[Zeek] Duplicate DNS packets

Kurtis Lawson kclawson at gmail.com
Fri May 24 16:27:55 PDT 2019


Justin,

Thanks for taking the time to reply and thanks for the information.  I'll
work on this next week and reply to the list.

Kurtis Lawson

On Fri, May 24, 2019 at 9:00 AM Justin Azoff <justin at corelight.com> wrote:

> On Wed, May 22, 2019 at 7:21 PM Kurtis Lawson <kclawson at gmail.com> wrote:
>
>> Hello fellow Zeekers,
>>
>> I am new to the mailing list and fairly new to Zeek.
>> I am having an issue where DNS traffic is duplicated.  It seems fairly
>> obvious to me that the issue is that the manager is sending a single
>> "session" to all of the workers defined in node.cfg.
>>
>
> Not quite: the manager doesn't send any traffic, the workers read it
> directly, but you are correct in that all of the workers are seeing the
> same traffic.
>
>
>> Other info:
>>
>> - The span feed is clean of duplicates (validated with multiple packet
>> captures)
>>
>> - Other logs are generally not duplicated, and I suspect that this only
>> happens with UDP traffic
>>
>> - I've tried changing the LB type in the broctl.cfg file to 2-tuple,
>> 5-tuple, and round-robin (4-tuple is default) but none of those resolved
>> the issue
>>
>> - I've tried installing the latest dev version of pf_ring to no avail
>>
>> - From previously archived threads, it appears that this is not a new
>> issue, and that it also happens with af_packet ... which is what I was
>> going to try next :(
>>
>>
> Your problem is that you are not actually using pf_ring to load balance,
> you're just running 10 workers all seeing 100% of the traffic.  This isn't
> really an issue; it's just a common misconfiguration.
>
> The easiest way to fix this is to install
> https://packages.bro.org/packages/view/1bafeed3-c141-11e8-88be-0a645a3f3086
> and not try to use the PF_RING libpcap, which is where your problem is (it
> may be installed but you're not actually using it).
>
> Using af_packet
> https://packages.bro.org/packages/view/74610004-4fb7-11e8-88be-0a645a3f3086
> is probably easier anyway, and that does not have this problem.
>
> --
> Justin
>
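A quick way to confirm the misconfiguration Justin describes (every worker seeing 100% of the traffic) from the logs alone: if each DNS transaction in dns.log appears exactly as many times as there are workers, the cluster is not load balancing. This is an added example, not code from the thread or from Zeek; the worker count, the sample log lines and the function names are assumptions constructed for illustration.

```python
"""Detect 'all workers see all traffic' from a Zeek dns.log (hypothetical helper)."""
from collections import Counter

# Constructed sample in Zeek's TSV log format, header trimmed to the fields used.
# Three workers, no load balancing: each transaction is logged three times
# with a different uid but identical 5-tuple, transaction id and query.
SAMPLE_DNS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery
1558747200.100\tCa1\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\t4711\texample.com
1558747200.100\tCb2\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\t4711\texample.com
1558747200.100\tCc3\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\t4711\texample.com
1558747201.250\tCd4\t10.0.0.7\t42001\t10.0.0.53\t53\tudp\t2\tzeek.org
1558747201.250\tCe5\t10.0.0.7\t42001\t10.0.0.53\t53\tudp\t2\tzeek.org
1558747201.250\tCf6\t10.0.0.7\t42001\t10.0.0.53\t53\tudp\t2\tzeek.org
"""

# Fields that identify one DNS transaction on the wire (uid is per worker, so excluded).
KEY_FIELDS = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "trans_id", "query")


def parse_dns_log(text):
    """Parse Zeek TSV log text into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def transaction_multiplicity(records):
    """Map each transaction key to the number of log lines carrying it."""
    return Counter(tuple(r[f] for f in KEY_FIELDS) for r in records)


def diagnose(text, worker_count):
    """Report whether the dominant duplication factor equals the worker count.

    A few duplicates are normal (client retransmissions); the signature of the
    misconfiguration is that nearly every transaction repeats worker_count times.
    """
    counts = transaction_multiplicity(parse_dns_log(text))
    if not counts:
        return {"transactions": 0, "dominant_multiplicity": 0, "all_workers_see_all_traffic": False}
    dominant = Counter(counts.values()).most_common(1)[0][0]
    return {
        "transactions": len(counts),
        "dominant_multiplicity": dominant,
        "all_workers_see_all_traffic": worker_count > 1 and dominant == worker_count,
    }
```

Run it against a real dns.log (`zcat dns.*.log.gz`) with the number of workers from node.cfg; a dominant multiplicity of 1 after switching to the af_packet or PF_RING plugin confirms the fix.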