<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Yah, that would definitely explain it. Libpcap is probably setting the file descriptor to something weird after trying to open ’zc:10’ and that’s causing Zeek to throw an error. I’ll see if we can make that a little more friendly.<div class=""><br class=""></div><div class="">I recently fixed the af_packet plugin to build correctly with Zeek 3.1 and the process is pretty simple. If you want to look at those changes as a roadmap, go for it. We should have a blog post coming out pretty soon on <a href="http://zeek.org" class="">zeek.org</a> about it. Otherwise I’ll add it to my list for next week.</div><div class=""><br class=""></div><div class="">Tim<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Feb 21, 2020, at 4:20 PM, Justin Azoff <<a href="mailto:justin@corelight.com" class="">justin@corelight.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class="">On Fri, Feb 21, 2020 at 4:36 PM Tim Thompson <<a href="mailto:tim@tsqrd.net" class="">tim@tsqrd.net</a>> wrote:<br class=""></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class=""><div class="">Example:<br class=""></div><div class="">zbalance_ipc -i zc:eth1 -n 1 -m 1 -c 10 -g 1 -a (creates zc:10@0)</div><div class=""><div class=""><br class=""></div><div class="">[root@server opt]# zeek -i zc:10@0<br class="">listening on zc:10@0<br class=""></div></div></div></blockquote><div class=""><br class=""></div><div class="">ah, you're using pf_ring through the libpcap wrapper and their wrapper is doing something weird. This problem should go away using <a href="https://github.com/ntop/bro-pf_ring" class="">https://github.com/ntop/bro-pf_ring</a> (and likely better performance too since you won't need the wrapper) </div><div class=""><br class=""></div><div class="">That package may need a few updates to the cmake bits to compile properly against zeek.. as well as the configure changes that make it possible to build plugins without the zeek source code.</div><div class=""><br class=""></div></div>-- <br class=""><div dir="ltr" class="gmail_signature"><div dir="ltr" class="">Justin</div></div></div>
_______________________________________________<br class="">Zeek mailing list<br class=""><a href="mailto:zeek@zeek.org" class="">zeek@zeek.org</a><br class="">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</div></blockquote></div><br class=""></div></body></html>