Deploying rocknsm in-line


since i could not find it documented as such a question on deploying rocknsm in-line (non-blocking).

With in-line i mean it listens to traffic using multiple span ports. On the rock instance deployed as a first experience, test there are 6 to 8 subnets to be monitored which for now it does quite well. But it is not in-line.

Is rock suitable to handle this kind of deployment ?



Hello Joris,

From an architectural perspective, in-line and listening to multiple span ports are different.

That said, the answer is yes; ROCK can receive multiple network feeds. This can be done through aggregation or multiple capture interfaces (or even multiple sensor components (Zeek, Suricata, Stenographer, Kafka, etc.) all feeding into a shared Elastic Stack - known as “multi-node deployment”).

Hey Andy,

Thanks. I do mean in-line, it has to be that rocknsm observes all traffic on the external to internal and internal to internal networks. This on both bridges and physical interfaces.

I have two setups running now. One as a POC in a VM clusters with 6 to 8 interfaces and one in a LAB environement with just two phyiscal interfaces but also a bunch of virtual network interfaces (tapXXX, vmbrX etc)

I’m learning as i go along but i prefer rocknsm over onion any time at this point. I hope to be able to contribute where i can in the future.

Best Regards,