[Zeek] First attempt to upgrade to 3: Multiple interfaces

Michał Purzyński michalpurzynski1 at gmail.com
Tue Mar 3 18:37:49 PST 2020 

From what you’re describing, you’re running Zeek on a resource constraints device.

You might want to actually use the newest version - not sure where Justin fixes for the packet processing loop went in, but they should help a lot.

There are also some scripts to avoid, like the scan.zeek one and basically anything using SumStats. These can eat a lot of memory.

BTW kill all unnecessary processes. I can take a look if you send a process tree.

Good luck!

> On Mar 3, 2020, at 5:59 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> 
> All,
> 
> I'm please to report that using zeekctl method of running is so far working well...resource usage is so far manageable. Thanks for the assistance.
> 
> James
> 
>> On Tue, 2020-03-03 at 13:10 -0700, James Lay wrote:
>> Appreciate the responses.  These interfaces are an external on the 
>> internet, and an internal with a localnet (this devices is classified as 
>> router), so bonding them isn't an option.  The only reason I'm running 
>> in this manner as apposed to just letting zeekctl handle it all is the 
>> process count and memory usage.  I guess I'll test out zeekctl and see 
>> where I sit....might have to fallback to 3.0.  Thank you.
>> 
>> James
>> 
>>> On 2020-03-03 12:42, Steve Smoot wrote:
>> 
>> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com>
>> wrote:
>> 
>> 
>> If you don’t really need the latest and greatest cutting edge
>> changes to 3.1, version 3.0.x still supports multiple interfaces.
>> That feature was removed in 3.1 due to the wide changes to the IO
>> Loop architecture, and you’re honestly the first user I’ve heard
>> from that has noticed it missing. It was removed to make that work
>> easier to accomplish, but we can certainly investigate bringing it
>> back if there’s enough of a use case for it.
>> 
>> Another option, I think would be to bond/bridge the interfaces and
>> listen on that.  If that would work for you,
>> 
>> -s
>> 
>> 
>> Tim
>> 
>> 
>> On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>> 
>> 
>> Welp...out of luck so far:
>> 
>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local
>> "Site::local_nets += { 192.168.1.0/24 [1] }"
>> 
>> gets me:
>> 
>> ERROR: Only a single interface option (-i) is allowed.
>> 
>> I didn't have this issue with 2.  Any reason why only one
>> interface is
>> 
>> allowed now?  Unless something radical has changed with the
>> resources
>> 
>> that zeekctl uses I have no desire to use it.  I'm dead in the
>> water
>> 
>> with Zeek as of now.  Thank you.
>> 
>> James
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> 
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> 
>> --
>> 
>> STEPHEN R. SMOOT, PHD
>> VP, Customer Success
>> Corelight
>> 
>> 
>> Links:
>> ------
>> [1] http://192.168.1.0/24
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/aad611a2/attachment-0001.html

More information about the Zeek mailing list