Hi all,
Is not posible to start a zeek's worker with two network interfaces using AF_Packet as a data acquisition? I have tried using the following config:
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
It is, unfortunately, impossible to tell, without you telling us how
it failed and what the error messages were. I will take a wild guess -
you need to specify a different cluster ID for each card.
The original code here
https://github.com/J-Gras/bro-af_packet-plugin
And it tells how to do that with
af_packet_fanout_id=23
Thanks Michal. Error is "Invalid argument" ... But what is "af_packet_fanout_id"? is it a random value?
Regards,
C. L. Martinez
Thanks Michal. Error is "Invalid argument" ... But what is "af_packet_fanout_id"? is it a random value?
From the man page (packet(7) - Linux manual page):
To scale processing across threads, packet sockets can form a
fanout group. In this mode, each matching packet is enqueued
onto only one socket in the group. A socket joins a fanout
group by calling setsockopt(2) with level SOL_PACKET and
option PACKET_FANOUT. Each network namespace can have up to
65536 independent groups. A socket selects a group by encod‐
ing the ID in the first 16 bits of the integer option value.
The first packet socket to join a group implicitly creates it.
To successfully join an existing group, subsequent packet
sockets must have the same protocol, device settings, fanout
mode and flags (see below). Packet sockets can leave a fanout
group only by closing the socket. The group is deleted when
the last socket is closed.
So as Michal suggested, you want to configure different fanout IDs for the both workers to support different NICs.
Jan
That looks like a cluster ID collision, fairly typical for a multi NIC setup.
Cluster ID is the common identifier of all sockets that the stream is load balanced across.
If two processes read packets from the same NIC and traffic is load balanced between them, they share the cluster ID.
Simplification, but a proper explanation needs a diagram.
Basically traffic is send to each cluster and shared between all processes in the cluster.
Two NIC - two cluster IDs.
Do you happen to have other NSM running as well, like Suricata, on the same host? ID would have to be different.
Also - does your bro have CAP_NET_RAW?
Perfect. manay thanks Jan.
Regards,
C. L. Martinez
Uhmm ... I have changed my config to:
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
af_packet_fanout_id=5
Carlos Lopez <clopmz@outlook.com> writes:
Uhmm ... I have changed my config to:
[prod-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth2
af_packet_fanout_id=5
#
[dmz-ids]
type=worker
host=172.22.58.2
interface=af_packet::eth3
af_packet_fanout_id=10
This may be a totally dumb/naive question, but... why do the
interfaces have the same IP address?
- Pat
Carlos Lopez <clopmz@outlook.com> writes:
> Uhmm ... I have changed my config to:
> [prod-ids]
> type=worker
> host=172.22.58.2
> interface=af_packet::eth2
> af_packet_fanout_id=5
> #
> [dmz-ids]
> type=worker
> host=172.22.58.2
> interface=af_packet::eth3
> af_packet_fanout_id=10
This may be a totally dumb/naive question, but... why do the
interfaces have the same IP address?
Because this host has two network interfaces ....
I have many such boxes (for other purposes). Each interface has a
unique IP address, and associated hostnames, e.g.,
polaris for XXX.XXX.115.101 on interface em1
polaris-10g for YYY.YYY.3.13 on interface p5p1
Even if the two interfaces are on the same VLAN (they are not in my
example) I would think you want separate IP addresses for them.
- Pat
The IP layer has nothing to do with it. Capture takes place way lower.
Are you running as root or a user?
Is there something else capturing pockets?
Have you tried with one card?
Hi all,
I don't think I've made myself clear. This host has three network interfaces: an interface for management with assigned IP address and two interfaces for sniffing ..
Regards,
C. L. Martinez