[Bro] Checking symmetric traffic using bro

Johanna Amann johanna at icir.org
Tue Apr 25 07:57:16 PDT 2017


Without looking at the document, usually the easy way to tell if traffic
is symmetric is to check if connection history in conn.log has a lot of
lines that are all capitalized or all non-capitalized (which shows that a
sensor only received one side of the connections). This can be combined
with the script that you mentioned earlier if you are running in cluster
mode.

Johanna

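One way to apply that check over a conn.log, as an added example that is not from the thread or from Bro itself: the script below classifies each connection's `history` as originator-only (all uppercase), responder-only (all lowercase) or both-sided, and tallies the result overall and per worker. The `peer` column name is an assumption standing in for whatever a cluster-mode script appends, and the log excerpt is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample in Bro's tab-separated ASCII log format; the `peer`
# column is an assumption for whatever a cluster-mode script appends.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory\tpeer
1493100000.1\tC1\t10.0.0.1\t40000\t10.0.0.2\t80\ttcp\tShADadfF\tworker-1-1
1493100001.2\tC2\t10.0.0.3\t40001\t10.0.0.4\t443\ttcp\tSADF\tworker-1-2
1493100002.3\tC3\t10.0.0.5\t40002\t10.0.0.6\t22\ttcp\thadf\tworker-1-2
1493100003.4\tC4\t10.0.0.7\t40003\t10.0.0.8\t25\ttcp\tS\tworker-1-1
1493100004.5\tC5\t10.0.0.9\t40004\t10.0.0.10\t53\tudp\t-\tworker-1-1
"""

def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def classify_history(history):
    """Uppercase letters = originator events, lowercase = responder; '^' etc. ignored."""
    letters = [c for c in history if c.isalpha()]
    if not letters:
        return "empty"
    has_upper = any(c.isupper() for c in letters)
    has_lower = any(c.islower() for c in letters)
    if has_upper and has_lower:
        return "both"
    return "orig_only" if has_upper else "resp_only"

def summarize_conn_log(text):
    """Return (per_peer, total) Counters of history classes."""
    per_peer = defaultdict(Counter)
    total = Counter()
    for row in parse_conn_log(text):
        cls = classify_history(row.get("history", "-"))
        per_peer[row.get("peer", "-")][cls] += 1
        total[cls] += 1
    return per_peer, total

def one_sided_fraction(counts):
    """Share of non-empty connections seen from one side only. Unanswered SYNs are
    legitimately orig-only, so compare across sensors/workers, don't expect zero."""
    seen = counts["both"] + counts["orig_only"] + counts["resp_only"]
    return (counts["orig_only"] + counts["resp_only"]) / seen if seen else 0.0
```

A worker whose fraction sits far above its siblings, or a whole sensor where nearly every history is a single case, is the signature of a feed that delivers only one direction.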
On Mon, Apr 24, 2017 at 04:57:15PM +0000, Zhi-Wei Lu wrote:
> Hi Justin,
> 
> We will essentially use a setup like the following
> https://www.arista.com/assets/data/pdf/Whitepapers/palo_alto_networks_and_arista.pdf
> 
> We are wondering what tools (bro?) we can use to show that traffic sent to each PA-5060 (or whatever IPS tools) from Arista switches is symmetric.
> 
> Thank you.
> 
> Zhi-Wei Lu
> IET-CR-Network Operations Center
> University of California, Davis
> (530) 752-0155
> 
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Zhi-Wei Lu
> Sent: Friday, April 21, 2017 8:16 PM
> To: Azoff, Justin S <jazoff at illinois.edu>
> Cc: bro at bro.org
> Subject: Re: [Bro] Checking symmetric traffic using bro
> 
> 
> Thank you Justin,
> 
> In our test, the Arista split traffic into two streams; our one bro server analyzes only one stream's data.
> 
> Zhi-Wei Lu
> 
> IET-CR-Network Operations Center
> University of California, Davis
> (530) 752-0155
> ________________________________
> From: Azoff, Justin S <jazoff at illinois.edu>
> Sent: Friday, April 21, 2017 7:11:39 PM
> To: Zhi-Wei Lu
> Cc: bro at bro.org
> Subject: Re: [Bro] Checking symmetric traffic using bro
> 
> 
> > On Apr 21, 2017, at 7:32 PM, Zhi-Wei Lu <zwlu at ucdavis.edu> wrote:
> >
> > Hi Bro experts,
> >
> > We are newbies to bro and are in the process of testing a bro setup using an Arista 7150 to split traffic using symmetric hashing, sending it to a bro cluster. Could bro tell how well the symmetric hashing mechanism is working? What log files/stats shall we look at to discern this information?
> >
> > Justin at bro IRC channel suggested this script
> > https://gist.github.com/JustinAzoff/446d0abba2c6dd8ff242#file-conn-peer-bro
> >
> > This adds peer (worker-x-y) information at the end of conn.log lines. In our case, we have a single bro server with 10 bro workers running on it; this would tell how well bro divides the traffic it received and sends it to individual workers, is that right?
> >
> > What I am interested in is whether the Arista 7150 split traffic properly, so that bro downstream could tell how well or badly traffic was split on the Arista. Is that possible?
> >
> > Thank you very much and have a nice weekend.
> 
> I'm a bit confused... if you only have a single server, the switch isn't splitting the traffic at all. Symmetric hashing is only relevant if you have more than one server.
> 
> For what it's worth, Arista switches in tapagg mode handle symmetric hashing perfectly.
> 
> 
> --
> - Justin Azoff

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
