[Bro] Monitoring of intra virtual machines network traffic on same physical host

Pradyumna Joshi joshi.pradyumna at gmail.com
Mon Oct 19 09:43:26 PDT 2015


Thanks Aashish for the quick response.

Your response has provided one more option for me - to run workers on VM
instances and run manager on Host.

I was thinking of using multiple options and was not sure which one to go
for:

1) Using Daemonlogger <http://sourceforge.net/projects/daemonlogger/> for
capturing traffic from bridged interfaces and feeding this traffic to Bro.
2) Using OpenvSwitch <http://openvswitch.org/> to achieve bridge
functionality and feed it to Bro. From the docs, it is seen that OVSDB
<https://tools.ietf.org/html/rfc7047> supports full virtual switch
management functionality.

I wanted to know if anybody in Bro Community had implemented similar
solutions and wanted to know their experiences/feedback.

regards,
- Pradyumna Joshi



On Mon, Oct 19, 2015 at 12:53 PM, Aashish Sharma <asharma at lbl.gov> wrote:

> Hello
>
> (Let me think some more on this)
>
> Meanwhile a quick solution is to run bro instances as worker nodes on each
> of the VMs and then run manager on the host OS.
>
> I don't anticipate that you'd have such high volumes that bro workers will
> demand more CPU than your applications on the VM.
>
> However, this is a quick and somewhat suboptimal solution. Would
> certainly work but may be cheaper (in CPU) to do it a different way.
>
> Basically bro needs to see traffic to and from each of the interfaces in
> the VM.
>
> Let me see if you can tap out of bridged interfaces or if our network/tap
> experts have some other ideas or workaround for this.
>
> Aashish
>
> > On Oct 18, 2015, at 10:31 PM, Pradyumna Joshi <joshi.pradyumna at gmail.com> wrote:
> >
> > Is it possible to monitor network traffic between different Virtual machines on the same physical machine using Bro?
> >
> > Thanks.
> > Joshi Pradyumna
> > Computer Center,
> > Homi Bhabha National Institute,
> > Mumbai.
>



-- 
Pradyumna Joshi
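
The following is an added example, not part of the original thread and not written by either poster: one way option 2 above could be set up, using an Open vSwitch mirror that copies all bridge traffic (VM-to-VM frames included) to an internal port for Bro to sniff. The bridge name `br0`, port name `bro-mon0` and mirror name `bro-mirror` are assumptions; the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: mirror every frame crossing an Open vSwitch bridge
# (including VM-to-VM traffic that never leaves the host) to one internal
# port for Bro to sniff. All names below are assumptions, not from the thread.
BRIDGE="${BRIDGE:-br0}"            # assumed OVS bridge the VM vNICs attach to
MON_PORT="${MON_PORT:-bro-mon0}"   # assumed new internal port Bro listens on
MIRROR="${MIRROR:-bro-mirror}"     # assumed name for the Mirror record
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them

# Print the setup commands, one per line: args are bridge, port, mirror name.
mirror_setup_cmds() {
    # 1. Internal port on the bridge; the host sees it as a normal interface.
    echo "ovs-vsctl --may-exist add-port $1 $2 -- set interface $2 type=internal"
    # 2. Bring it up without an address: it only receives mirrored copies.
    echo "ip link set dev $2 up"
    # 3. select-all=true copies traffic from every port on the bridge;
    #    'add' appends to any mirrors already configured instead of replacing them.
    echo "ovs-vsctl -- --id=@out get port $2 -- --id=@m create mirror name=$3 select-all=true output-port=@out -- add bridge $1 mirrors @m"
}

# Print the commands that undo the setup.
mirror_teardown_cmds() {
    echo "ovs-vsctl -- --id=@m get mirror $3 -- remove bridge $1 mirrors @m"
    echo "ovs-vsctl --if-exists del-port $1 $2"
}

# Read commands on stdin; print them (dry run) or run them, stopping on error.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

mirror_setup_cmds "$BRIDGE" "$MON_PORT" "$MIRROR" | apply_cmds
```

With the mirror in place, Bro on the host can be pointed at the port (`bro -i bro-mon0`, or `interface=bro-mon0` in BroControl's node.cfg).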