Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeating data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings and 1200000 packets with 34 rings, and so on.
I wonder whether there is some rule that pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
We recently purchased some Intel XXV710 NICs for our Zeek systems. However,
symmetric hashing does not seem to work on them, at least not completely.
There was some discussion here regarding adding some functionality to the
driver to make it work, however this never landed:
https://sourceforge.net/p/e1000/mailman/message/35199068/
This post discusses how the X710 controller must be configured differently
from the 82599 10G controller (used by the X520 cards):
https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/
The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly*
work, but we're consistently finding that ~1-2% of the traffic is not being
symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and
Zeek 3.2.
The most damning evidence is an Intel rep telling[3] a customer:
> Unfortunately, we have been informed that the only support to setup
symmetric RSS is via DPDK.
Searching the mailing list archives, I found a couple of posts where people
were encouraged to use X710-based cards, so I'm left wondering: Are there
people using these? Are they also seeing this 1-2% asymmetry? Or am I
missing a configuration tweak?
Thanks,
--Vlad
[1] - <https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst>
[2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout>
[3] - <https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric…>
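For anyone checking their own key, the following is an added example (not from this thread, not Intel's or the SEPTun guide's code) showing why the repeating 6D:5A key produces a symmetric Toeplitz hash while a vendor-style default key does not. It assumes the standard IPv4 + TCP/UDP hash input (src IP, dst IP, src port, dst port) as in the Microsoft RSS specification, a 52-byte key for the i40e family (other NICs use other lengths) and a freshly reset, round-robin indirection table; the function and variable names are mine.

```python
"""Toeplitz RSS hash: symmetric 0x6D5A key vs. a default-style key.

Added example; assumes IPv4 + L4 port input order src IP, dst IP, src port,
dst port (Microsoft RSS spec). Key length 52 is an assumption for i40e NICs.
"""
import ipaddress
import struct

# Microsoft's published 40-byte RSS verification key (not symmetric).
MS_DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa"
)


def symmetric_key(length: int = 52) -> bytes:
    """Repeating 0x6D5A key, i.e. the 'ethtool -X ... hkey 6D:5A:6D:5A:...' value.
    Use an even length so the 16-bit period is unbroken."""
    return (b"\x6d\x5a" * (length // 2 + 1))[:length]


def toeplitz(key: bytes, data: bytes) -> int:
    """Standard Toeplitz hash: XOR together the 32-bit key window that starts at
    the position of every set bit of the input (bits numbered from the MSB)."""
    key_bits = len(key) * 8
    n_bits = len(data) * 8
    if key_bits < n_bits + 32:
        raise ValueError("key too short for this input length")
    k = int.from_bytes(key, "big")
    d = int.from_bytes(data, "big")
    result = 0
    for i in range(n_bits):
        if (d >> (n_bits - 1 - i)) & 1:
            result ^= (k >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def flow_input(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """IPv4/L4 hash input: 4 bytes src, 4 bytes dst, 2 bytes sport, 2 bytes dport."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", sport, dport))


def rss_hash(key: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> int:
    return toeplitz(key, flow_input(src_ip, dst_ip, sport, dport))


def is_symmetric(key: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
    """True when both directions of the flow hash to the same 32-bit value."""
    return (rss_hash(key, src_ip, dst_ip, sport, dport)
            == rss_hash(key, dst_ip, src_ip, dport, sport))


def queue_for(hash_value: int, n_queues: int, table_size: int = 128) -> int:
    """Indirection-table lookup. Assumption: the low bits of the hash index a
    table_size-entry table populated round-robin ('ethtool -X ... equal N')."""
    return (hash_value & (table_size - 1)) % n_queues


def compare_keys(src_ip: str, dst_ip: str, sport: int, dport: int, n_queues: int = 16) -> dict:
    """Queue chosen for the forward and the reverse direction under each key."""
    out = {}
    for name, key in (("ms_default", MS_DEFAULT_KEY), ("6d5a_symmetric", symmetric_key())):
        fwd = queue_for(rss_hash(key, src_ip, dst_ip, sport, dport), n_queues)
        rev = queue_for(rss_hash(key, dst_ip, src_ip, dport, sport), n_queues)
        out[name] = (fwd, rev)
    return out


if __name__ == "__main__":
    # Flow from Microsoft's RSS verification table (constructed test vector, not captured traffic).
    print(compare_keys("66.9.149.187", "161.142.100.80", 2794, 1766))
```

The symmetry is structural: with a key whose bit pattern repeats every 16 bits, the key window at bit offset i equals the window at i+32, so swapping the two 32-bit addresses (and likewise the two 16-bit ports) XORs in exactly the same windows. Note that this only covers packets the NIC hashes on the full 4-tuple; anything hashed on a different input (for example IPv4 addresses only, as the `toeplitz()` call on the first 8 bytes shows) selects a queue from a different hash value.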
Hi there,
I'm trying to create a new protocol analyzer as a plugin but am struggling to
get it running. I run into the following exception:
/home/user/plugin/build///lib/plugin-Test.linux-x86_64.so did not
instantiate a plugin
This is my code:
Plugin.cc

#include "zeek/plugin/Plugin.h"
#include "zeek/analyzer/Component.h"
#include "Test.h"

namespace zeek::plugin::Test_Plugin {

// The plugin object; its static constructor registers it with Zeek's plugin
// manager when the shared object is loaded.
class Plugin : public zeek::plugin::Plugin {
public:
    zeek::plugin::Configuration Configure() override {
        // Register the analyzer under the tag "Test"; Instantiate() builds one
        // analyzer instance per connection.
        AddComponent(new zeek::analyzer::Component("Test",
                     zeek::analyzer::Test::Test_Analyzer::Instantiate));

        zeek::plugin::Configuration config;
        config.name = "Plugin::Test_Analyzer";  // Namespace::Name as shown by zeek -N
        config.description = "<Beep Boop>";
        config.version.major = 1;
        config.version.minor = 0;
        return config;
    }
} plugin;

} // namespace zeek::plugin::Test_Plugin
Test.h

#pragma once

#include <zeek/analyzer/protocol/tcp/TCP.h>
#include <zeek/analyzer/Analyzer.h>

// u_char comes in through Zeek's own headers (Analyzer.h uses it), so no
// local typedefs are needed.

namespace zeek::analyzer { namespace Test {

// Minimal TCP application analyzer skeleton; the method bodies live in
// Test.cc (not shown here).
class Test_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
    explicit Test_Analyzer(Connection* conn);
    ~Test_Analyzer() override;

    void Done() override;
    void Init() override;

    // Receives reassembled stream data; orig is true for the originator side.
    void DeliverStream(int len, const u_char* data, bool orig) override;

    // Factory handed to the analyzer Component in Plugin.cc.
    static Analyzer* Instantiate(Connection* conn)
        {
        return new Test_Analyzer(conn);
        }

protected:
    int offset;
};

} } // end namespaces
I followed the guide on how to develop a plugin and looked up some other
analyzers on GitHub; it compiles without errors or warnings, but when I run
zeek -N it runs into this error. I even recompiled Zeek, but that didn't
help.
Thanks!
Dane
PS: Sorry for crossposting in zeek-dev-mailing list. I thought that was
the right one...
Hey all, I'm working on building a Zeek box on a training VM. The host
will have limited resources. What is the lowest config people have gotten to
run in such an environment?
Note, it does not have to be perfect, the main goal is to generate some
data so a few dropped packets are OK as is disabling some streams.
I'm looking to have 4 CPU/6GB RAM max.
Thanks
Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during
transport.
Hi all
Do you know of any packages (or any other method) which enables Zeek to
inspect images for steganography (hidden messages)?
For example, imagine some malware was using LSB steganography to
exfiltrate data from our network inside innocent looking images. Is
there a way for Zeek to flag these images as potentially containing
hidden data?
Thanks for your time.
Cheers
Steve
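One statistic a checker could run on extracted images, as an added example that is not a Zeek package and not from this thread: the chi-square "pairs of values" test of Westfeld and Pfitzmann (2000). Sequential LSB embedding at or near full capacity pushes the histogram counts of each value pair (2k, 2k+1) towards equality, which the test detects. It assumes the image has already been pulled out of the traffic (Zeek's file framework can write files to disk with the extraction analyzer) and decoded to grayscale pixel rows; the cover image below is constructed, not a real photo, and the function names are mine.

```python
"""Chi-square pairs-of-values test for LSB steganography (Westfeld & Pfitzmann, 2000).

Added example. Input is a list of rows of 8-bit grayscale pixel values; the
image decoding (PGM reader, Pillow, ...) is assumed to happen elsewhere.
"""
import random


def lsb_chi_square(pixels) -> float:
    """Chi-square goodness of fit of every histogram pair (2k, 2k+1) against
    equal counts, divided by the degrees of freedom (one per pair present).

    With randomised LSBs the per-pair terms are chi-square(1) distributed, so
    the ratio sits near 1.0; images whose histograms keep their natural
    even/odd structure score far higher.
    """
    hist = [0] * 256
    for row in pixels:
        for v in row:
            hist[v] += 1
    stat = 0.0
    df = 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        expected = (n_even + n_odd) / 2
        if expected == 0:
            continue  # pair absent from the image: carries no information
        stat += (n_even - expected) ** 2 / expected
        stat += (n_odd - expected) ** 2 / expected
        df += 1
    if df == 0:
        return float("inf")
    return stat / df


def looks_lsb_embedded(pixels, threshold: float = 2.0) -> bool:
    """Flag an image whose pair counts are as balanced as random LSBs would make them."""
    return lsb_chi_square(pixels) < threshold


def constructed_cover(width: int = 64, height: int = 64):
    """Constructed cover image with a combed histogram (odd levels rare), standing
    in for the uneven pair counts real images show. Values stay below 200."""
    return [[2 * ((3 * x + 5 * y) % 100) + (1 if (x * y) % 13 == 0 else 0)
             for x in range(width)] for y in range(height)]


def randomize_lsbs(pixels, seed: int = 1):
    """Overwrite every LSB with a random bit. This reproduces the histogram effect
    of full-capacity LSB embedding and is used only to build the positive case."""
    rng = random.Random(seed)
    return [[(v & 0xFE) | rng.getrandbits(1) for v in row] for row in pixels]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = randomize_lsbs(cover)
    print("cover  ratio %.2f flagged=%s" % (lsb_chi_square(cover), looks_lsb_embedded(cover)))
    print("stego  ratio %.2f flagged=%s" % (lsb_chi_square(stego), looks_lsb_embedded(stego)))
```

The test is cheap enough to run on every extracted image, but it only catches embedding that fills the low bits sequentially; sparse or randomly placed embedding keeps most pairs unbalanced and needs other estimators, so treat a flag as a reason to look closer rather than a verdict.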
Good morning,
When I try to compile spicy 1.1.0 on a FreeBSD 13 host, the following error appears:
ninja: Entering directory `build'
[6/338] cd /tmp/kk/build/hilti/runtime && /usr/local/bin/python3.8 /tmp/kk/scripts/autogen-version --header /tmp/kk/build/include/hilti/rt/autogen/version.h --git-root /tmp/kk
1.1.0-branch (72d88fbc)
[291/338] Generating ../cache/spicy/precompiled_libhilti.h
FAILED: cache/spicy/precompiled_libhilti.h
cd /tmp/kk/build/hilti && /usr/local/bin/cmake -E env SPICY_CACHE=/tmp/kk/build/cache/spicy /tmp/kk/scripts/precompile-headers.sh --hilti-config /tmp/kk/build/bin/hilti-config
Abort trap
Error: could not determine location of libhilti.h
[292/338] [BISON][parser_spicy] Building parser with bison 3.7.6
ninja: build stopped: subcommand failed.
*** Error code 1
Stop.
I am using the following configure options:
./configure --prefix=/opt/spicy --enable-ccache --generator=Ninja
How can I fix it?
Best regards,
C. L. Martinez