[Bro] Multiple Capture Interfaces

Alan J. Meeks alan.meeks at angelo.edu
Fri Jun 11 07:04:33 PDT 2010


Bill,

Thank you.  I had somehow missed that I could pass multiple interface arguments to broctl through the interface line in node.cfg that way.  I've modified the interface line and bro is now capturing on all four interfaces simultaneously.


From: William Jones [mailto:jones at tacc.utexas.edu]
Sent: Thursday, June 10, 2010 5:10 PM
To: Alan J. Meeks; 'bro at ICSI.Berkeley.EDU'
Subject: RE: Multiple Capture Interfaces

I run taps too and use the following config per worker:

[worker-4]
#NLR
type=worker
host=homey1.tacc.utexas.edu
interface=eth4.3021 -i eth5.3021
aux_scripts=q1

The aux_scripts set up a filter so that the worker only sees a portion of the IP space, in my case ¼ per worker per tap.

Bill Jones

From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Alan J. Meeks
Sent: Thursday, June 10, 2010 3:17 PM
To: 'bro at ICSI.Berkeley.EDU'
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro.  I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running.   I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located.

What additional information can I provide that might help identify the issue?


Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax
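
The per-worker filtering described in the reply above, as an added example that is not part of the original thread and is not the q1 script: a Python sketch that builds four BPF expressions splitting IPv4 traffic on one tap into disjoint quarters. The split rule (low two bits of the summed last address octets) and all function names are assumptions; how the expression is loaded into a worker is not shown.

```python
# Added example: one BPF expression per worker so that four workers on the
# same tap each see a disjoint quarter of the IPv4 traffic.
import ipaddress

WORKERS = 4  # must be a power of two so "& (WORKERS - 1)" acts as modulo


def worker_filter(index, workers=WORKERS):
    """BPF expression selecting the share of traffic for worker `index`.

    ip[15] and ip[19] are the last octets of the source and destination
    address. Adding them is symmetric, so both directions of a connection
    match the same worker. "ip and" means non-IPv4 traffic matches no worker.
    """
    if workers & (workers - 1) or not 0 <= index < workers:
        raise ValueError("workers must be a power of two and index in range")
    return f"ip and ((ip[15] + ip[19]) & {workers - 1}) = {index}"


def worker_for(src, dst, workers=WORKERS):
    """Python model of the same arithmetic, used to check the split."""
    s = int(ipaddress.IPv4Address(src)) & 0xFF
    d = int(ipaddress.IPv4Address(dst)) & 0xFF
    return (s + d) & (workers - 1)


def check_split(pairs, workers=WORKERS):
    """Return per-worker counts; raise if the two directions disagree."""
    counts = [0] * workers
    for src, dst in pairs:
        w = worker_for(src, dst, workers)
        if w != worker_for(dst, src, workers):
            raise AssertionError("asymmetric split")
        counts[w] += 1
    return counts


# Constructed sample address pairs (documentation ranges), not real traffic.
SAMPLE = [("192.0.2.10", "198.51.100.7"), ("192.0.2.11", "198.51.100.7"),
          ("192.0.2.12", "198.51.100.7"), ("192.0.2.13", "198.51.100.7")]

if __name__ == "__main__":
    for i in range(WORKERS):
        print(f"worker {i}: {worker_filter(i)}")
    print(check_split(SAMPLE))
```

Because every packet maps to exactly one index, the four expressions together cover all IPv4 traffic with no overlap, which is what keeps a connection from being analyzed twice or missed.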
