I am a new user of Bro. I’ve installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can’t seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located.
What additional information can I provide that might help identify the issue?
I believe I installed in a non-clustered or standalone mode. Ran the ./configure, make and make install after ensuring I got all the prereqs on the server.
I also forgot to mention I was not in the position where I could pick and choose my hardware and could not get BSD installed. I had to fall back to CentOS 5.5.
Well, I've tried the command line switch -i to specify multiple interfaces by starting bro with "bro -i eth0 -i eth1" and so on, but when I try to start bro that way it will not start. The command will hang and bro won't start. I can start bro through ./broctl but can't pass it the interfaces as parameters that way.
Thank you. I had somehow missed that I could pass multiple interface arguments to broctl through the interface line in node.cfg that way. I’ve modified the interface line and bro is now capturing on all four interfaces simultaneously.
Unfortunately, the reason it's undocumented is because (while it does work) it's not a recommended solution because it breaks several other features in broctl.
Better ways to accomplish the same thing are to:
1. Bridge your interfaces together in your operating system to present a single interface to Bro.
2. Run Bro as a cluster where each worker node runs on the same box but sniffs a different interface.
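As an added illustration of option 2 (this is an example node.cfg, not one posted in the thread): a broctl cluster where the manager, a proxy and four workers all live on the same host, and each worker sniffs one of the four interfaces. The section names, the use of localhost, and the interface names eth0 through eth3 are assumptions for the example; only eth0 and eth1 are mentioned above, and the host name and interfaces would have to match the actual box.

```ini
; Example broctl node.cfg for a single-box cluster (added example, not from the thread).
; One manager and one proxy coordinate the workers; each worker captures on its own
; interface, so nothing has to be passed on the command line and broctl's per-node
; features (status, restart, log rotation) keep working.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

; Assumed: eth0 is the local-subnet interface, eth1-eth3 are the three taps.
[worker-1]
type=worker
host=localhost
interface=eth0

[worker-2]
type=worker
host=localhost
interface=eth1

[worker-3]
type=worker
host=localhost
interface=eth2

[worker-4]
type=worker
host=localhost
interface=eth3
```

After editing node.cfg, run ./broctl install and then ./broctl start; ./broctl status should then list each worker separately, so you can see at a glance which tap has stopped delivering traffic.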