[Zeek] Using af_packet in a host with two nics

Carlos Lopez clopmz at outlook.com
Wed Jan 30 02:12:01 PST 2019


Hi all,

I don't think I've made myself clear. This host has three network interfaces: an interface for management with an assigned IP address and two interfaces for sniffing ...

Regards,
C. L. Martinez


________________________________________
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: 30 January 2019 03:48
To: Patrick P Murphy
Cc: Carlos Lopez; zeek at zeek.org
Subject: Re: [Zeek] Using af_packet in a host with two nics

The IP layer has nothing to do with it. Capture takes place way lower.

Are you running as root or a user?

Is there something else capturing packets?

Have you tried with one card?

> On Jan 29, 2019, at 12:36 PM, Patrick P Murphy <pmurphy+bro at nrao.edu> wrote:
>
> On Tue, 29 Jan 2019 19:09:41 +0000, Carlos Lopez <clopmz at outlook.com> said:
>
>> On 29/01/2019, 19:37, "Patrick P Murphy" <pmurphy at nrao.edu> wrote:
>
> PM>      Carlos Lopez <clopmz at outlook.com> writes:
>
> CL> Uhmm ... I have changed my config to:
> CL> [prod-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth2
> CL> af_packet_fanout_id=5
> CL> #
> CL> [dmz-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth3
> CL> af_packet_fanout_id=10
>
> PM>     This may be a totally dumb/naive question, but... why do the
> PM>     interfaces have the same IP address?
>
>
> CL> Because this host has two network interfaces ....
>
> I have many such boxes (for other purposes).  Each interface has a
> unique IP address, and associated hostnames, e.g.,
>
> polaris     for XXX.XXX.115.101 on interface em1
> polaris-10g for YYY.YYY.3.13 on interface p5p1
>
> Even if the two interfaces are on the same VLAN (they are not in my
> example) I would think you want separate IP addresses for them.
>
> - Pat
>
> --
> Patrick P. Murphy, Ph.D.               https://www.nrao.edu/~pmurphy/
> Info Services Site Manager          NRAO Information Security Officer
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


