[Zeek] zeek erros with zbalance_ipc
Tim Wojtulewicz
tim at corelight.com
Fri Feb 21 15:28:26 PST 2020
Yah, that would definitely explain it. Libpcap is probably setting the file descriptor to something weird after trying to open ’zc:10’ and that’s causing Zeek to throw an error. I’ll see if we can make that a little more friendly.
I recently fixed the af_packet plugin to build correctly with Zeek 3.1 and the process is pretty simple. If you want to look at those changes as a roadmap, go for it. We should have a blog post coming out pretty soon on zeek.org <http://zeek.org/> about it. Otherwise I’ll add it to my list for next week.
Tim
> On Feb 21, 2020, at 4:20 PM, Justin Azoff <justin at corelight.com> wrote:
>
> On Fri, Feb 21, 2020 at 4:36 PM Tim Thompson <tim at tsqrd.net <mailto:tim at tsqrd.net>> wrote:
> Example:
> zbalance_ipc -i zc:eth1 -n 1 -m 1 -c 10 -g 1 -a (creates zc:10 at 0)
>
> [root at server opt]# zeek -i zc:10 at 0
> listening on zc:10 at 0
>
> ah, you're using pf_ring through the libpcap wrapper and their wrapper is doing something weird. This problem should go away using https://github.com/ntop/bro-pf_ring <https://github.com/ntop/bro-pf_ring> (and likely better performance too since you won't need the wrapper)
>
> That package may need a few updates to the cmake bits to compile properly against zeek.. as well as the configure changes that make it possible to build plugins without the zeek source code.
>
> --
> Justin
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200221/6c8196f8/attachment-0001.html
More information about the Zeek
mailing list