BRO sniffing traffic on a VLAN

Dear ALL,

I have plugged BRO in my lab in the mirrored port of a physical switch. Thus BRO is able to sniff all the traffic.

My question is that if we install BRO on a simple linux machine and try sniffing a LAN traffic for analysis for example, do we need some special measure? I mean is it necessary that BRO should be plugged in the mirrored port…


Hi Masoom,

Bro will still see some traffic (traffic destined to the bro box, ARP, broadcast, potential port floods) but not other traffic.