[Bro] Question on Bro efficiency and bonded interfaces running async traffic
Espresso Beanies
espressobeanies at gmail.com
Mon Mar 13 12:55:09 PDT 2017
I see.
Thanks Seth!
On Mon, Mar 13, 2017 at 3:46 PM, Seth Hall <seth at corelight.com> wrote:
>
> > On Mar 13, 2017, at 3:18 PM, Espresso Beanies <espressobeanies at gmail.com> wrote:
> >
> > My Bro setup has two hard links, each running uplink and downlink
> > traffic separately. Would it be more efficient for Bro to define each hard
> > link in the node.cfg or do a soft-bond that merges both hard links into a
> > virtual interface, that channels into Bro?
>
> You will need to merge the interfaces. You can’t monitor them separately
> because a Bro process needs to see both sides of a connection, but if you
> run with each interface on a different Bro process, each process will only
> see a single direction of traffic.
>
> If you merge/bond interfaces, it’s very possible that some of your
> connections will be messed up as well because there is no synchronization
> between how packets are received from the separate interfaces and you
> could receive traffic out of order. I typically recommend that people
> merge traffic in a switch (SPAN port) or through a packet broker because
> those will merge the packets from different interfaces correctly.
>
> .Seth
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
>
>
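A sensor-side check for the condition described in the reply, as an added example that is not part of the original thread or of Bro itself: it scans a TSV `conn.log` for TCP connections where only one endpoint's packets were recorded. It relies on the `history` field using uppercase letters for originator events and lowercase for responder events; the sample log lines and the A/D heuristic are constructed assumptions.

```python
# Constructed sample in Bro's TSV conn.log layout (subset of fields), not real traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tconn_state\thistory",
    "1489434000.1\tCaaa\t10.0.0.5\t192.0.2.10\ttcp\tSF\tShADadFf",  # both directions
    "1489434001.2\tCbbb\t10.0.0.6\t192.0.2.11\ttcp\tS0\tS",         # unanswered SYN
    "1489434002.3\tCccc\t10.0.0.7\t192.0.2.12\ttcp\tSH\tSADF",      # uplink only
    "1489434003.4\tCddd\t10.0.0.8\t192.0.2.13\ttcp\tSHR\thadf",     # downlink only
    "1489434004.5\tCeee\t10.0.0.9\t192.0.2.14\tudp\tSF\tDd",        # not TCP
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names on the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def one_sided_tcp(records):
    """Return (uid, side) for TCP connections seen from one endpoint only.

    Heuristic (assumption): an ACK or data event from one side with no event
    at all from the other means the handshake completed somewhere the sensor
    did not see. A lone SYN is left alone, since an unanswered probe looks
    the same on a healthy sensor.
    """
    hits = []
    for rec in records:
        if rec.get("proto") != "tcp":
            continue
        letters = [c for c in rec.get("history", "") if c.isalpha()]
        upper = {c for c in letters if c.isupper()}
        lower = {c for c in letters if c.islower()}
        if upper and not lower and upper & {"A", "D"}:
            hits.append((rec["uid"], "originator-only"))
        elif lower and not upper and lower & {"a", "d"}:
            hits.append((rec["uid"], "responder-only"))
    return hits


if __name__ == "__main__":
    records = list(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, side in one_sided_tcp(records):
        print(uid, side)
```

A large share of such records on one worker suggests that process is receiving only the uplink or only the downlink.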