[Zeek] Using af_packet in a host with two nics

Michał Purzyński michalpurzynski1 at gmail.com
Tue Jan 29 02:18:54 PST 2019


That looks like a cluster ID collision, fairly typical for a multi-NIC setup.

Cluster ID is the common identifier of all sockets that the stream is load balanced across.

If two processes read packets from the same NIC and traffic is load balanced between them, they share the cluster ID.

Simplification, but a proper explanation needs a diagram.

Basically traffic is sent to each cluster and shared between all processes in the cluster.

Two NICs - two cluster IDs.

Do you happen to have another NSM running as well, like Suricata, on the same host? Its ID would have to be different.

Also - does your bro have CAP_NET_RAW?

> On Jan 28, 2019, at 11:33 PM, Carlos Lopez <clopmz at outlook.com> wrote:
> 
> Thanks Michal. Error is "Invalid argument" ... But what is "af_packet_fanout_id"? is it a random value?
> 
> 
> 
> Regards,
> C. L. Martinez
> 
> 
> ________________________________________
> From: Michał Purzyński <michalpurzynski1 at gmail.com>
> Sent: 28 January 2019 21:48
> To: Carlos Lopez
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Using af_packet in a host with two nics
> 
> It is, unfortunately, impossible to tell, without you telling us how
> it failed and what the error messages were. I will take a wild guess -
> you need to specify a different cluster ID for each card.
> 
> The original code here
> 
> https://github.com/J-Gras/bro-af_packet-plugin
> 
> And it tells how to do that with
> 
> af_packet_fanout_id=23
> 
> 
>> On Mon, Jan 28, 2019 at 11:26 AM Carlos Lopez <clopmz at outlook.com> wrote:
>> 
>> Hi all,
>> 
>> Is it not possible to start a Zeek worker with two network interfaces using AF_Packet for data acquisition? I have tried using the following config:
>> 
>> [prod-ids]
>> type=worker
>> host=172.22.58.2
>> interface=af_packet::eth2
>> #
>> [dmz-ids]
>> type=worker
>> host=172.22.58.2
>> interface=af_packet::eth3
>> 
>> ... But it fails. And I have tried using "interface='af_packet::eth2 -i af_packet::eth3'" and it doesn't work either ... So, is it not possible to use af_packet to sniff two NICs?
>> 
>> I am using Zeek 2.6.1 with af_packet plugin installed.
>> 
>> Regards,
>> C. L. Martinez
>> 
>> 
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
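The collision described in the thread can be caught before zeekctl deploys anything. The following checker is an added example, not code from the thread or from the bro-af_packet-plugin project: it parses a node.cfg in zeekctl's INI layout, groups AF_Packet workers by host, and flags any fanout (cluster) ID that would be shared by more than one NIC on the same host, then proposes one ID per NIC. It assumes that a worker omitting `af_packet_fanout_id` gets the value 23 cited in the plugin README (assumption), and that the key is spelled exactly as quoted in the thread. The sample node.cfg is constructed to match the two-worker layout from the original question.

```python
"""Check a zeekctl node.cfg for AF_Packet fanout (cluster) ID collisions.

Added example, not part of the Zeek project or the af_packet plugin.
"""
import configparser
from collections import defaultdict

# Value assumed to apply when a worker omits af_packet_fanout_id; 23 is the
# number the plugin README uses in its example (assumption).
DEFAULT_FANOUT_ID = 23

# Constructed node.cfg reproducing the thread's two-worker, two-NIC layout:
# both workers sit on one host, sniff different NICs, and set no fanout ID.
SAMPLE_NODE_CFG = """\
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
#
[dmz-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth3
"""


def parse_node_cfg(text):
    """Return the AF_Packet workers in a node.cfg as a list of dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    workers = []
    for name in cp.sections():
        sec = cp[name]
        iface = sec.get("interface", "")
        if sec.get("type") != "worker" or not iface.startswith("af_packet::"):
            continue  # only AF_Packet workers take part in fanout groups
        workers.append({
            "name": name,
            "host": sec.get("host"),
            "interface": iface.split("::", 1)[1],
            "fanout_id": int(sec.get("af_packet_fanout_id", DEFAULT_FANOUT_ID)),
        })
    return workers


def find_fanout_collisions(workers):
    """List (host, fanout_id, [interfaces]) where one ID spans several NICs.

    Fanout IDs are scoped per host by the kernel, so the same ID on two hosts
    is fine; the same ID on two NICs of one host is the error from the thread.
    """
    nics_by_key = defaultdict(set)
    for w in workers:
        nics_by_key[(w["host"], w["fanout_id"])].add(w["interface"])
    return sorted((host, fid, sorted(nics))
                  for (host, fid), nics in nics_by_key.items() if len(nics) > 1)


def suggest_fanout_ids(workers, start=DEFAULT_FANOUT_ID):
    """Map worker name -> fanout ID so every NIC on a host gets its own ID.

    Workers on the same host and the same NIC keep one shared ID; that is the
    load-balancing case the thread describes, not a collision.
    """
    next_id = defaultdict(lambda: start)   # per host
    id_for_nic = {}                         # (host, nic) -> id
    suggestion = {}
    for w in workers:
        key = (w["host"], w["interface"])
        if key not in id_for_nic:
            id_for_nic[key] = next_id[w["host"]]
            next_id[w["host"]] += 1
        suggestion[w["name"]] = id_for_nic[key]
    return suggestion


def with_fanout_ids(workers, ids):
    """Return a copy of the worker list with the suggested IDs applied."""
    return [dict(w, fanout_id=ids.get(w["name"], w["fanout_id"])) for w in workers]


if __name__ == "__main__":
    ws = parse_node_cfg(SAMPLE_NODE_CFG)
    for host, fid, nics in find_fanout_collisions(ws):
        print(f"host {host}: fanout id {fid} shared by {', '.join(nics)}")
    for name, fid in suggest_fanout_ids(ws).items():
        print(f"[{name}] add: af_packet_fanout_id={fid}")
```

Run it against a real node.cfg by replacing `SAMPLE_NODE_CFG` with the file contents; the printed `af_packet_fanout_id=` lines are the keys to add to each worker stanza before running `zeekctl deploy`.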