Monitor interface not picking up #773
-
|
In Malcolm, I defined a Management Interface and a Capture Interface using the configuration script. Now I want to add an extra Capture Interface. I did this using the configuration script. I cannot see traffic on the extra interface in Malcolm. I can see it on the original interface, but not on the extra interface. If I switch the cables, I can see it coming in on the originally defined interface. Do I need to reconfigure something within Malcolm for it to pick that up? Or are there additional settings I need to check somewhere? Or what is the procedure, apart from running the configuration again? And restarting the entire VM. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
If you don't want to restart the entire VM, you can just edit There are several containers involved in capture, though, so you'd either want to restart Malcolm to pick up that new variable value ( |
Beta Was this translation helpful? Give feedback.
-
|
This worked.
|
Beta Was this translation helpful? Give feedback.
If you don't want to restart the entire VM, you can just edit
./config/pcap-capture.envunder the Malcolm installation directory and set thePCAP_IFACEvariable to a comma-separated list of interfaces (e.g.,PCAP_IFACE=eth0orPCAP_IFACE=enp1s0,enp2s0).There are several containers involved in capture, though, so you'd either want to restart Malcolm to pick up that new variable value (
./scripts/restart) or you can restart just the affected services (./scripts/restart -s arkime-live suricata-live zeek-live pcap-capture).