Warning: ignoring unrecognized node config option 'af_packet_fanout_id'

Hello,

Can someone assist me with this?

Just upgraded Zeek to 4.1.1 on CentOS 7 (kernel: 3.10.0-1160.49.1.el7.x86_64).

I am using AF_Packet in my node.cfg and I have it installed via zkg.

```
[worker-1]
type=worker
host=localhost
interface=af_packet::ensXX
lb_method=custom
lb_procs=30
pin_cpus=6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35
af_packet_fanout_id=10
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
```

zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.1) - This plugin provides native AF_Packet support for Zeek.

But I get the following error when I try to start zeek and the workers terminate right away.

```
zeekctl deploy
Warning: ignoring unrecognized node config option 'af_packet_fanout_id' given for node 'worker-1'
Warning: ignoring unrecognized node config option 'af_packet_fanout_mode' given for node 'worker-1'
```

It also gives the following error:

```
zeekctl deploy
checking configurations ...
logger scripts failed.
error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near "FANOUT_HASH"
manager scripts failed.
error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near "FANOUT_HASH"
proxy-1 scripts failed.
error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near "FANOUT_HASH"
worker-1-1 scripts failed.
error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near "FANOUT_HASH"
```

That file contains the following:

cat /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek

```
##! Packet source using AF_Packet.
##!
##! Note: This module is in testing and is not yet considered stable!

module AF_Packet;

export {
    ## Size of the ring-buffer.
    const buffer_size = 128 * 1024 * 1024 &redef;
    ## Toggle whether to use hardware timestamps.
    const enable_hw_timestamping = F &redef;
    ## Toggle whether to use PACKET_FANOUT.
    const enable_fanout = T &redef;
    ## Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
    const enable_defrag = F &redef;
    ## Fanout Mode.
    const fanout_mode = FANOUT_HASH &redef;
    ## Fanout ID.
    const fanout_id = 23 &redef;
}
```

> zeekctl deploy
>
> Warning: ignoring unrecognized node config option 'af_packet_fanout_id' given for node 'worker-1'
>
> Warning: ignoring unrecognized node config option 'af_packet_fanout_mode' given for node 'worker-1'

You'd get this error if the af_packet.py zeekctl plugin was not
installed in the right place.

> error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near "FANOUT_HASH"

You'd get this error if the af_packet plugin was not installed.

So, it looks like you somehow have parts of the af_packet plugin
installed, but not the whole thing. I'd uninstall it using zkg, then
ensure your zkg configuration is correct, with `zkg autoconfig`, then
reinstall the plugin.
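
The triage and fix described in the reply above, as an added shell example that is not part of the original thread or of the plugin's own code. The function names and finding labels are made up for illustration; the package name and the sample output lines are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Package name as listed in the post.
PKG="zeek/j-gras/zeek-af_packet-plugin"

# Sample input: two lines of `zeekctl deploy` output copied from the thread.
SAMPLE="Warning: ignoring unrecognized node config option 'af_packet_fanout_id' given for node 'worker-1'
error in /usr/local/zeek/share/zeek/site/packages/./zeek-af_packet-plugin/./init.zeek, line 17: unknown identifier FANOUT_HASH, at or near \"FANOUT_HASH\""

# diagnose_af_packet (hypothetical helper): read zeekctl output on stdin and
# print one finding per line. Typical use:
#   zeekctl check 2>&1 | diagnose_af_packet
diagnose_af_packet() {
    out=$(cat)
    found=0
    # zeekctl rejects the af_packet_* node.cfg keys: its af_packet.py
    # plugin is not where zeekctl looks for plugins.
    if printf '%s\n' "$out" | grep -q "unrecognized node config option 'af_packet_"; then
        echo "zeekctl-plugin-missing"; found=1
    fi
    # The package's init.zeek was loaded, but FANOUT_* is undefined:
    # Zeek did not load the AF_Packet plugin itself.
    if printf '%s\n' "$out" | grep -Eq 'unknown identifier FANOUT_[A-Z_]+'; then
        echo "zeek-plugin-missing"; found=1
    fi
    [ "$found" -eq 1 ] || echo "no-af_packet-symptom"
    return 0
}

# reinstall_af_packet (hypothetical helper): the fix from the reply, then two
# checks. Each step must succeed before the next one runs; zkg may prompt.
reinstall_af_packet() {
    zkg remove "$PKG" &&
    zkg autoconfig &&
    zkg install "$PKG" &&
    zeek -N | grep -i af_packet &&   # the plugin should now be listed
    zeekctl check                    # both symptoms should be gone
}
```

Both findings appearing together, as they do for `SAMPLE`, is the partial install the reply describes.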

Thanks! That fixed the issue. Another question: is 4.1.1 going to be the new LTS? If yes, any idea when?

Regards,

Kayode Enwerem RHCE (CTR)
Security Tools Linux Admin
ITSO/SOC
Administrative Office of the U.S. Courts
(202) 227-1530

The release process for Zeek works like this:

- The LTS releases follow an x.0.y versioning scheme and come out roughly once per year, with patch releases as necessary. The current LTS release is 4.0.4.
- Feature releases come out during the interim, and follow an x.a.b versioning, with x being the same as the current LTS. Again, with patch releases as necessary. The current feature release is 4.1.1. 4.2.0-RC1 was released this week, and 4.2 will supersede 4.1 once it is fully released. We generally try to follow a 4-month cadence for the feature releases, but schedules slip, etc.

We’re currently in the development cycle for the next LTS release, which at this point should be 5.0.0, which will supersede the 4.0 line and become the new LTS release for the following year-ish.

Does that help?

Tim

Yes, it helps. Do you also do Security fixes in the feature releases?

Yes, but normally only up until the next feature release comes out. For example, we did a 4.1.1 release, but once 4.2 is out there won’t be any more 4.1.x releases. Any further security patches for the feature releases would go into the 4.2.x cycle. There’s the chance that we would backport something if it was extremely important, but it’s unlikely.

Tim