[Zeek] Duplicate DNS packets

Kurtis Lawson kclawson at gmail.com
Thu Jun 20 09:57:26 PDT 2019


Just a follow up.

The AF_Ring plugin was a quick and easy solution for my duplication
problem.  No more duplicates and performance is good, even at sensors with
multi-gigabit traffic.  Thanks for your help Justin!

KCL

On Fri, May 24, 2019 at 9:00 AM Justin Azoff <justin at corelight.com> wrote:

> On Wed, May 22, 2019 at 7:21 PM Kurtis Lawson <kclawson at gmail.com> wrote:
>
>> Hello fellow Zeekers,
>>
>> I am new to the mailing list and fairly new to Zeek.
>> I am having an issue where DNS traffic is duplicated.  It seems fairly
>> obvious to me that the issue is that the manager is sending a single
>> "session" to all of the workers defined in node.cfg.
>>
>
> Not quite, the manager doesn't send any traffic, the workers read it
> directly, but you are correct in that all of the workers are seeing the
> same traffic.
>
>
>> Other info:
>>
>> - The span feed is clean of duplicates (validated with multiple packet
>> captures)
>>
>> - Other logs are generally not duplicated, and I suspect that this only
>> happens with UDP traffic
>>
>> - I've tried changing the LB type in the broctl.cfg file to 2-tuple,
>> 5-tuple, and round-robin (4-tuple is default) but none of those resolved
>> the issue
>>
>> - I've tried installing the latest dev version of pf_ring to no avail
>>
>> - From previously archived threads, it appears that this is not a new
>> issue, and that it also happens with af_packet ... which is what I was
>> going to try next :(
>>
>>
> Your problem is that you are not actually using pf_ring to load balance,
> you're just running 10 workers all seeing 100% of the traffic.  This isn't
> really an issue, it's just a common misconfiguration.
>
> The easiest way to fix this is to install
> https://packages.bro.org/packages/view/1bafeed3-c141-11e8-88be-0a645a3f3086
> and not try to use the PF_RING libpcap, which is where your problem is (it
> may be installed but you're not actually using it).
>
> Using af_packet
> https://packages.bro.org/packages/view/74610004-4fb7-11e8-88be-0a645a3f3086
> is probably easier anyway, and that does not have this problem.
>
> --
> Justin
>
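The symptom Justin describes has a recognisable signature in dns.log: when several workers each read the full feed, every query is logged once per worker with the same 5-tuple, the same DNS trans_id and a near-identical timestamp, but a different connection uid, because each worker keeps its own connection state. A genuine client retry, by contrast, reuses the same connection and therefore the same uid. The script below is an added example (not code from the thread or from the Zeek project) that checks a dns.log excerpt for this pattern and estimates how many workers are seeing the same traffic; the log lines, field subset and the 0.5 s window are constructed assumptions.

```python
"""Flag DNS records that were logged once per Zeek worker.

Assumed input: tab-separated dns.log rows restricted to the fields listed in
FIELDS (real dns.log files carry more columns; adjust FIELDS to match the
#fields header of your file).
"""
from collections import Counter, defaultdict

# Constructed sample, not real data: three workers see the same two queries,
# plus one query that was seen exactly once.
SAMPLE_DNS_LOG = """\
1558562401.101\tCAbc1\t10.0.0.5\t51234\t10.0.0.1\t53\t4711\texample.com
1558562401.102\tCDef2\t10.0.0.5\t51234\t10.0.0.1\t53\t4711\texample.com
1558562401.102\tCGhi3\t10.0.0.5\t51234\t10.0.0.1\t53\t4711\texample.com
1558562402.500\tCJkl4\t10.0.0.7\t40001\t10.0.0.1\t53\t9001\tmail.example.net
1558562402.501\tCMno5\t10.0.0.7\t40001\t10.0.0.1\t53\t9001\tmail.example.net
1558562402.501\tCPqr6\t10.0.0.7\t40001\t10.0.0.1\t53\t9001\tmail.example.net
1558562409.000\tCStu7\t10.0.0.9\t33333\t10.0.0.1\t53\t1234\tlonely.example.org
"""

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "trans_id", "query")


def parse_dns_log(text):
    """Parse TSV rows into dicts, skipping '#' header lines and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def _group_key(rec):
    # 5-tuple plus DNS transaction id and query name identifies one wire query.
    return (rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"],
            rec["trans_id"], rec["query"])


def find_duplicates(records, window=0.5):
    """Return {query_key: sorted uids} for queries logged under more than one
    uid within `window` seconds. Different uids for the same wire query mean
    different workers each tracked it as a separate connection."""
    groups = defaultdict(list)
    for rec in records:
        groups[_group_key(rec)].append(rec)
    duplicates = {}
    for key, recs in groups.items():
        uids = {r["uid"] for r in recs}
        timestamps = [r["ts"] for r in recs]
        if len(uids) > 1 and max(timestamps) - min(timestamps) <= window:
            duplicates[key] = sorted(uids)
    return duplicates


def estimate_worker_copies(records, window=0.5):
    """Most common number of uids per duplicated query. If every query shows
    up N times, N workers are most likely reading the whole feed. Returns 1
    when nothing is duplicated."""
    counts = Counter(len(uids) for uids in find_duplicates(records, window).values())
    return counts.most_common(1)[0][0] if counts else 1


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    dupes = find_duplicates(recs)
    print(f"{len(recs)} records, {len(dupes)} queries logged under multiple uids")
    for key, uids in dupes.items():
        print(f"  {key[0]}:{key[1]} -> {key[2]}:{key[3]} id={key[4]} {key[5]}: {uids}")
    print(f"estimated workers seeing the same traffic: {estimate_worker_copies(recs)}")
```

Run it against a real excerpt with `zeek-cut ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_id query < dns.log` as input; if the estimated copy count equals your worker count, the workers are not being load balanced, which is exactly the misconfiguration Justin points at. After switching to the af_packet plugin the duplicate dict should come back empty.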