[Bro] Monitoring of intra virtual machines network traffic on same physical host

Mike Dopheide dopheide at gmail.com
Mon Oct 19 10:34:16 PDT 2015


Adding a little to this, we just started playing with running Bro on a VM
to monitor VM-to-VM traffic on a HP bladesystem running VMWare using the
port mirroring that Shane mentioned. It's going well enough that I'm
considering deploying it on all the other bladesystems as well.

Actually, we're using it as a monitoring point for VM to non-VM traffic as
well, since it sees everything coming in and out of the chassis.

-Dop

On Mon, Oct 19, 2015 at 11:43 AM, Pradyumna Joshi <joshi.pradyumna at gmail.com> wrote:

> Thanks Aashish for the quick response.
>
> Your response has provided one more option for me - to run workers on VM
> instances and run manager on Host.
>
> I was thinking of using multiple options and was not sure which one to go
> for:
>
> 1) Using Daemonlogger <http://sourceforge.net/projects/daemonlogger/> for
> capturing traffic from bridged interfaces and feeding this traffic to Bro.
> 2) Using OpenvSwitch <http://openvswitch.org/> to achieve bridge
> functionality and feed it to Bro. From the docs, it is seen that OVSDB
> <https://tools.ietf.org/html/rfc7047> supports full virtual switch
> management functionality.
>
> I wanted to know if anybody in Bro Community had implemented similar
> solutions and wanted to know their experiences/feedback.
>
> regards,
> - Pradyumna Joshi
>
>
>
> On Mon, Oct 19, 2015 at 12:53 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>
>> Hello
>>
>> (Let me think some more on this)
>>
>> Meanwhile a quick solution is to run bro instances as worker nodes on
>> each of the VM's and then run manager on the host OS.
>>
>> I don't anticipate that you'd have such high volumes that bro workers
>> will demand more CPU than your applications on the VM.
>>
>> However, this is a quick and somewhat suboptimal solution. Would
>> certainly work but may be cheaper (in CPU) to do it a different way.
>>
>> Basically bro needs to see traffic to and from each of the interfaces in
>> the VM.
>>
>> Let me see if you can tap out of bridged interfaces or if our network/tap
>> experts have some other ideas or workaround for this.
>>
>> Aashish
>>
>>
>> > On Oct 18, 2015, at 10:31 PM, Pradyumna Joshi <joshi.pradyumna at gmail.com> wrote:
>> >
>> > Is it possible to monitor network traffic between different Virtual
>> machines on the same physical machine using Bro?
>> >
>> > Thanks.
>> > Joshi Pradyumna
>> > Computer Center,
>> > Homi Bhabha National Institute,
>> > Mumbai.
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
> Pradyumna Joshi
>
>
>
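As an added illustration of the layout Aashish suggests (manager on the host OS, a Bro worker inside each VM), and not part of this thread: a BroControl node.cfg for that topology. The host IPs, VM IPs and interface names are constructed placeholders; BroControl additionally needs passwordless SSH from the manager host to each worker and the same Bro install path on all nodes.

```ini
# node.cfg: manager and proxy on the hypervisor host, one worker per VM.
# All addresses below are constructed placeholders for this example.

[manager]
type=manager
host=192.0.2.1        # hypervisor host OS

[proxy-1]
type=proxy
host=192.0.2.1        # co-located with the manager on the host

# One worker per guest. Each worker sniffs the guest's own bridged
# interface, so it sees that VM's traffic to other VMs and to the outside.
[worker-vm1]
type=worker
host=192.0.2.11       # guest VM 1
interface=eth0

[worker-vm2]
type=worker
host=192.0.2.12       # guest VM 2
interface=eth0

# Alternative from the thread (port-mirroring variant): a single worker on a
# dedicated monitoring VM whose interface receives the mirrored vSwitch traffic,
# replacing the per-VM workers above.
# [worker-mirror]
# type=worker
# host=192.0.2.20
# interface=eth1
```

Uncomment the mirror worker and drop the per-VM workers to move from the per-guest layout to the mirrored-port layout Mike and Shane describe; both are driven from the same manager.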