Question on Bro efficiency and bonded interfaces running async traffic

My Bro setup has two hard links, each running uplink and downlink traffic separately. Would it be more efficient for Bro to define each hard link in the node.cfg or do a soft-bond that merges both hard links into a virtual interface, that channels into Bro?

You will need to merge the interfaces. You can’t monitor them separately because a Bro process needs to see both sides of a connection, but if you run with each interface on a different Bro process, each process will only see a single direction of traffic.

If you merge/bond interfaces, it’s very possible that some of your connections will be messed up as well because there is no synchronization between how packets are received from the separate interfaces and you could receive traffic out of order. I typically recommend that people merge traffic in a switch (SPAN port) or through a packet broker because those will merge the packets from different interfaces correctly.

  .Seth

I see.

Thanks Seth!