[Zeek] Zeek Vs. FreeBSD

Michael Shirk shirkdog.bsd at gmail.com
Wed May 20 09:01:46 PDT 2020


On Fri, May 8, 2020 at 11:33 AM Anthony Arnaud
<antho.arnaudisce at gmail.com> wrote:
>
> Hi Michael,
> I'm using FreeBSD 12.1 and Zeek 3.0.5 (ver. 3.0.6 available in ports has compilation problems), with 2 NICs without IP, em0 and vtnet1 (em0 is Intel e1000), but the problem is that the Zeek plugin is not updated (API mismatch).
>
> #ifconfig
> vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
>         ether something
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=812098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
>         ether something
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> # on zeekctl start
> starting workers ...
> Error: worker-1-1 terminated immediately after starting; check output with "diag"
> Error: worker-1-2 terminated immediately after starting; check output with "diag"
>
> #in dmesg
> 173.973686 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)
> 173.973712 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)
>
> #from zeekctl diag
> Zeek 3.0.5
> FreeBSD 12.1-RELEASE
>
> Zeek plugins:
> Bro::Netmap - Packet acquisition via Netmap (dynamic, version 1.0.0)
>
> ==== stderr.log
> 292.768100 nm_open [920] NIOCREGIF failed: Invalid argument vtnet1}1
> fatal error: problem with interface netmap::vtnet1}1 (Invalid argument)
>
> The netmap tools in kernel sources seem OK: lb starts and the network interface switches to netmap mode.
> I think the latest working version of the plugin is compatible with the netmap release available in FreeBSD 11.2, but there are performance issues with vtnets.
> Also, tcpreplay doesn't work when I try to send traffic in netmap mode to a NIC sniffed by Zeek (in FBSD 11.2).
>
> Thanks,
> Anthon
>
> On Thu, May 7, 2020 at 20:30 Michael Shirk <shirkdog.bsd at gmail.com> wrote:
>>
>> Some questions to get started:
>> Which version of FreeBSD are you using?
>> Which network card are you using?
>>
>> The biggest issue is parity between the netmap and FreeBSD source
>> trees, you really need to run FreeBSD-CURRENT to ensure you have all
>> of the latest changes. There were some issues in the past that
>> affected even Intel network cards from working correctly, so the types
>> of cards you are using are very important.
>>
>> I pushed to get the netmap tools added to the source tree, so you can
>> build "lb" from the following location and use it:
>> /usr/src/tools/tools/netmap/lb.c
>>
>> I am updating a FreeBSD system to see if this still builds correctly
>> as I have not used LB in a while.
>>
>> On Thu, May 7, 2020 at 12:32 PM Anthony Arnaud
>> <antho.arnaudisce at gmail.com> wrote:
>> >
>> > Hi All,
>> > I tried to install Zeek on my FreeBSD server with netmap support.
>> > But VirtIO Ethernet driver is not working properly, there are performance problems that should be solved in the latest Netmap release, ref to:
>> >
>> > https://reviews.freebsd.org/D17916
>> >
>> > Unfortunately the bro-netmap plugin does not work with that.
>> > It seems that Zeek is unusable in a FreeBSD environment: development of the bro-netmap plugin is closed and it is impossible to parallelize network traffic across multiple Zeek workers.
>> > Does anyone know if updates are currently planned?
>> > Or is anyone using this plugin with the latest Netmap version?
>> > Or, finally, are there other BSD load-balancing solutions?
>> > Thank y'all
>> >
>> > Anthon
>>
>>
>>
>> --
>> Michael Shirk
>> Daemon Security, Inc.
>> https://www.daemon-security.com

I had a user error on my part. The following, if run from a FreeBSD
CURRENT system with the kernel source, will build the tools, and you can
use them for packet brokering:

cd /usr/src/tools/tools/netmap
make all

The binaries will be located here:
/usr/obj/usr/src/amd64.amd64/tools/tools/netmap

Then you can run LB to set up the packet brokering, in this case just
two pipes set up on em0:
./lb -i em0 -p ids:2 -o 1
143.318741 main [588] interface is em0
143.529856 main [702] successfully opened netmap:em0 (tx rings: 1024)
143.529865 main [774] opening pipe named netmap:ids{0/xT@1
143.530027 nm_mmap [990] do not mmap, inherit from parent
143.530037 main [789] successfully opened pipe #1 netmap:ids{0/xT@1 (tx slots: 1024)
143.530039 main [794] zerocopy enabled
143.530042 main [774] opening pipe named netmap:ids{1/xT@1
143.530131 nm_mmap [990] do not mmap, inherit from parent
143.530137 main [789] successfully opened pipe #2 netmap:ids{1/xT@1 (tx slots: 1024)
143.530140 main [794] zerocopy enabled

Now to see about the netmap plugin working.
-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
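
A small check for the two log signatures that appear in this thread, added here as an example and not part of the original messages or of the netmap or Zeek code: it reports a netmap API mismatch from dmesg text and confirms that lb opened the expected number of pipes before any sensor workers are started. The function names are hypothetical, and the sample lines are copied from the messages above so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Sample log lines are taken from the
# messages above and embedded here; function names are hypothetical.

SAMPLE_DMESG='173.973686 [376] netmap_ioctl_legacy Minimum supported API is 14 (requested 11)'

SAMPLE_LB='143.529856 main [702] successfully opened netmap:em0 (tx rings: 1024)
143.530037 main [789] successfully opened pipe #1 netmap:ids{0/xT@1 (tx slots: 1024)
143.530137 main [789] successfully opened pipe #2 netmap:ids{1/xT@1 (tx slots: 1024)'

# Read dmesg text on stdin. Print "requested=<n> minimum=<m>" for the first
# netmap API mismatch line and return 0; return 1 if there is none.
netmap_api_mismatch() {
    awk '/netmap_ioctl_legacy Minimum supported API is/ {
             min = $(NF-2); req = $NF; gsub(/[^0-9]/, "", req)
             print "requested=" req " minimum=" min; found = 1; exit
         }
         END { exit !found }'
}

# Read lb startup output on stdin and print how many pipes with the given
# name (the part before ":" in "-p ids:2") were reported as opened.
lb_open_pipes() {
    grep -c "successfully opened pipe #[0-9][0-9]* netmap:${1}{"
}

# usage: lb_ready <pipe-name> <expected-count> < lb.log
# Returns 0 only when exactly the expected number of pipes is open.
lb_ready() {
    [ "$(lb_open_pipes "$1")" -eq "$2" ]
}

# Demo on the embedded samples; on a live host feed `dmesg` output and the
# captured lb output instead.
printf '%s\n' "$SAMPLE_DMESG" | netmap_api_mismatch
printf '%s\n' "$SAMPLE_LB" | lb_ready ids 2 && echo "lb: 2 pipes open for ids"
```
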

