[Zeek] Zeek + PF_Ring Issue

Justin Azoff justin at corelight.com
Wed Dec 18 13:29:37 PST 2019 

Can you run bro-doctor:
https://packages.bro.org/packages/view/1251f948-f435-11e9-9321-0a645a3f3086
(works
with zeek, just didn't change the name).  that will likely tell you what is
wrong.  You're probably not actually using pf_ring and should use the
native plugin and not the pcap wrapper.

On Wed, Dec 18, 2019 at 5:31 AM Jorge García Rodríguez <
JorgeGarcia.1995 at outlook.es> wrote:

> Hi Zeekers!
>
> I need to resolve a problem attached to Zeek when its configured to work
> with PF_Ring.
>
> The thing is that we receive between 1.0 and 2.5 GB/s in a fiber
> interface. Also when we lauch the command "Zeekctl top" to check the Cpu
> usage and the traffic managed in each worker, we see that the sum of the
> traffic of all workers is greater than the traffic we receive through the
> interface.
>
> This makes me think that we have something badly configured in PF_Ring or
> somehow Zeek is generating some kind of loop.
>
> For example, receiving 2Gb/s, i execute "Zeekctl top" and the result is
> the next one:
>
> Name         Type    Host             Pid     VSize  Rss  Cpu   Cmd
> logger       logger  localhost        11474     3G   118M  50%  zeek
> manager      manager localhost        11520   589M    98M  25%  zeek
> proxy-1      proxy   localhost        11565   610M   113M  18%  zeek
> worker-1-1   worker  localhost        11693     1G   570M  62%  zeek
> worker-1-2   worker  localhost        11701     1G   574M  62%  zeek
> worker-1-3   worker  localhost        11711     1G   573M  68%  zeek
> worker-1-4   worker  localhost        11713     1G   572M  50%  zeek
> worker-1-5   worker  localhost        11718     3G     2G 106%  zeek
> worker-1-6   worker  localhost        11719     1G   567M  62%  zeek
> worker-1-7   worker  localhost        11726     1G   579M  68%  zeek
> worker-1-8   worker  localhost        11732     1G   575M  56%  zeek
> worker-1-9   worker  localhost        11733     1G   571M  68%  zeek
> worker-1-10  worker  localhost        11735     1G   558M  62%  zeek
>
> Hope someone of you can help me to resolve this.
>
> Really thank you.
>
> Best Regards!
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191218/17ad11cc/attachment.html

More information about the Zeek mailing list