[Zeek] First attempt to upgrade to 3: Multiple interfaces

James Lay jlay at slave-tothe-box.net
Tue Mar 3 12:10:38 PST 2020


Appreciate the responses.  These interfaces are an external on the 
internet, and an internal with a localnet (this device is classified as a 
router), so bonding them isn't an option.  The only reason I'm running 
in this manner as opposed to just letting zeekctl handle it all is the 
process count and memory usage.  I guess I'll test out zeekctl and see 
where I sit....might have to fall back to 3.0.  Thank you.

James

On 2020-03-03 12:42, Steve Smoot wrote:
> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com>
> wrote:
> 
>> If you don’t really need the latest and greatest cutting edge
>> changes to 3.1, version 3.0.x still supports multiple interfaces.
>> That feature was removed in 3.1 due to the wide changes to the IO
>> Loop architecture, and you’re honestly the first user I’ve heard
>> from that has noticed it missing. It was removed to make that work
>> easier to accomplish, but we can certainly investigate bringing it
>> back if there’s enough of a use case for it.
> 
> Another option, I think, would be to bond/bridge the interfaces and
> listen on that.  If that would work for you,
> 
> -s
> 
>> Tim
>> 
>>> On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>>> 
>>> Welp...out of luck so far:
>>> 
>>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local
>>> "Site::local_nets += { 192.168.1.0/24 }"
>>> 
>>> gets me:
>>> 
>>> ERROR: Only a single interface option (-i) is allowed.
>>> 
>>> I didn't have this issue with 2.  Any reason why only one interface is
>>> allowed now?  Unless something radical has changed with the resources
>>> that zeekctl uses I have no desire to use it.  I'm dead in the water
>>> with Zeek as of now.  Thank you.
>>> 
>>> James
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> 
> 
> --
> 
> STEPHEN R. SMOOT, PHD
> VP, Customer Success
> Corelight
> 
> 

