Hi guys,
I’m trying to deploy Bro Cluster using Docker container technology for my master’s research project on Network Function Virtualization.
The objective is to use pf_send and replay a pcap file obtained from http://download.netresec.com/pcap/smia-2011/SMIA_2011-10-12_07%253A41%253A40_CEST_606532000_file2.pcap.
I configured PF_RING and created 5 containers as workers.
I guess here I’m violating what is cited in https://www.bro.org/sphinx/cluster/index.html:
"The PF_RING software for Linux has a “clustering” feature which will do flow-based load balancing across a number of processes that are sniffing the same interface". What I mean here is each container has its own interface and the workers are not listening on the same interface, so am I right, or should I deploy the whole Bro Cluster just on one container? I will appreciate any comment and guidance.
Best regards.
Aziz
MSc Sécurité, Réseaux et e-Santé
Université Paris Descartes