[Zeek] Zeek Vs. FreeBSD
Anthony Arnaud
antho.arnaudisce at gmail.com
Fri May 8 08:33:42 PDT 2020
Hi Michael,
I'm using FreeBSD 12.1 and Zeek 3.0.5 (ver. 3.0.6 available in ports has
compilation problems), with 2 NICs without ip, em0 and vtnet1 (em0 is Intel
e1000) but the problem is that zeek plugin is not updated. (API mismatch)
#ifconfig
vtnet1: flags = 8802 <BROADCAST, SIMPLEX, MULTICAST> metric 0 mtu 1500
options = c00b8 <VLAN_MTU, VLAN_HWTAGGING, JUMBO_MTU, VLAN_HWCSUM,
VLAN_HWTSO, link-state routing protocol>
ether something
media: Ethernet 10Gbase-T <full-duplex>
status: active
nd6 options = 29 <PERFORMNUD, IFDISABLED, AUTO_LINKLOCAL>
em0: flags = 8802 <BROADCAST, SIMPLEX, MULTICAST> metric 0 mtu 1500
options = 812,098 <VLAN_MTU, VLAN_HWTAGGING, VLAN_HWCSUM,
WOL_MAGIC, VLAN_HWFILTER>
ether something
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options = 29 <PERFORMNUD, IFDISABLED, AUTO_LINKLOCAL>
# on zeekctl start
starting workers ...
Error: worker-1-1 terminated immediately after starting; check output with
"diag"
Error: worker-1-2 terminated immediately after starting; check output with
"diag"
#in dmesg
173.973686 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested
11)
173.973712 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested
11)
*#from zeekctl diag*
Zeek 3.0.5
FreeBSD 12.1-RELEASE
Zeek plugins:
Bro :: Netmap - Packet acquisition via Netmap (dynamic, version 1.0.0)
==== stderr.log
292.768100 nm_open [920] NIOCREGIF failed: Invalid argument vtnet1} 1
fatal error: problem with interface netmap :: vtnet1} 1 (Invalid argument)
The netmap tools in kernel sources seems ok, lb start and the network
interface switch in netmap mode.
I think the latest working version of plugin is compatible with netmap
release available in FreeBSD 11.2, but there are performance issues with
vtnets.
Also tcpreplay doesn't work when i try to send traffic in netmap mode to a
NIC sniffed by zeek (in FBSD 11.2)
Thanks,
Anthon
Il giorno gio 7 mag 2020 alle ore 20:30 Michael Shirk <
shirkdog.bsd at gmail.com> ha scritto:
> Some questions to get started:
> Which version of FreeBSD are you using?
> Which network card are you using?
>
> The biggest issue is parity between the netmap and FreeBSD source
> trees, you really need to run FreeBSD-CURRENT to ensure you have all
> of the latest changes. There were some issues in the past that
> affected even Intel network cards from working correctly, so the types
> of cards you are using are very important.
>
> I pushed to get the netmap tools added to the source tree, so you can
> build "lb" from the following location and use it:
> /usr/src/tools/tools/netmap/lb.c
>
> I am updating a FreeBSD system to see if this still builds correctly
> as I have not used LB in a while.
>
> On Thu, May 7, 2020 at 12:32 PM Anthony Arnaud
> <antho.arnaudisce at gmail.com> wrote:
> >
> > Hi All,
> > I tried to install Zeek on my FreeBSD server with netmap support.
> > But VirtIO Ethernet driver is not working properly, there are
> performance problems that should be solved in the latest Netmap release,
> ref to:
> >
> > https://reviews.freebsd.org/D17916
> >
> > Unfortunately the bro-netmap plugin does not work with that.
> > It seems that Zeek is unusable in FreeBSD env, the developments of the
> bro-netmap plugin are closed and it is impossible to parallelize network
> traffic on multiple zeek workers.
> > Does anyone know if updates are currently planned?
> > Or if someone using this plugin with the Netmap last version?
> > Or, finally, are there other BSD loadbalancing solutions ?
> > Thank y'all
> >
> > Anthon
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200508/593623e7/attachment.html
More information about the Zeek
mailing list