Our site upgraded from Zeek 4.x to Zeek 5.x and lost VLAN tagging. Nothing else changed. We are running an RPM/RedHat-based multi-node cluster with pf_ring and Myricom 10Gb NICs. We upgraded from 5.0.2 to 5.0.3. We tried zeek/corelight/log-add-vlan-everywhere which Corelight support says ‘should be compatible’ with Zeek 5.x.
Anyone else had this problem? Any suggestions on where to begin tracing this?
Any chance you can capture a few packets as pcap and cross-check with zeek -r for Zeek 4.x and Zeek 5.x (loading policy/protocols/conn/vlan-logging.zeek)? If there’s a discrepancy then please report it on GitHub and if possible attach the pcap. You can also check the pcap in Wireshark to see if the packets are VLAN tagged.
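One way to do the cross-check suggested above, as an added example that is not part of this thread and not Zeek or Corelight code: run zeek -r with the vlan-logging policy under each Zeek version, then compare the resulting conn.log files for the vlan and inner_vlan columns. The script assumes conn.log in Zeek's default ASCII TSV format (the #fields / #unset_field header lines); the two log excerpts embedded below are constructed for the demonstration, with most conn.log columns trimmed.

```python
"""Compare two Zeek conn.log files for VLAN tagging (added example).

Assumes Zeek's default ASCII log format:
  #fields <tab-separated column names>, #unset_field <marker>, data rows.
The vlan-logging policy appends the optional fields `vlan` and
`inner_vlan` to Conn::Info, so they show up as extra columns when loaded.
"""
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: a build where vlan-logging is loaded. Row 1 has an
# outer tag only, row 2 is double-tagged (QinQ), row 3 is untagged.
CONN_WITH_VLAN = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tvlan\tinner_vlan
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tint\tint
1672531200.000000\tCabc1\t10.0.1.5\t51234\t10.0.2.9\t443\ttcp\t100\t-
1672531201.000000\tCabc2\t10.0.1.6\t51235\t10.0.2.9\t53\tudp\t100\t200
1672531202.000000\tCabc3\t10.0.1.7\t51236\t10.0.2.9\t80\ttcp\t-\t-
#close\t2023-01-01-00-00-03
"""

# Constructed excerpt: same traffic, but vlan-logging was never loaded,
# so the columns are simply absent from the header.
CONN_WITHOUT_VLAN = """\
#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
#types\ttime\tstring\taddr\tport\taddr\tport\tenum
1672531200.000000\tCabc1\t10.0.1.5\t51234\t10.0.2.9\t443\ttcp
1672531201.000000\tCabc2\t10.0.1.6\t51235\t10.0.2.9\t53\tudp
1672531202.000000\tCabc3\t10.0.1.7\t51236\t10.0.2.9\t80\ttcp
#close\t2023-01-01-00-00-03
"""

Row = Dict[str, Optional[str]]


def parse_zeek_log(text: str) -> Tuple[List[str], List[Row]]:
    """Parse a Zeek ASCII log into (field names, rows); unset values become None."""
    fields: List[str] = []
    unset = "-"
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # other header lines (#separator, #types, #close) are not needed
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header has {len(fields)}")
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return fields, rows


def vlan_summary(text: str) -> Dict[str, object]:
    """Report whether the VLAN columns exist and how many records carry tags."""
    fields, rows = parse_zeek_log(text)
    present = "vlan" in fields and "inner_vlan" in fields
    outer = sum(1 for r in rows if present and r["vlan"] is not None)
    inner = sum(1 for r in rows if present and r["inner_vlan"] is not None)
    return {"columns_present": present, "records": len(rows),
            "outer_tagged": outer, "inner_tagged": inner}


def diagnose(old_log: str, new_log: str) -> str:
    """Compare the old and new builds' conn.log and name the most likely cause."""
    old, new = vlan_summary(old_log), vlan_summary(new_log)
    if old["columns_present"] and not new["columns_present"]:
        return "vlan/inner_vlan columns missing: vlan-logging policy is not loaded on the new build"
    if new["columns_present"] and new["outer_tagged"] == 0 and old["outer_tagged"] > 0:
        return "columns present but no tags seen: check whether the capture path strips 802.1Q headers"
    if old["outer_tagged"] != new["outer_tagged"]:
        return "tag counts differ between builds: worth a GitHub report with the pcap attached"
    return "no discrepancy"


if __name__ == "__main__":
    print(vlan_summary(CONN_WITH_VLAN))
    print(vlan_summary(CONN_WITHOUT_VLAN))
    print(diagnose(CONN_WITH_VLAN, CONN_WITHOUT_VLAN))
```

To use it on real output, replace the embedded strings with the contents of the conn.log written by each Zeek version in its own working directory; the "columns missing" finding is the one that points at a script-loading problem rather than at the capture path.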
I captured some packets and confirmed with tcpdump -e that the vlan information was present in the pcap file.
Then, when I did this: $ /opt/zeek/bin/zeek /opt/zeek/share/zeek/policy/protocols/conn/vlan-logging.zeek -r file.pcap
I saw that conn.log showed vlan and inner_vlan as expected.
This led me to discover that in the upgrade, my /opt/zeek/share/zeek/site/local.zeek file was renamed /opt/zeek/share/zeek/site/local.zeek.rpmsave.
In the default version of the file, this line had become commented: @load policy/protocols/conn/vlan-logging
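A post-upgrade check for exactly this failure mode, added here as an example rather than anything from the thread or from Zeek: compare the @load lines that are active (not commented out) in the saved local.zeek.rpmsave against the freshly installed local.zeek, so that any policy the site had enabled but the new default ships commented out is reported. The two file contents below are constructed samples; on a real host they would be read from the paths the poster names.

```python
"""Find @load lines that were active in local.zeek.rpmsave but not in the
new local.zeek (added example, not Zeek's own tooling).

Assumes the Zeek script convention that `#` starts a comment and that
site policy is enabled with lines of the form `@load <script>`.
"""
import re
from typing import Set

# Constructed sample: the site's customised local.zeek as preserved by RPM.
SAVED_LOCAL_ZEEK = """\
# Site-specific policy (constructed sample)
@load tuning/defaults
@load policy/protocols/conn/vlan-logging
@load policy/protocols/ssl/validate-certs   # trailing comment is ignored
@load-sigs frameworks/signatures/detect-windows-shells
"""

# Constructed sample: the packaged default that replaced it, with the
# VLAN policy shipped commented out.
NEW_LOCAL_ZEEK = """\
# Default policy (constructed sample)
@load tuning/defaults
# @load policy/protocols/conn/vlan-logging
@load policy/protocols/ssl/validate-certs
"""

# `@load` followed by whitespace; deliberately does not match `@load-sigs`.
LOAD_RE = re.compile(r"^\s*@load\s+([^\s#]+)")


def active_loads(text: str) -> Set[str]:
    """Return script names from uncommented @load lines, minus any .zeek suffix."""
    loads: Set[str] = set()
    for line in text.splitlines():
        m = LOAD_RE.match(line)
        if not m:
            continue  # blank, comment, or a different directive
        name = m.group(1)
        if name.endswith(".zeek"):
            name = name[: -len(".zeek")]
        loads.add(name)
    return loads


def loads_lost_in_upgrade(saved_text: str, new_text: str) -> Set[str]:
    """Scripts the saved config loaded that the new config no longer does."""
    return active_loads(saved_text) - active_loads(new_text)


if __name__ == "__main__":
    for script in sorted(loads_lost_in_upgrade(SAVED_LOCAL_ZEEK, NEW_LOCAL_ZEEK)):
        print(f"no longer loaded: {script}")
```

Reading the two files from /opt/zeek/share/zeek/site and feeding them to loads_lost_in_upgrade is enough to surface the dropped vlan-logging line before the cluster is redeployed; the same check applies to any other site policy the package default does not enable.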