<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ES" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Hi Justin and Raphael,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Very good point and very interesting issue. Some questions….<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">What does exactly do bro-pf_ring?
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">What does “best results” mean? <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Is it mandatory to use bro + pf_ring?
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">If not what features are added?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Thanks in advance,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Xavier Gonzalez<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:black">CTO & Co-founder</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:black"><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__opencloudfactory.com_&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=-eQ9-r22Kp9xiDrpGjPtHV9AfU7tpjiF3EVDFkpQTm8&e=" title="https://urldefense.proofpoint.com/v2/url?u=http-3A__opencloudfactory.com_&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=-eQ9-r22Kp9xiDrpGjPtHV9AfU7tpjiF3EVDFkpQTm8&e="><span style="color:#600060">http://opennac.org</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:black"><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__opencloudfactory.com_&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=-eQ9-r22Kp9xiDrpGjPtHV9AfU7tpjiF3EVDFkpQTm8&e=" title="https://urldefense.proofpoint.com/v2/url?u=http-3A__opencloudfactory.com_&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=-eQ9-r22Kp9xiDrpGjPtHV9AfU7tpjiF3EVDFkpQTm8&e="><span lang="EN-US" style="color:#600060">http://opencloudfactory.com</span></a></span><span lang="EN-US" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica;color:black">follow us: </span><span style="font-size:9.0pt;font-family:Helvetica;color:black"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_opennac&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=Ue3qSgS7Wi6D-MiqHN_1d9FvO2A8XphTHeO9wdDIWwI&e="><span lang="EN-US" style="color:#600060">@opennac</span></a></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica;color:black"> </span><span style="font-size:9.0pt;font-family:Helvetica;color:black"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_viapps&d=DwMGaQ&c=57MOrb6NxZaYVa4uifS2UQ&r=7STsfyeMyac_1IFIgIS-WjdEirYO1GtwQ7VrUHTtpro&m=T67RemaYW12KUf2SFwdenG64ItIBu5RK6K_Iw51jv2U&s=8TMKueanTMJrW8fDMeZ89hkHjOkTQAJTL0hWy8A9rN0&e="><span lang="EN-US" style="color:#600060">@viapps</span></a></span><span lang="EN-US" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"> <o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:12.0pt;color:black">From:
</span></b><span lang="EN-US" style="font-size:12.0pt;color:black">"zeek-bounces@zeek.org" <zeek-bounces@zeek.org> on behalf of Justin Azoff <justin@corelight.com><br>
<b>Date: </b>Tuesday, 3 September 2019 at 03:48<br>
<b>To: </b>Raphael Shin <hkshin98@gmail.com><br>
<b>Cc: </b>zeek <zeek@zeek.org><br>
<b>Subject: </b>Re: [Zeek] How to configure multiple interfaces<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">Install <a href="https://github.com/ntop/bro-pf_ring">https://github.com/ntop/bro-pf_ring</a> in general for best results.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Use<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">interface=pf_ring::p1p1,p1p2<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, Sep 2, 2019 at 9:32 PM Raphael Shin <<a href="mailto:hkshin98@gmail.com">hkshin98@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">Hi, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am installing Bro on Redhat OS.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My Bro machine has two interfaces.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Interface#1(p1p1) : Server farm <b>inbound</b> traffic<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Interface#2(p1p2) : Server farm <b>outbound</b> traffic<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I configured two interfaces with pf_ring.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">node.cfg file is as follows.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">----------------------------<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[logger]<br>
type=logger<br>
host=localhost<br>
<br>
[manager]<br>
type=manager<br>
host=localhost<br>
<br>
[proxy-1]<br>
type=proxy<br>
host=localhost<br>
<br>
[worker-1]<br>
type=worker<br>
host=localhost<br>
interface=<b>p1p1</b><br>
lb_method=pf_ring<br>
lb_procs=2<br>
pin_cpus=8,9<br>
<br>
[worker-2]<br>
type=worker<br>
host=localhost<br>
interface=<b>p1p2</b><br>
lb_method=pf_ring<br>
lb_procs=2<br>
pin_cpus=10,11<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">---------------------------- <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">but, I had wrong connection information.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Most conn_state is SH or SHR in the conn.log file.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">How can I configure the node.cfg file?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Raphael<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Justin<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>