[Zeek] Using af_packet in a host with two nics
Carlos Lopez
clopmz at outlook.com
Wed Jan 30 02:12:01 PST 2019
Hi all,
I don't think I've made myself clear. This host has three network interfaces: an interface for management with an assigned IP address and two interfaces for sniffing...
Regards,
C. L. Martinez
________________________________________
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: 30 January 2019 03:48
To: Patrick P Murphy
Cc: Carlos Lopez; zeek at zeek.org
Subject: Re: [Zeek] Using af_packet in a host with two nics
The IP layer has nothing to do with it. Capture takes place way lower.
Are you running as root or a user?
Is there something else capturing packets?
Have you tried with one card?
> On Jan 29, 2019, at 12:36 PM, Patrick P Murphy <pmurphy+bro at nrao.edu> wrote:
>
> On Tue, 29 Jan 2019 19:09:41 +0000, Carlos Lopez <clopmz at outlook.com> said:
>
>> On 29/01/2019, 19:37, "Patrick P Murphy" <pmurphy at nrao.edu> wrote:
>
> PM> Carlos Lopez <clopmz at outlook.com> writes:
>
> CL> Uhmm ... I have changed my config to:
> CL> [prod-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth2
> CL> af_packet_fanout_id=5
> CL> #
> CL> [dmz-ids]
> CL> type=worker
> CL> host=172.22.58.2
> CL> interface=af_packet::eth3
> CL> af_packet_fanout_id=10
>
> PM> This may be a totally dumb/naive question, but... why do the
> PM> interfaces have the same IP address?
>
>
> CL> Because this host has two network interfaces ....
>
> I have many such boxes (for other purposes). Each interface has a
> unique IP address, and associated hostnames, e.g.,
>
> polaris for XXX.XXX.115.101 on interface em1
> polaris-10g for YYY.YYY.3.13 on interface p5p1
>
> Even if the two interfaces are on the same VLAN (they are not in my
> example) I would think you want separate IP addresses for them.
>
> - Pat
>
> --
> Patrick P. Murphy, Ph.D. https://www.nrao.edu/~pmurphy/
> Info Services Site Manager NRAO Information Security Officer
>