[Zeek] Duplicate DNS packets

Justin Azoff justin at corelight.com
Fri May 24 09:00:16 PDT 2019


On Wed, May 22, 2019 at 7:21 PM Kurtis Lawson <kclawson at gmail.com> wrote:

> Hello fellow Zeekers,
>
> I am new to the mailing list and fairly new to Zeek.
> I am having an issue where DNS traffic is duplicated.  It seems fairly
> obvious to me that the issue is that the manager is sending a single
> "session" to all of the workers defined in node.cfg.
>

Not quite, the manager doesn't send any traffic, the workers read it
directly, but you are correct in that all of the workers are seeing the
same traffic.


> Other info:
>
> - The span feed is clean of duplicates (validated with multiple packet
> captures)
>
> - Other logs are generally not duplicated, and I suspect that this only
> happens with UDP traffic
>
> - I've tried changing the LB type in the broctl.cfg file to 2-tuple,
> 5-tuple, and round-robin (4-tuple is default) but none of those resolved
> the issue
>
> - I've tried installing the latest dev version of pf_ring to no avail
>
> - From previously archived threads, it appears that this is not a new
> issue, and that it also happens with af_packet ... which is what I was
> going to try next :(
>
>
Your problem is that you are not actually using pf_ring to load balance,
you're just running 10 workers all seeing 100% of the traffic.  This isn't
really an issue, it's just a common misconfiguration.

The easiest way to fix this is to install
https://packages.bro.org/packages/view/1bafeed3-c141-11e8-88be-0a645a3f3086
and not try to use the PF_RING libpcap, which is where your problem is (it
may be installed, but you're not actually using it).

Using af_packet
https://packages.bro.org/packages/view/74610004-4fb7-11e8-88be-0a645a3f3086
is probably easier anyway, and that does not have this problem.

-- 
Justin
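As an added illustration (not part of the thread above, and not the Zeek project's own documentation), here is a constructed node.cfg showing the misconfiguration Justin describes next to the corrected form. The "before" section relies on broctl's built-in pf_ring method, which works only when Zeek itself was built against PF_RING's libpcap; with stock libpcap every worker opens the interface directly and sees all of the traffic. The "after" section assumes the zeek-af_packet plugin is installed and uses its interface prefix and settings as I understand them from that plugin's README (interface=af_packet::…, lb_method=custom, the af_packet_* options); the interface name, worker count, CPU list and fanout id are placeholders. The two [worker-1] sections are alternatives, not meant to coexist in one file.

```ini
# BEFORE: 10 workers that all read eth0 themselves (constructed example).
# lb_method=pf_ring only sets PF_RING cluster environment variables for the
# worker processes; if zeek is linked against the stock libpcap those are
# ignored, so every worker captures 100% of the SPAN feed and UDP-heavy logs
# such as dns.log show each query once per worker.
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=10

# AFTER: the zeek-af_packet plugin joins all lb_procs workers to one kernel
# AF_PACKET fanout group, so each flow is delivered to exactly one worker.
# (Option names assumed from the plugin's README; values are placeholders.)
[worker-1]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=10
pin_cpus=0,1,2,3,4,5,6,7,8,9
# Plugin-specific tuning; hash fanout keeps both directions of a flow on the
# same worker, which is what Zeek's stateful analysis needs.
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024
```

After `broctl deploy`, a quick sanity check is `broctl netstats`: with working load balancing each worker's received-packet count should be roughly one tenth of the total, whereas with the misconfiguration every worker reports the same count as the interface as a whole. The same pattern applies if you install the pf_ring plugin package instead: switch the interface to the plugin's prefix (pf_ring::eth0, as I understand its README) and lb_method=custom, rather than expecting a PF_RING-enabled libpcap to be picked up by a Zeek binary that was never linked against it.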