Does Bro 2.1 support sniffing on several interfaces at the same time? I have tried this now on a dozen nodes, and the behavior does not seem to be consistent.
Note that I am not trying to sniff an outbound and an inbound stream that are related, but I have a tap port on a separate network that I am also interested in covering.
Sometimes multiple interfaces in node.cfg will work, but sometimes it makes Bro just hang and not record any of the http, dns, ftp logs, etc.
Hi Coen,
Are you perhaps using PF_RING?
https://bro-tracker.atlassian.net/browse/BIT-943
The PF_RING multiple interface issue was resolved in Bro 2.2.
I have had great success with starting bro with:
bro -i eth0 -i eth1
I am not using broctl.
James
Hi Doug,
I am not using PF_RING; for now we have:
[bro]
type=standalone
host=localhost
interface=eth0
interface=eth1
interface=eth2
interface=eth3
interface=eth5
interface=eth6
I am noticing that when leaving all of these interfaces enabled, it may or may not stop working for some reason. When I switched to a single interface it started working, but the configuration on one of the nodes with the above settings seems to work though, and I have no clue why.
Regards,
Coen
I think type=standalone only supports one interface. Have you tried
replacing the standalone config with a clustered config?
https://github.com/bro/broctl/blob/master/etc/node.cfg
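An added example, not code from the thread or from broctl: a small checker that reports node.cfg sections carrying more than one interface= line, like the standalone section posted above, and renders a clustered layout with one worker per interface. The function names and the sample text are constructed here; the manager/proxy/worker section layout follows the sample node.cfg linked above, and one worker per interface is this example's reading of the suggestion, not a confirmed fix.

```python
# Constructed sample: the standalone section as posted in the thread.
SAMPLE = """\
[bro]
type=standalone
host=localhost
interface=eth0
interface=eth1
interface=eth2
interface=eth3
interface=eth5
interface=eth6
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def repeated_interfaces(text):
    """Map each section with more than one interface= line to its interfaces."""
    found = {}
    for name, items in parse_sections(text).items():
        ifaces = [v for k, v in items if k == "interface"]
        if len(ifaces) > 1:
            found[name] = ifaces
    return found

def to_cluster(text, section="bro"):
    """Render a manager, a proxy and one worker per interface (assumed layout)."""
    items = parse_sections(text)[section]
    host = dict(items).get("host", "localhost")
    ifaces = [v for k, v in items if k == "interface"]
    out = ["[manager]", "type=manager", "host=" + host, "",
           "[proxy-1]", "type=proxy", "host=" + host]
    for n, iface in enumerate(ifaces, 1):
        out += ["", "[worker-%d]" % n, "type=worker", "host=" + host,
                "interface=" + iface]
    return "\n".join(out) + "\n"
```

Calling `repeated_interfaces(SAMPLE)` flags the `bro` section with its six interfaces, and `to_cluster(SAMPLE)` returns the text of a clustered node.cfg to review before use.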