[Bro] Monitoring of intra virtual machines network traffic on same physical host

Aashish Sharma asharma at lbl.gov
Mon Oct 19 10:43:11 PDT 2015 

I think openswitch and port mirroring that Shane mentioned look like very promising options. Much better than clusterify the virtual machines. 

While, I haven't run bro on VM systems, I would be very interested in the performance numbers, if any of you have those in future, please do share. 

Thanks, 
Aashish 

On Mon, Oct 19, 2015 at 10:13:26PM +0530, Pradyumna Joshi wrote:
> 
>    Thanks Aashish for the quick response.
>    Your response has provided one more option for me - to run workers on VM
>    instances and run manager on Host.
>    I was thinking of using multiple options and was not sure which one to go
>    for:
>    1) Using [1]Daemonlogger for capturing traffic from bridged interfaces and
>    feeding this traffic to Bro.
>    2) Using [2]OpenvSwitch to achieve bridge functionality and feed it to Bro.
>    From  the  docs, it is seen that [3]OVSDB supports full virtual switch
>    management functionality.
>    I  wanted  to know if anybody in Bro Community had implemented similar
>    solutions and wanted to know their experiences/feedback.
>    regards,
>    - Pradyumna Joshi
>    Â
> 
>    On Mon, Oct 19, 2015 at 12:53 PM, Aashish Sharma <[4]asharma at lbl.gov> wrote:
> 
>      Hello
>      (Let me think some more on this)
>      Meanwhile a quick solution is to run bro instances as worker nodes on each
>      of the VM's and then run manager on the host OS.
>      I don't anticipate that you'd have such high volumes that bro workers will
>      demand more CPU then your applications on the VM.
>      However,  this is a quick and somewhat in optimal solution.  Would
>      certainly work but may be cheaper (in CPU) to do it a different way.
>      Basically bro needs to see traffic to and from each of the interfaces in
>      the VM.
>      Let me see if you can tap out of bridged interfaces or if our network/tap
>      experts have some other ideas or workaround for this.
>      Aashish
> 
>    >    On    Oct    18,    2015,    at   10:31   PM,   Pradyumna   Joshi
>    <[5]joshi.pradyumna at gmail.com> wrote:
>    >
>    >  Is it possible to monitor network traffic between different Virtual
>    machines on the same physical machine using Bro?
>    >
>    > Thanks.
>    > Joshi Pradyumna
>    > Computer Center,
>    > Homi Bhabha National Institute,
>    > Mumbai.
> 
>      > _______________________________________________
>      > Bro mailing list
>      > [6]bro at bro-ids.org
>      > [7]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
>    --
>    Pradyumna Joshi
> 
> References
> 
>    1. http://sourceforge.net/projects/daemonlogger/
>    2. http://openvswitch.org/
>    3. https://tools.ietf.org/html/rfc7047
>    4. mailto:asharma at lbl.gov
>    5. mailto:joshi.pradyumna at gmail.com
>    6. mailto:bro at bro-ids.org
>    7. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list