[Zeek] PF_Ring plugin Issue

Justin Azoff justin at corelight.com
Wed Mar 18 12:52:16 PDT 2020


If you installed pf_ring and then built zeek, it's possible that you
ended up compiling zeek against the libpcap from pf_ring, instead of
the standard libpcap. Try a

    ldd $(which zeek)

and see which libpcap it is using.

In any case, you should try the af_packet plugin.

On Wed, Mar 18, 2020 at 6:06 AM Jorge Garcia Rodriguez <jgarciar at sia.es> wrote:
>
> Hi guys,
>
>
>
> Recently we have been trying different ways to balance the traffic between workers. The thing is that we tried installing the pf_ring plugin, and we installed it right. We changed the node.cfg interface to pf_ring::X and it worked, but now that we uninstalled the plugin we are having an issue: it's like the packets are still going to the pf_ring::X interface, but the plugin is not installed anymore; if we put the pf_ring::X interface in the node.cfg, Zeek workers don't start. So, now the only way that Zeek workers start is with the normal interface name, but Zeek doesn't see any traffic on this interface.
>
>
>
> So it seems that we did something wrong when we uninstalled the plugin. Can someone help me to solve this issue please?
>
>
>
> Thank you all.
>
>
>
> Best Regards!
>
>
>
> Jorge García Rodríguez
> Technical Consultant
> Security Infrastructures
> jgarciar at sia.es
>
> Grupo SIA
> Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
> 28922 Alcorcón - Madrid
> Tlf: +34 902 480 580   Fax: +34 91 307 79 80
> www.siainternational.com
>
> delivering value
>



-- 
Justin
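
The `ldd` check suggested in the reply above, as an added example that is not part of either message: a small classifier that reads `ldd` output and reports whether libpcap resolves from a distribution library directory or from somewhere else. The directory list, the function names and the sample `ldd` lines are assumptions constructed for illustration; a PF_RING-built libpcap is assumed to live outside the distribution directories (for example under /usr/local/lib).

```shell
#!/bin/sh
# Added example: classify the libpcap a binary is linked against, from ldd output.
# Assumption: the distribution's libpcap lives under /lib, /lib64, /usr/lib or /usr/lib64.

# classify_libpcap: reads `ldd` output on stdin and prints one verdict line.
classify_libpcap() {
    # ldd lines look like: "libpcap.so.1 => /path/libpcap.so.1 (0x...)"
    line=$(grep -E '^[[:space:]]*libpcap\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "none"            # no dynamic libpcap dependency listed
        return 0
    fi
    case "$line" in
        *"not found"*) echo "missing"; return 0 ;;   # library was removed
    esac
    path=$(printf '%s\n' "$line" | sed -n 's/.*=> *\([^ ]*\).*/\1/p')
    case "$path" in
        "") echo "unknown" ;;
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo "system $path" ;;
        *) echo "non-system $path" ;;   # e.g. a libpcap built from the PF_RING tree
    esac
}

# check_zeek: hypothetical wrapper that runs the check on the installed binary.
check_zeek() {
    bin=$(command -v zeek) || { echo "zeek not in PATH" >&2; return 1; }
    ldd "$bin" | classify_libpcap
}

# Constructed sample ldd output (not taken from a real host).
SAMPLE_NONSYSTEM='	linux-vdso.so.1 (0x00007ffd00000000)
	libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0001000000)'
SAMPLE_SYSTEM='	libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0001000000)'
SAMPLE_MISSING='	libpcap.so.1 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0001000000)'

printf '%s\n' "$SAMPLE_NONSYSTEM" | classify_libpcap
printf '%s\n' "$SAMPLE_SYSTEM" | classify_libpcap
printf '%s\n' "$SAMPLE_MISSING" | classify_libpcap
```

On a sensor, `check_zeek` runs the same classification against the binary found in PATH; a "non-system" or "missing" verdict is the situation in which the reply's suspicion about the build applies.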


