[Bro] Multi tap architecture

bro-ml at razaborg.fr bro-ml at razaborg.fr
Sun Nov 12 05:05:19 PST 2017

Hi everyone,

I'm looking to build a Bro architecture with several Tap components (I
mean the tcpdump stuff), all separated from the core.
I've seen the "cluster" architecture
(https://www.bro.org/sphinx/cluster/index.html), but as I said I want to
split out the capture work, not the protocol analysis stuff.

My situation is the following: I have several "boxes" (with not enough
power to do the protocol analysis work, that's the point) in different
networks, all connected to one single "core" component. I would like to
deploy network capture (Tap) instances on all those boxes, and let the
core component do all the hard stuff (I can potentially install a
front-end on this core component to set up many "workers" behind it).

Is there any way to do this? Any documentation? Does anyone have any
clue about how to set it up that way?

Thanks a lot,
