Github user dlyle65535 commented on the issue:
https://github.com/apache/incubator-metron/pull/176
I don't agree that using "any" works fine for either general or
demonstration/development purposes. If we don't sniff the same interface with
all the sensors, we get events that are uncorrelated with the rest of the
sensor stack. Additionally, we'll see events that have no pcap backup.
Kind of related - there is a production use case for the tap0 interface.
You can direct all interfaces of interest to the tap interface and sniff
that.
Is there any reason to not investigate making this work using the sniff
interface before falling back to "any"?