[Bro] data_before_established, possible_split_routing
Johanna Amann
johanna at icir.org
Tue May 30 10:06:02 PDT 2017
On Thu, May 11, 2017 at 10:36:00AM -0400, erik clark wrote:
> We are experiencing these in significant quantity since we moved traffic
> from one site to another. Is there any sort of way to bond this data so
> that bro wont gut the connections? This is leading to a massive 70% packet
> loss on the sensor.
Just to give a short answer for this - as you probably are aware, Bro
expects the packets to arrive in the correct order on the interfaces it
uses for monitoring. If you have access to several fibers that contain
parts of the full traffic, I think there are network cards/switches that
can merge them back together.
Johanna
More information about the Bro
mailing list