[Bro] Question on Bro efficiency and bonded interfaces running async traffic

Espresso Beanies espressobeanies at gmail.com
Mon Mar 13 12:55:09 PDT 2017


I see.

Thanks Seth!

On Mon, Mar 13, 2017 at 3:46 PM, Seth Hall <seth at corelight.com> wrote:

>
> > On Mar 13, 2017, at 3:18 PM, Espresso Beanies <espressobeanies at gmail.com>
> wrote:
> >
> > My Bro setup has two hard links, each running uplink and downlink
> traffic separately. Would it be more efficient for Bro to define each hard
> link in the node.cfg or do a soft-bond that merges both hard links into a
> virtual interface, that channels into Bro?
>
> You will need to merge the interfaces.  You can’t monitor them separately
> because a Bro process needs to see both sides of a connection, but if you
> run with each interface on a different Bro process, each process will only
> see a single direction of traffic.
>
> If you merge/bond interfaces, it’s very possible that some of your
> connections will be messed up as well because there is no synchronization
> between how packets are received from the separate interfaces and you
> could receive traffic out of order.  I typically recommend that people
> merge traffic in a switch (SPAN port) or through a packet broker because
> those will merge the packets from different interfaces correctly.
>
>   .Seth
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
>
>
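
The two effects described in the reply above, as an added illustration that is not part of the original thread: a small Python model of one TCP handshake seen on two capture interfaces. The packet records, addresses, interface names and the per-interface delay model are constructed assumptions, not output from Bro or from the poster's setup.

```python
from collections import defaultdict

# Constructed sample: one TCP handshake captured on two taps.
# Fields: (capture_time, interface, src, dst, tcp_flags)
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)
PACKETS = [
    (0.000, "eth0", CLIENT, SERVER, "S"),    # uplink tap
    (0.010, "eth1", SERVER, CLIENT, "SA"),   # downlink tap
    (0.011, "eth0", CLIENT, SERVER, "A"),    # uplink tap
]

def flow_key(src, dst):
    """Direction-independent connection key."""
    return tuple(sorted((src, dst)))

def one_sided(packets):
    """Connections for which only one direction of traffic was observed."""
    seen = defaultdict(set)
    for _, _, src, dst, _ in packets:
        seen[flow_key(src, dst)].add((src, dst))
    return [key for key, dirs in seen.items() if len(dirs) < 2]

def per_interface(packets):
    """Split the capture as if each interface fed its own monitoring process."""
    split = defaultdict(list)
    for pkt in packets:
        split[pkt[1]].append(pkt)
    return dict(split)

def bonded(packets, delay):
    """Model a software bond (assumption): each interface delivers its packets
    with its own queueing delay and nothing re-synchronizes the two streams."""
    return sorted(packets, key=lambda p: p[0] + delay.get(p[1], 0.0))

def flag_order(packets):
    """TCP flags in the order the monitor would receive them."""
    return [p[4] for p in packets]

if __name__ == "__main__":
    for iface, pkts in per_interface(PACKETS).items():
        print(iface, "one-sided connections:", len(one_sided(pkts)))
    print("merged, no skew:  ", flag_order(bonded(PACKETS, {})))
    print("merged, eth0 late:", flag_order(bonded(PACKETS, {"eth0": 0.02})))
```
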