Zeek publisher weird behaviour

Hello people,

I’m trying to use zeek broker module which has 2 subscribers. The publisher zeek script looks like this:

    event zeek_init() &priority=5 {
        # Hold pcap processing until continue_processing() is called.
        suspend_processing();
        #Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);
        Broker::subscribe("/topic/discovery");
        Broker::listen("127.0.0.1", 50001/tcp);
        Broker::auto_publish("/topic/discovery", analyzer_confirmation);
    }

and the subscriber python module looks like this:

    import broker

    with (
        broker.Endpoint() as ep,
        ep.make_subscriber("/topic/discovery") as sub,
        ep.make_status_subscriber(True) as ss,
    ):
        print("Starting Scan...")
        ep.peer('127.0.0.1', 50001)
        # Block until the first status message (e.g. peer added) arrives.
        st = ss.get()

Now when I try to run 2 instances of the subscribers, both of them get connected, but only 1 of them gets the events from the pcap. If I run the zeek publisher again, then both the subscribers get the events. I have tried to run this multiple times and the behavior is persistent.


From your screenshot output: All the events are processed before the second subscriber (second PEER ADDED line) has even connected. You’ll need to adapt your continue_processing() logic on the Zeek side to only start processing the pcap when two peers have been added.

Hi @awelzel,

Is there a function in zeek script to apply that condition?

Thanks

> Is there a function in zeek script to apply that condition?

Thought was to update a global counter or set of peers that have been added and once it reached the expected number, call continue_processing().

If this doesn’t work out, you’ll need to share some more code and explain what you tried.
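
The peer-counting approach suggested in the reply above, as an added example that is not part of the original thread or of Zeek's own scripts. The names `expected_peers`, `connected_peers` and `processing_started` are chosen for this example, and it assumes the same topic, port and `analyzer_confirmation` event as the publisher script in the question.

```zeek
# Added example: hold pcap processing until the expected number of Broker
# peers have connected, then release it exactly once.

# Number of subscribers to wait for (assumption: two, as in the thread).
const expected_peers: count = 2 &redef;

# Endpoint IDs of the peers currently connected. A set is used so that a
# peer that reconnects is not counted twice.
global connected_peers: set[string];

# Set to T once continue_processing() has been called.
global processing_started = F;

event zeek_init() &priority=5
	{
	# Stop reading the pcap until the subscribers are attached.
	suspend_processing();
	Broker::subscribe("/topic/discovery");
	Broker::listen("127.0.0.1", 50001/tcp);
	Broker::auto_publish("/topic/discovery", analyzer_confirmation);
	}

# Raised each time a remote endpoint finishes peering with this node.
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
	{
	add connected_peers[endpoint$id];
	print fmt("peer added: %s (%d of %d)", endpoint$id,
	          |connected_peers|, expected_peers);

	if ( ! processing_started && |connected_peers| >= expected_peers )
		{
		processing_started = T;
		continue_processing();
		}
	}

# Keep the set accurate if a subscriber drops before processing starts.
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
	{
	delete connected_peers[endpoint$id];
	}
```

Because `expected_peers` is declared `&redef`, the number of subscribers to wait for can be changed without editing the handlers.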