[Zeek] Zeek + PF_Ring Issue

Justin Azoff justin at corelight.com
Thu Dec 19 07:06:47 PST 2019


On Thu, Dec 19, 2019 at 7:18 AM Jorge García Rodríguez <
JorgeGarcia.1995 at outlook.es> wrote:

> I have run bro-doctor as you said and certainly I saw interesting things,
> for example:
>
>
> ###################################################################
> # Checking if connections are unevenly distributed across workers #
> ###################################################################
> error: The distribution of connections across workers seems uneven:
> worker-1-5:     462 connections
> worker-1-4:     890 connections
> worker-1-7:     874 connections
> worker-1-6:     4122 connections
> worker-1-1:     432 connections
> worker-1-3:     930 connections
> worker-1-2:     907 connections
> worker-1-9:     451 connections
> worker-1-8:     435 connections
> worker-1-10:    497 connections
>

Interesting indeed.  If you look at your conn log can you tell anything
about all those connections that worker-1-6 is seeing?


> Let me know what you think about the report.
>
> I have checked about the PF_Ring plugin but it gives me an error, I'm not
> sure if I'm following the last update of this plugin.
> https://github.com/ntop/bro-pf_ring
>

You should be able to zkg install bro-pf_ring, or install it manually with
./configure && make && sudo make install.  Are you getting an error when
you do that?


> Also doing a further investigation it seems that the script that is
> overcharging the CPU is the weird.zeek. Is there a way to disable this
> script?
>

Do you say that because you have a lot of entries in the weird log?  That
points to traffic issues that need to be fixed... disabling the weird logs
will just ignore the problem.  What are the top weirds that you are seeing?

    cat /usr/local/zeek/logs/current/weird.log | zeek-cut name | sort | uniq -c | sort -rn

What did you see as the result from this check?

# Checking if many recent connections have a SAD or had history


-- 
Justin
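The two checks discussed in this thread, the top-weirds pipeline and bro-doctor's uneven-distribution check, re-implemented in Python as an added example (not code from the thread, from Zeek or from bro-doctor). The weird.log excerpt is constructed, the worker counts are the ones quoted above, and the 2x-median threshold is this example's own assumption, not bro-doctor's rule.

```python
"""Parse Zeek TSV logs, rank weird names, and flag overloaded workers."""
from collections import Counter
from statistics import median

# Constructed weird.log excerpt in Zeek's TSV layout (fields trimmed to the ones used here).
SAMPLE_WEIRD_LOG = """#separator \\x09
#fields\tts\tuid\tname\tpeer
#types\ttime\tstring\tstring\tstring
1576767000.1\tC1\tbad_TCP_checksum\tworker-1-6
1576767000.2\tC2\tbad_TCP_checksum\tworker-1-6
1576767000.3\tC3\tdata_before_established\tworker-1-2
1576767000.4\tC4\tbad_TCP_checksum\tworker-1-6
1576767000.5\tC5\tactive_connection_reuse\tworker-1-6
#close\t2019-12-19-15-00-00
"""

# Per-worker connection counts as reported by bro-doctor in the thread above.
WORKER_CONNS = {
    "worker-1-1": 432, "worker-1-2": 907, "worker-1-3": 930, "worker-1-4": 890,
    "worker-1-5": 462, "worker-1-6": 4122, "worker-1-7": 874, "worker-1-8": 435,
    "worker-1-9": 451, "worker-1-10": 497,
}


def parse_zeek_log(text):
    """Yield one dict per record, honouring #separator and #fields; other # lines are skipped."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator line is space-delimited and holds an escape such as \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            yield dict(zip(fields, line.split(sep)))


def top_weirds(text, n=10):
    """Equivalent of: zeek-cut name | sort | uniq -c | sort -rn (top n)."""
    return Counter(r["name"] for r in parse_zeek_log(text)).most_common(n)


def weirds_per_worker(text):
    """Count weird records per worker via the 'peer' field, to correlate with connection load."""
    return Counter(r["peer"] for r in parse_zeek_log(text))


def uneven_workers(counts, factor=2.0):
    """Flag workers carrying more than factor x the median connection count (assumed threshold)."""
    med = median(counts.values())
    return sorted(w for w, c in counts.items() if c > factor * med)
```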