[Zeek] Zeek + PF_Ring Issue

Jorge García Rodríguez JorgeGarcia.1995 at outlook.es
Thu Dec 19 04:16:24 PST 2019 

I have ran bro-doctor as you said and certainly I saw interesting things, for example:


###################################################################
# Checking if connections are unevenly distributed across workers #
###################################################################
error: The distribution of connections across workers seems uneven:
worker-1-5:     462 connections
worker-1-4:     890 connections
worker-1-7:     874 connections
worker-1-6:     4122 connections
worker-1-1:     432 connections
worker-1-3:     930 connections
worker-1-2:     907 connections
worker-1-9:     451 connections
worker-1-8:     435 connections
worker-1-10:    497 connections


###############################################################################################################################
# Checking if anything is in the deprecated local-logger.bro, local-manager.bro, local-proxy.bro, or local-worker.bro scripts #
###############################################################################################################################
Nothing found


######################################################################
# Checking if any recent connections have been logged multiple times #
######################################################################
ok, only 0.00%, 0 out of 2429 connections appear to be duplicate


##################################
# Checking pf_ring configuration #
##################################
configured to use pf_ring=True pcap=True plugin=False
###############################################################################################################################

Let me know what do you think about the report.

I have checked about the PF_Ring plugin but it gives me an error, im not sure if im following the last update of this plugin.
https://github.com/ntop/bro-pf_ring


Also doing a further investigation it seems that the script that is overcharguing the cpu is the weird.zeek ¿Is there a way to disable this script?


Thank you all for your replies.

________________________________
De: Justin Azoff <justin at corelight.com>
Enviado: miércoles, 18 de diciembre de 2019 22:29
Para: Jorge García Rodríguez <JorgeGarcia.1995 at outlook.es>
Cc: zeek at zeek.org <zeek at zeek.org>
Asunto: Re: [Zeek] Zeek + PF_Ring Issue

Can you run bro-doctor: https://packages.bro.org/packages/view/1251f948-f435-11e9-9321-0a645a3f3086 (works with zeek, just didn't change the name).  that will likely tell you what is wrong.  You're probably not actually using pf_ring and should use the native plugin and not the pcap wrapper.

On Wed, Dec 18, 2019 at 5:31 AM Jorge García Rodríguez <JorgeGarcia.1995 at outlook.es<mailto:JorgeGarcia.1995 at outlook.es>> wrote:
Hi Zeekers!

I need to resolve a problem attached to Zeek when its configured to work with PF_Ring.

The thing is that we receive between 1.0 and 2.5 GB/s in a fiber interface. Also when we lauch the command "Zeekctl top" to check the Cpu usage and the traffic managed in each worker, we see that the sum of the traffic of all workers is greater than the traffic we receive through the interface.

This makes me think that we have something badly configured in PF_Ring or somehow Zeek is generating some kind of loop.

For example, receiving 2Gb/s, i execute "Zeekctl top" and the result is the next one:

Name         Type    Host             Pid     VSize  Rss  Cpu   Cmd
logger       logger  localhost        11474     3G   118M  50%  zeek
manager      manager localhost        11520   589M    98M  25%  zeek
proxy-1      proxy   localhost        11565   610M   113M  18%  zeek
worker-1-1   worker  localhost        11693     1G   570M  62%  zeek
worker-1-2   worker  localhost        11701     1G   574M  62%  zeek
worker-1-3   worker  localhost        11711     1G   573M  68%  zeek
worker-1-4   worker  localhost        11713     1G   572M  50%  zeek
worker-1-5   worker  localhost        11718     3G     2G 106%  zeek
worker-1-6   worker  localhost        11719     1G   567M  62%  zeek
worker-1-7   worker  localhost        11726     1G   579M  68%  zeek
worker-1-8   worker  localhost        11732     1G   575M  56%  zeek
worker-1-9   worker  localhost        11733     1G   571M  68%  zeek
worker-1-10  worker  localhost        11735     1G   558M  62%  zeek

Hope someone of you can help me to resolve this.

Really thank you.

Best Regards!
_______________________________________________
Zeek mailing list
zeek at zeek.org<mailto:zeek at zeek.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191219/83ca26c3/attachment-0001.html

More information about the Zeek mailing list