[Bro] Tap configuration

Daniel Manzo daniel.manzo at bayer.com
Fri Jan 13 05:58:25 PST 2017 

I have tried disabling checksum offloading, but still no luck. Here is the ifcfg file for my eth interface:

DEVICE=eth12
ONBOOT=yes
BOOTPROTO=static
PROMISC=yes
USERCTL=no

Freundliche Grüße / Best regards,

Dan Manzo
Asst Analyst I
________________________

Bayer: Science For A Better Life

Bayer U.S. LLC
Country Platform US
Scientific Computing Competence Ctr
Bayer Road
15205 Pittsburgh (PA), United States
Tel:                        +1 412 7772171
Mobile:                +1 412 5258332
E-mail:  daniel.manzo at bayer.com

From: Neslog [mailto:neslog at gmail.com]
Sent: Thursday, January 12, 2017 4:59 PM
To: Hosom, Stephen M
Cc: Bro-IDS; Daniel Manzo
Subject: Re: [Bro] Tap configuration

I've had success disabling checksum.
ignore_checksums


On Jan 12, 2017 2:24 PM, "Hosom, Stephen M" <hosom at battelle.org<mailto:hosom at battelle.org>> wrote:
Have you looked into checksum offloading? If enabled, it can result in Bro not producing many of the logs you would expect.

From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org<mailto:bro-bounces at bro.org>] On Behalf Of Daniel Manzo
Sent: Thursday, January 12, 2017 11:05 AM
To: bro at bro.org<mailto:bro at bro.org>
Subject: [Bro] Tap configuration

Hi all,

I have Bro 2.4 configured on a RHEL 6.8 server and was wondering how to properly configure the network interfaces so that Bro can see as much of the network traffic as possible. My tap is connected in line with the network, and I believe that I was previously seeing the correct traffic, but now Bro has reporting much less information. I want to make sure that I have the interfaces configured correctly before moving on to troubleshooting other areas. Currently, I have two eth interfaces set up in PROMISC mode. Thank you for the help

Best regards,
Dan Manzo


_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170113/a9fe2c29/attachment.html

More information about the Bro mailing list