[Zeek] PF_Ring plugin Issue

Michał Purzyński michalpurzynski1 at gmail.com
Wed Mar 18 14:50:24 PDT 2020


Is there any part of pf_ring functionality that you cannot find in the
af_packet capture mechanism?

On Wed, Mar 18, 2020 at 12:56 PM Justin Azoff <justin at corelight.com> wrote:

> If you installed pf_ring and then built zeek, it's possible that you
> ended up compiling zeek against the libpcap from pf_ring, instead of
> the standard libpcap. Try a
>
>     ldd $(which zeek)
>
> and see which libpcap it is using.
>
> In any case, you should try the af_packet plugin.
>
> On Wed, Mar 18, 2020 at 6:06 AM Jorge Garcia Rodriguez <jgarciar at sia.es>
> wrote:
> >
> > Hi guys,
> >
> > Recently we have been trying different ways to balance the traffic
> > between workers. The thing is that we tried installing the pf_ring plugin,
> > and we installed it right. We changed the node.cfg interface to pf_ring::X and
> > it worked, but now that we have uninstalled the plugin we are having an issue:
> > it's like the packets are still going to the pf_ring::X interface, but
> > like the plugin is not installed anymore. If we put the pf_ring::X interface
> > in the node.cfg, Zeek workers don't start. So now the only way that Zeek
> > workers start is with the normal interface name, but Zeek doesn't see any
> > traffic on this interface.
> >
> > So it seems that we did something wrong when we uninstalled the plugin.
> > Can someone help me to solve this issue please?
> >
> > Thank you all.
> >
> > Best Regards!
> >
> > Jorge García Rodríguez
>
>
>
> --
> Justin
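The `ldd` check suggested in the quoted reply can be scripted so the result is unambiguous on each sensor. This is an added example, not code from the thread or from the Zeek project; the function name `classify_libpcap` is hypothetical, and it assumes the distribution's own libpcap lives under /lib, /lib64, /usr/lib or /usr/lib64, so a copy resolved from anywhere else (such as a source install under /usr/local/lib) is the one to investigate.

```shell
#!/bin/sh
# Added example: classify the libpcap a binary resolves at load time.
# Reads `ldd` output on stdin and prints "<verdict> <detail>".
#   system            resolved from /lib, /lib64, /usr/lib or /usr/lib64
#   nonstandard       resolved from anywhere else (e.g. /usr/local/lib)
#   unresolved        the loader could not find the library
#   static-or-missing no libpcap.so line in the ldd output at all
classify_libpcap() {
    awk '
        /libpcap\.so/ {
            found = 1
            path = ""
            # Usual ldd line: "libpcap.so.0.8 => /path/libpcap.so.0.8 (0x...)"
            for (i = 1; i < NF; i++) if ($i == "=>") path = $(i + 1)
            # Some entries are printed as a bare absolute path with no "=>".
            if (path == "" && $1 ~ /^\//) path = $1
            if (path == "" || path == "not") print "unresolved", $1
            else if (path ~ /^\/(usr\/)?lib(64)?\//) print "system", path
            else print "nonstandard", path
            exit
        }
        END { if (!found) print "static-or-missing", "-" }
    '
}

# Constructed sample ldd lines (not from the thread); paths are illustrative.
SAMPLE_SYSTEM='  libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f0000000000)'
SAMPLE_LOCAL='  libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f0000000000)'

printf '%s\n' "$SAMPLE_SYSTEM" | classify_libpcap
printf '%s\n' "$SAMPLE_LOCAL" | classify_libpcap

# On a sensor: ldd "$(command -v zeek)" | classify_libpcap
```

A `nonstandard` or `unresolved` verdict after removing a capture library points to a Zeek binary that needs to be rebuilt against the libpcap that is actually installed.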

