[Zeek] Duplicate DNS packets
Kurtis Lawson
kclawson at gmail.com
Wed May 22 16:12:39 PDT 2019
Hello fellow Zeekers,
I am new to the mailing list and fairly new to Zeek.
I am having an issue where DNS traffic is duplicated. It seems fairly
obvious to me that the issue is that the manager is sending a single
"session" to all of the workers defined in node.cfg.
Example duplicate logs (sanitized a bit):
user1 at site1bro:~$ awk -F '\t' '{ if($1 == "1558556089.463824") print $0;}' dns.date-time.log
1558556089.463824 Ce6WGH1tX7fUQCJkEb 10.1.1.1 49675 10.5.5.5 53 udp 58613 -
yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-4
1558556089.463824 CxhWh33b65uCcQlUR2 10.1.1.1 49675 10.5.5.5 53 udp 58613 -
yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-8
1558556089.463824 CNBy3ykdFSvXydiW7 10.1.1.1 49675 10.5.5.5 53 udp 58613 -
yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-9
1558556089.463824 CV6w2f3NKeaAwhAvJf 10.1.1.1 49675 10.5.5.5 53 udp 58613 -
yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-7
1558556089.463824 Cc5rcP3N92OGHYUKA2 10.1.1.1 49675 10.5.5.5 53 udp 58613 -
yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-6
My node.cfg file:
[manager]
type=manager
host=10.10.10.10
[proxy-1]
type=proxy
host=10.10.10.10
[SITE1BRO]
type=worker
host=10.10.10.10
interface=eth5
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11
Other info:
- The span feed is clean of duplicates (validated with multiple packet captures)
- Other logs are generally not duplicated, and I suspect that this only happens with UDP traffic
- I've tried changing the LB type in the broctl.cfg file to 2-tuple, 5-tuple, and round-robin (4-tuple is default) but none of those resolved the issue
- I've tried installing the latest dev version of pf_ring to no avail
- From previously archived threads, it appears that this is not a new issue, and that it also happens with af_packet ... which is what I was going to try next :(
Any insights as to how I can fix, or at least filter these duplicates
before they are written to file and/or sent to Kafka would be greatly
appreciated.
KCL
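One way to measure the pattern shown in the post's logs (records that are identical except for the uid and the trailing worker column), as an added example that is not part of the original post or of Zeek itself; the column layout and the name "node" for the last column are assumptions taken from the sample lines:

```python
from collections import defaultdict

# Column layout inferred from the post's sample lines: the standard dns.log
# fields up to Z, then one custom column naming the worker that wrote the record.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "rtt", "query", "qclass", "qclass_name",
          "qtype", "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD",
          "RA", "Z", "node"]
# The only columns that differ between copies of one packet in the post.
IGNORE = {"uid", "node"}

# Constructed sample: two of the post's duplicate records plus one unrelated
# query, written space-separated here and converted to Zeek's tab separator.
SAMPLE = "\n".join(line.replace(" ", "\t") for line in [
    "1558556089.463824 Ce6WGH1tX7fUQCJkEb 10.1.1.1 49675 10.5.5.5 53 udp 58613 - "
    "yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-4",
    "1558556089.463824 CxhWh33b65uCcQlUR2 10.1.1.1 49675 10.5.5.5 53 udp 58613 - "
    "yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-8",
    "1558556090.100000 Cabc123constructed 10.1.1.2 51000 10.5.5.5 53 udp 4242 - "
    "example.invalid 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-2",
])


def parse_dns_log(text):
    """Yield one dict per data line of a tab-separated dns.log, skipping #-headers."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}: {line!r}")
        yield dict(zip(FIELDS, values))


def packet_key(rec):
    """Identity of the underlying packet: every column except uid and node."""
    return tuple(rec[f] for f in FIELDS if f not in IGNORE)


def find_duplicates(records):
    """Return (unique, dups): unique keeps the first copy of each packet in
    input order; dups maps a packet key to the workers that each logged it."""
    first, nodes = {}, defaultdict(list)
    for rec in records:
        key = packet_key(rec)
        first.setdefault(key, rec)
        nodes[key].append(rec["node"])
    dups = {k: v for k, v in nodes.items() if len(v) > 1}
    return list(first.values()), dups


if __name__ == "__main__":
    unique, dups = find_duplicates(parse_dns_log(SAMPLE))
    print(f"{len(unique)} unique records, {len(dups)} duplicated packet(s)")
    for key, workers in dups.items():
        print("ts", key[0], "trans_id", key[6], "query", key[8], "seen on", workers)
```

Run against a real dns.log by feeding the file's contents to parse_dns_log; the per-key worker list shows how many load-balanced processes logged the same packet.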