node.cfg multiple interface convention?

Chris_Harwood · September 29, 2016, 7:10pm

Hi all,

One of my installations runs on an old linux laptop monitoring wifi traffic exclusively in standalone.

I’m wondering what the convention is for node.cfg to add monitoring to the wired interface as well.

The use case is, the system is taken off the wifi and restarted at a second location for monitoring a wired connection.

Is the following node.cfg valid?

[bro]
type=standalone
host=localhost
interface=wlan0
interface=eth0

Or is a better configuration to use 2 workers, one for each interface?

Thanks in advance,

Chris

johanna · September 30, 2016, 9:05pm

Hello Chris,

no, the given node.cfg is not valid, you can only specify one interface
for a standalone node. The best solution would probably be to use 2
workers, one for each interface. There is a workaround that should still
work, where you give the interface as "wlan0 -i eth0", (see
https://bro-tracker.atlassian.net/browse/BIT-12), which I think still
works, but that might break anytime.

Johanna

Topic		Replies	Views
multiple interfaces using PFRing Zeek	1	73	May 6, 2022
Bro Digest, Vol 152, Issue 15 Zeek	1	54	May 6, 2022
First attempt to upgrade to 3: Multiple interfaces Zeek	11	94	May 6, 2022
capstats doesnt work with af_packet Zeek	4	64	May 6, 2022
Using af_packet in a host with two nics Zeek	12	261	May 6, 2022

node.cfg multiple interface convention?

Related Topics