[Zeek] Using af_packet in a host with two nics

Carlos Lopez clopmz at outlook.com
Mon Jan 28 11:16:54 PST 2019


Hi all,

Is it not possible to start a Zeek worker with two network interfaces using AF_Packet for data acquisition? I have tried using the following config:

[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
#
[dmz-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth3

... But it fails. And I have tried using " interface=' af_packet::eth2 -i af_packet::eth3'" and it doesn't work either ... So, is it not possible to use af_packet to sniff two NICs?

I am using Zeek 2.6.1 with af_packet plugin installed.

Regards,
C. L. Martinez 



