<div dir="ltr"><div>There's a law that if you say pf_ring and af_packet 3 times, Michal shows up.</div><div><br></div><div>I don't see many (any?) reasons for using pf_ring, TBH, if you have a modern kernel or a decent network card (Mellanox, Intel, etc). And I still owe the community the article to show how to use the af_packet correctly :/</div><div><br></div><div>The case where one has inputs from multiple taps, to multiple network ports will be handled the same way by af_packet, if interfaces are bonded or bridged and by pf_ring. None of them buffers data and processes them at L4 and deals with out of order, etc.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 5, 2020 at 2:04 PM Scott Wang <<a href="mailto:scwang%2Bbro@sfu.ca">scwang+bro@sfu.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><font style="font-family:Calibri,Helvetica,sans-serif,serif,"EmojiFont"" size="3" color="black"><span style="font-size:12pt" dir="ltr" id="gmail-m_-4466948355366065611divtagdefaultwrapper"><div style="margin-top:0px;margin-bottom:0px">At
the Canarie workshop, Steve Smoot from Corelight suggested using
pf_ring still. Any thoughts/comments on switching to af_packet?
Advantages vs Disadvantages?</div>
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px">Regards,</div>
<div style="margin-top:0px;margin-bottom:0px">Scott</div></span></font><div><br><blockquote type="cite"><div>On Feb 05, 2020, at 12:48, Justin Azoff <<a href="mailto:justin@corelight.com" target="_blank">justin@corelight.com</a>> wrote:</div><br><div><div dir="ltr">Hi!<div><br></div><div>It shouldn't be that hard to update to 3.x.. </div><div><br></div><div>- bro-pkg should be swapped out with the renamed zkg</div><div>- the python2 references can likely be changed to 3</div><div>- caf no longer needs to be installed separately</div><div>- geoip and databases needs to be swapped out with maxminddb versions, might need a license</div><div>- probably worth it to switch to af_packet from pf_ring.. pf_ring was only used initially to easily support capturing directly from both halves of a tap, which might not be a requirement anymore.<br></div><div><br></div><div>My schedule is a bit crazy for the next week, but once I have some time to work on it I should be able to get things updated pretty quickly.. There's really not much to it.</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 5, 2020 at 12:38 PM Paul Sibley <<a href="mailto:Paul.Sibley@canarie.ca" target="_blank">Paul.Sibley@canarie.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-CA"><div><p class="MsoNormal">Hello Zeek Community,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I am working on a project where Zeek has been deployed in two phases. During the first phase, some participants used “<a href="https://github.com/ncsa/bro-cluster-in-a-box-setup" target="_blank">https://github.com/ncsa/bro-cluster-in-a-box-setup</a>” script to assist in, and automate a lot of the installation process.<br><br>Since then we have entered the phase in our project where more participants have been added, CentOS 8 is preferred, and we are using Zeek 3.0.1.<br><br>I wonder if any consideration, or work has been done, in updating the bro-cluster-in-a-box script to work with the updated OS and Zeek version. Any information would be appreciated.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks in advance,<br><br>Paul Sibley<u></u><u></u></p></div></div>_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">Justin</div></div>
_______________________________________________<br>Zeek mailing list<br><a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br><a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><br></div></blockquote></div><br></div>_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>