[Zeek] No packets captured by Zeek under OpenBSD
Carlos Lopez
clopmz at outlook.com
Sun Mar 8 04:48:58 PDT 2020
This problem only appears when Zeek is configured as a cluster and using a distributed installation or configuring several network interfaces, for example:
[manager]
type=manager
host=127.0.0.1
[logger]
type=logger
host=127.0.0.1
[proxy]
type=proxy
host=127.0.0.1
[worker-1]
type=worker
host=127.0.0.1
interface=vio2
[worker-2]
type=worker
host=127.0.0.1
interface=vio3
When Zeek is configured in standalone mode everything works correctly.
Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe it is a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched).
--
Regards,
C. L. Martinez
From: <zeek-bounces at zeek.org> on behalf of Carlos Lopez <clopmz at outlook.com>
Date: Saturday, 7 March 2020 at 23:00
To: "zeek at zeek.org" <zeek at zeek.org>
Subject: [Zeek] No packets captured by Zeek under OpenBSD
Hi all,
I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 VMs (one as worker and another as a manager). All seems to work OK but no packet is captured by the Zeek worker. In the logs directory, there are only the following files:
total 100
drwxr-xr-x 2 root wheel 512 Mar 7 21:50 ./
drwxr-xr-x 7 root wheel 512 Mar 7 21:50 ../
-rw-r--r-- 1 root wheel 137 Mar 7 21:42 .cmdline
-rw-r--r-- 1 root wheel 350 Mar 7 21:42 .env_vars
-rw-r--r-- 1 root wheel 6 Mar 7 21:42 .pid
-rw-r--r-- 1 root wheel 58 Mar 7 21:42 .startup
-rwx------ 1 root wheel 18 Mar 7 21:42 .status*
-rw-r--r-- 1 root wheel 401 Mar 7 21:43 cluster.log
-rw-r--r-- 1 root wheel 30276 Mar 7 21:43 loaded_scripts.log
-rw-r--r-- 1 root wheel 856 Mar 7 21:53 stats.log
-rw-r--r-- 1 root wheel 0 Mar 7 21:42 stderr.log
-rw-r--r-- 1 root wheel 140 Mar 7 21:43 stdout.log
None of them shows any error. Same for the spool directory … Running tcpdump on the worker node works without problem and I can see all the traffic …
Any idea?
--
Regards,
C. L. Martinez