[Zeek] First attempt to upgrade to 3: Multiple interfaces

Johanna Amann johanna at icir.org
Wed Mar 4 17:18:21 PST 2020 

Hi Don,

just to pull over the questions from Slack here:

could you please detail a little bit how you are currently running Zeek.

Since it sounds like you are handling a lot of traffic - you typically 
should already have to run zeek in cluster mode using zeekctl/broctl. At 
which point this problem does not apply anymore - since in a cluster you 
can have a zeek process (or - typically - several zeek processes) for 
each interface.

If you are currently running a single standalone zeek process on several 
10G interfaces - did you check your packet loss? Because it seems 
unlikely to me that this setup is not loosing a ton of traffic.

Thank you :)
  Johanna

On 4 Mar 2020, at 16:08, Don Thomas wrote:

> Please bring back the multiple interface option.   I have two 
> Gigamon's
> (each has a 10 G interface ) Feeding Zeek on our IDS.
>
> Or else Zeek is a No Go for me as well.
>
> Yes... I need the multiple interface option !
>
> Thank you,
> *Don Thomas, CISSP, CISA*
>
>
>
> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com> 
> wrote:
>
>> If you don’t really need the latest and greatest cutting edge 
>> changes to
>> 3.1, version 3.0.x still supports multiple interfaces. That feature 
>> was
>> removed in 3.1 due to the wide changes to the IO Loop architecture, 
>> and
>> you’re honestly the first user I’ve heard from that has noticed 
>> it missing.
>> It was removed to make that work easier to accomplish, but we can 
>> certainly
>> investigate bringing it back if there’s enough of a use case for 
>> it.
>>
>> Tim
>>
>>> On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net> 
>>> wrote:
>>>
>>> Welp...out of luck so far:
>>>
>>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local
>>> "Site::local_nets += { 192.168.1.0/24 }"
>>>
>>> gets me:
>>>
>>> ERROR: Only a single interface option (-i) is allowed.
>>>
>>> I didn't have this issue with 2.  Any reason why only one interface 
>>> is
>>> allowed now?  Unless something radical has changed with the 
>>> resources
>>> that zeekctl uses I have no desire to use it.  I'm dead in the water
>>> with Zeek as of now.  Thank you.
>>>
>>> James
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

More information about the Zeek mailing list