[Zeek] Using af_packet in a host with two nics

Patrick P Murphy pmurphy+bro at nrao.edu
Tue Jan 29 12:36:27 PST 2019


On Tue, 29 Jan 2019 19:09:41 +0000, Carlos Lopez <clopmz at outlook.com> said:

> On 29/01/2019, 19:37, "Patrick P Murphy" <pmurphy at nrao.edu> wrote:

PM>      Carlos Lopez <clopmz at outlook.com> writes:
    
CL> Uhmm ... I have changed my config to:
CL> [prod-ids]
CL> type=worker
CL> host=172.22.58.2
CL> interface=af_packet::eth2
CL> af_packet_fanout_id=5
CL> #
CL> [dmz-ids]
CL> type=worker
CL> host=172.22.58.2
CL> interface=af_packet::eth3
CL> af_packet_fanout_id=10
    
PM>     This may be a totally dumb/naive question, but... why do the
PM>     interfaces have the same IP address?  
    

CL> Because this host has two network interfaces ....

I have many such boxes (for other purposes).  Each interface has a
unique IP address, and associated hostnames, e.g.,

 polaris     for XXX.XXX.115.101 on interface em1
 polaris-10g for YYY.YYY.3.13 on interface p5p1

Even if the two interfaces are on the same VLAN (they are not in my
example) I would think you want separate IP addresses for them.

 - Pat

-- 
Patrick P. Murphy, Ph.D.               https://www.nrao.edu/~pmurphy/
Info Services Site Manager          NRAO Information Security Officer
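
Added example, not part of the original message and not ZeekControl's own code: a small Python check over a node.cfg like the one quoted above, reporting af_packet workers on the same host that sniff different NICs but reuse one af_packet_fanout_id. It assumes that each sniffed interface needs its own fanout id (a Linux packet fanout group is bound to a single device); the function name and the embedded sample text are constructed for this example.

```python
import configparser
from collections import defaultdict

# Constructed sample input: the two-worker layout quoted in the thread.
NODE_CFG = """\
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
af_packet_fanout_id=5
#
[dmz-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth3
af_packet_fanout_id=10
"""

PREFIX = "af_packet::"


def check_af_packet_workers(cfg_text):
    """Return a list of fanout-id clashes among af_packet workers (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    by_host = defaultdict(list)  # host -> [(node name, NIC, fanout id)]
    for node in cp.sections():
        sec = cp[node]
        iface = sec.get("interface", "")
        if sec.get("type") != "worker" or not iface.startswith(PREFIX):
            continue
        # Workers that leave the id unset all fall back to the same default.
        fanout = sec.get("af_packet_fanout_id", "(default)")
        by_host[sec.get("host")].append((node, iface[len(PREFIX):], fanout))
    problems = []
    for host, workers in by_host.items():
        for i, (n1, nic1, f1) in enumerate(workers):
            for n2, nic2, f2 in workers[i + 1:]:
                # Assumption: one fanout group cannot span two devices.
                if nic1 != nic2 and f1 == f2:
                    problems.append(
                        f"{host}: {n1} ({nic1}) and {n2} ({nic2}) share fanout id {f1}")
    return problems


if __name__ == "__main__":
    for line in check_af_packet_workers(NODE_CFG) or ["no fanout id clashes"]:
        print(line)
```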


