[Bro] Multi tap architecture

Michał Purzyński michalpurzynski1 at gmail.com
Thu Dec 28 21:25:09 PST 2017


This might work with something that's light enough to capture and forward
traffic. I suggest doing it with netsniff-ng and copying traffic to some
kind of tunnel interface.

On Thu, Dec 28, 2017 at 7:59 AM, Johanna Amann <johanna at icir.org> wrote:

> Hi Pierre,
>
> just to recap if I understand everything correctly: you have low-powered
> boxes that you just want to capture traffic on, without analyzing the
> payload, because they are too low powered. And then you would like to do
> the protocol analysis on another machine.
>
> Bro itself does not support this scheme - parsing has to happen on the
> same instance that does the capturing. It sounds like you might want to
> use some other software that can just duplicate and forward interesting
> traffic to a more high-powered machine, where you can perform the actual
> analysis.
>
> I have never built a setup like this myself - but I suspect you might even
> be able to do this directly in Linux using onboard tools; create a
> tunneled interface that sends traffic to the destination that you want to
> send it to and mirror traffic to that interface - or something similar to
> this.
>
> Johanna
>
> On Sun, Nov 12, 2017 at 02:05:19PM +0100, bro-ml at razaborg.fr wrote:
> > Hi everyone,
> >
> > I'm looking to build a Bro architecture with several Tap components (I
> > mean the tcpdump stuff), all separated from the core.
> > I've seen the "cluster" architecture
> > (https://www.bro.org/sphinx/cluster/index.html), but as I said I want to
> > split out the capture work, not the protocol analysis stuff.
> >
> > My situation is the following: I have several "boxes" (with not enough
> > power to do the protocol analysis work, that's the point) in different
> > networks, all connected to one single "core" component. I would like to
> > deploy network capture (Tap) instances on all those boxes, and let the
> > core component do all the hard stuff (I can potentially install a
> > front-end on this core component to set up many "workers" behind it).
> >
> > Is there any way to do this? Any documentation? Does anyone have any
> > clue about how to set it up that way ?
> >
> > Thanks a lot,
> > Pierre
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
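A concrete version of the two suggestions above (Johanna's "tunneled interface plus mirror" with stock Linux tools, and the userspace alternative Michał names), written as an added example for this thread rather than anything the posters or the Bro project shipped. It assumes a sensor whose tap/SPAN port is eth1, a management link with the sensor at 192.0.2.10 and the Bro host at 192.0.2.1, a GRETAP interface named gt0 on both ends, and iproute2/kernel 4.8 or newer for the `matchall` classifier; all of those names and addresses are placeholders. Run it as root on each side, or with DRY_RUN=1 to see the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread): copy every frame a low-powered sensor
# sees on its capture port into a GRETAP tunnel using only iproute2 and tc,
# and let the Bro host sniff the tunnel's inner interface. Interface names and
# addresses are placeholders chosen for illustration.
#
# Usage:  DRY_RUN=1 sh mirror.sh sensor   # print commands without running them
#         sh mirror.sh sensor             # as root on the sensor
#         sh mirror.sh core               # as root on the Bro host

set -eu

CAPTURE_IF="${CAPTURE_IF:-eth1}"       # tap/SPAN port on the sensor, carries no IP address
SENSOR_IP="${SENSOR_IP:-192.0.2.10}"   # sensor's address on the management link
CORE_IP="${CORE_IP:-192.0.2.1}"        # Bro host's address on the management link
TUN_IF="${TUN_IF:-gt0}"                # name of the gretap interface on both ends

# Print a command, then run it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Sensor side: build the tunnel and mirror every ingress frame on the capture
# port into it. "mirred ... mirror" copies the frame in the kernel, so the
# sensor never parses, modifies or drops what the tap delivers, and the only
# CPU cost is the copy plus GRE encapsulation.
sensor_setup() {
    run ip link add "$TUN_IF" type gretap local "$SENSOR_IP" remote "$CORE_IP"
    run ip link set dev "$TUN_IF" up
    run ip link set dev "$CAPTURE_IF" up promisc on
    # Receive offloads would hand tc merged super-frames instead of what was
    # on the wire; turn them off so Bro sees the original packets.
    run ethtool -K "$CAPTURE_IF" gro off lro off
    run tc qdisc add dev "$CAPTURE_IF" handle ffff: ingress
    # matchall needs kernel/iproute2 4.8+; on older systems replace it with
    # "u32 match u32 0 0", which matches every packet the same way.
    run tc filter add dev "$CAPTURE_IF" parent ffff: matchall \
        action mirred egress mirror dev "$TUN_IF"
}

# Core side: terminate the tunnel. The gretap interface decapsulates, so a
# sniffer on it sees the original Ethernet frames: "bro -i gt0", or
# interface=gt0 in a node.cfg worker, just as with a physical tap port.
core_setup() {
    run ip link add "$TUN_IF" type gretap local "$CORE_IP" remote "$SENSOR_IP"
    run ip link set dev "$TUN_IF" up promisc on
}

case "${1:-}" in
    sensor) sensor_setup ;;
    core)   core_setup ;;
    *)      echo "usage: $0 sensor|core" >&2 ;;
esac
```

Three things to check before trusting the mirror. First, GRETAP adds an outer IP header, a GRE header and the inner Ethernet header to every frame, so full-size 1514-byte frames no longer fit a 1500-byte management link and get fragmented or dropped; raise the MTU on the management path or accept the fragmentation cost on the core. Second, GRE is neither encrypted nor authenticated: the full payload of every tapped network now crosses the management network in the clear, so run it over a dedicated link or inside IPsec/WireGuard, and filter the core so it only accepts GRE from the sensors' addresses. Third, if you prefer Michał's userspace route, netsniff-ng can copy from the capture port into the same tunnel interface with its `--in`/`--out` device options instead of the tc rule; the tunnel setup on both sides stays the same.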

