[Zeek] Using af_packet in a host with two nics

Michał Purzyński michalpurzynski1 at gmail.com
Tue Jan 29 18:48:10 PST 2019


The IP layer has nothing to do with it. Capture takes place way lower.

Are you running as root or a user?

Is there something else capturing packets?

Have you tried with one card?

> On Jan 29, 2019, at 12:36 PM, Patrick P Murphy <pmurphy+bro at nrao.edu> wrote:
> 
> On Tue, 29 Jan 2019 19:09:41 +0000, Carlos Lopez <clopmz at outlook.com> said:
> 
>> On 29/01/2019, 19:37, "Patrick P Murphy" <pmurphy at nrao.edu> wrote:
> 
> PM>      Carlos Lopez <clopmz at outlook.com> writes:
> 
> CL> Uhmm ... I have changed my config to:
> CL> [prod-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth2
> CL> af_packet_fanout_id=5
> CL> #
> CL> [dmz-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth3
> CL> af_packet_fanout_id=10
> 
> PM>     This may be a totally dumb/naive question, but... why do the
> PM>     interfaces have the same IP address?  
> 
> 
> CL> Because this host has two network interfaces ....
> 
> I have many such boxes (for other purposes).  Each interface has a
> unique IP address, and associated hostnames, e.g.,
> 
> polaris     for XXX.XXX.115.101 on interface em1
> polaris-10g for YYY.YYY.3.13 on interface p5p1
> 
> Even if the two interfaces are on the same VLAN (they are not in my
> example) I would think you want separate IP addresses for them.
> 
> - Pat
> 
> -- 
> Patrick P. Murphy, Ph.D.               https://www.nrao.edu/~pmurphy/
> Info Services Site Manager          NRAO Information Security Officer
> 


