I’m not sure this is a bug, which is why I didn’t post it on the tracker. In 2.1 one could do this in node.cfg:
interface=eth2 -i eth3
And bro would open both interfaces. In 2.2-beta-4 specifying two -i’s while manually running bro works, but trying to do the above with the “interface” specification doesn’t, giving this error:
fatal error: /usr/local/bro/bin/bro: problem with interface eth2 -i eth3 - pcap_open_live: eth2 -i eth3: No such device exists (SIOCGIFHWADDR: No such device)
Looks like it’s not parsing things the same way. In 2.2 will there be a new way to specify multiple interfaces?
If you’re using broctl, add:
broargs = -i eth3
to your broctl.cfg
Heh, the previous behavior was technically a bug.
I guess I don't really know what to say. Sniffing multiple interfaces was never something we actually supported when you run Bro with broctl, and we continue not to support it. Generally we recommend merging multiple streams of traffic upstream of where Bro receives the packets.
What about with something like:
as long as those aren't half streams from a tap, that should work,
I’ll also bring up the case of using PF_RING with Bro… In that case it seems the way to do it is to use the PF_RING-specific interface notation:
and then let the workers split up the stream as required. I seem to remember also having to modify a bash script in Bro (and having written to the list about it) in order to get this notation passed through properly…I suppose it’s time to see if this new version requires the same tweaking.
Thanks all for the replies. I'll try them all, starting with the easiest.
For the record, the interfaces are both half streams, so I don't think the cluster method will work.
What about bonding/trunking interfaces on the host?
This makes me wonder if anyone has tried using linux containers to build cluster nodes… Anyone?