meanwhile a quick solution is to run bro instances as worker nodes on each
> of the VMs and then run manager on the host OS.
> I don't anticipate that you'd have such high volumes that bro workers will
> demand more CPU than your applications on the VM.
> However, this is a quick and somewhat in optimal solution. Would
> certainly work but may be cheaper (in CPU) to do it a different way.
> Basically bro needs to see traffic to and from each of the interfaces in
> the VM.
> Let me see if you can tap out of bridged interfaces or if our network/tap
> experts have some other ideas or workaround for this.
> > On Oct 18, 2015, at 10:31 PM, Pradyumna Joshi
> <joshi.pradyumna at gmail.com> wrote:
> > Is it possible to monitor network traffic between different Virtual
> machines on the same physical machine using Bro?
> > Thanks.
> > Joshi Pradyumna
> > Computer Center,
> > Homi Bhabha National Institute,
> > Mumbai.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> Pradyumna Joshi