[Zeek] zbalance_ipc and Zeek

Seth Hall seth at corelight.com
Mon Mar 18 10:05:10 PDT 2019



On 14 Mar 2019, at 18:28, COLIN BLAIR wrote:

> Does anyone have a success story using zbalance_ipc and Zeek. We are 
> getting very high packet loss using zbalance_ipc. When we remove 
> zbalance_ipc, Zeek performs well on pf_ring zero copy with RSS. Any 
> advice is appreciated.

I tried it long ago and got it working correctly.  One thing you may 
need to keep in mind is that if a single one of your workers dies or is 
restarted, you need to shut them all down and possibly even restart 
zbalance_ipc and then bring up all of the workers again.  I don't know 
if this is still the behavior of pf_ring anymore but it was at one 
point.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com


More information about the Zeek mailing list