[Zeek] No packets captured by Zeek under OpenBSD

Carlos Lopez clopmz at outlook.com
Sun Mar 8 04:48:58 PDT 2020


This problem only appears when Zeek is configured as a cluster and using a distributed installation or configuring several network interfaces, like for example:

[manager]
type=manager
host=127.0.0.1

[logger]
type=logger
host=127.0.0.1

[proxy]
type=proxy
host=127.0.0.1

[worker-1]
type=worker
host=127.0.0.1
interface=vio2

[worker-2]
type=worker
host=127.0.0.1
interface=vio3

When Zeek is configured in standalone mode everything works correctly.

Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe it is a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched).

--
Regards,
C. L. Martinez

From: <zeek-bounces at zeek.org> on behalf of Carlos Lopez <clopmz at outlook.com>
Date: Saturday, 7 March 2020 at 23:00
To: "zeek at zeek.org" <zeek at zeek.org>
Subject: [Zeek] No packets captured by Zeek under OpenBSD

Hi all,

I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 VMs (one as worker and another as a manager). All seems to work OK but no packet is captured by the Zeek worker. In the logs directory, there are only the following files:

total 100
drwxr-xr-x  2 root  wheel    512 Mar  7 21:50 ./
drwxr-xr-x  7 root  wheel    512 Mar  7 21:50 ../
-rw-r--r--  1 root  wheel    137 Mar  7 21:42 .cmdline
-rw-r--r--  1 root  wheel    350 Mar  7 21:42 .env_vars
-rw-r--r--  1 root  wheel      6 Mar  7 21:42 .pid
-rw-r--r--  1 root  wheel     58 Mar  7 21:42 .startup
-rwx------  1 root  wheel     18 Mar  7 21:42 .status*
-rw-r--r--  1 root  wheel    401 Mar  7 21:43 cluster.log
-rw-r--r--  1 root  wheel  30276 Mar  7 21:43 loaded_scripts.log
-rw-r--r--  1 root  wheel    856 Mar  7 21:53 stats.log
-rw-r--r--  1 root  wheel      0 Mar  7 21:42 stderr.log
-rw-r--r--  1 root  wheel    140 Mar  7 21:43 stdout.log

None of them shows any error. Same for the spool directory … Running tcpdump on the worker node works without problem and I can see all the traffic …

Any idea?

--
Regards,
C. L. Martinez