[Zeek] Using af_packet in a host with two nics

Michał Purzyński michalpurzynski1 at gmail.com
Mon Jan 28 12:48:38 PST 2019


It is, unfortunately, impossible to tell, without you telling us how
it failed and what the error messages were. I will take a wild guess -
you need to specify a different cluster ID for each card.

The original code is here:

https://github.com/J-Gras/bro-af_packet-plugin

and it tells how to do that with

af_packet_fanout_id=23


On Mon, Jan 28, 2019 at 11:26 AM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi all,
>
> Is it not possible to start a Zeek worker with two network interfaces using AF_Packet for data acquisition? I have tried using the following config:
>
> [prod-ids]
> type=worker
> host=172.22.58.2
> interface=af_packet::eth2
> #
> [dmz-ids]
> type=worker
> host=172.22.58.2
> interface=af_packet::eth3
>
> ... But it fails. And I have tried using " interface=' af_packet::eth2 -i af_packet::eth3'" and it doesn't work either ... So, is it not possible to use af_packet to sniff two NICs?
>
> I am using Zeek 2.6.1 with af_packet plugin installed.
>
> Regards,
> C. L. Martinez
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
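
The reply's suggestion turned into a node.cfg check, as an added example that is not part of the original thread or the plugin's own code: it flags af_packet workers on the same host that read different interfaces while sharing a fanout ID. The function name, the FIXED variant and the ID values 23 and 24 are constructed for illustration, and the check assumes that workers without af_packet_fanout_id all fall back to the same plugin default.

```python
import configparser
from collections import defaultdict

# node.cfg as posted in the thread: two af_packet workers on one host, no fanout IDs.
POSTED = """
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
[dmz-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth3
"""
# Constructed variant following the reply; the values 23 and 24 are arbitrary examples.
FIXED = POSTED.replace("eth2\n", "eth2\naf_packet_fanout_id=23\n").replace(
    "eth3\n", "eth3\naf_packet_fanout_id=24\n")
UNSET = "<plugin default>"  # assumption: key absent means one shared default ID


def fanout_collisions(cfg_text):
    """List (host, fanout_id, [(node, iface), ...]) where af_packet workers on one
    host read different interfaces but share a fanout ID."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    groups = defaultdict(list)
    for node in cp.sections():
        sec = cp[node]
        iface = sec.get("interface", "").strip()
        if sec.get("type", "").strip() != "worker" or not iface.startswith("af_packet::"):
            continue  # only af_packet workers take part in fanout groups
        fid = sec.get("af_packet_fanout_id", UNSET).strip()
        groups[(sec.get("host", "").strip(), fid)].append((node, iface.split("::", 1)[1]))
    return [(host, fid, members)
            for (host, fid), members in sorted(groups.items())
            if len({iface for _, iface in members}) > 1]


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        hits = fanout_collisions(cfg)
        print(name, "OK" if not hits else hits)
```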


