Re: [Zeek] Using af_packet in a host with two nics

On Jan 28, 2019, at 11:33 PM, Carlos Lopez <clopmz(a)outlook.com> wrote: Thanks Michal. Error is "Invalid argument" ... But what is "af_packet_fanout_id"? is it a random value? Regards, C. L. Martinez ________________________________________ From: Michał Purzyński <michalpurzynski1(a)gmail.com> Sent: 28 January 2019 21:48 To: Carlos Lopez Cc: zeek(a)zeek.org Subject: Re: [Zeek] Using af_packet in a host with two nics It is, unfortunately, impossible to tell, without you telling us how it failed and what the error messages were. I will take a wild guess - you need to specify a different cluster ID for each card. The original code here https://github.com/J-Gras/bro-af_packet-plugin And it tells how to do that with af_packet_fanout_id=23 > On Mon, Jan 28, 2019 at 11:26 AM Carlos Lopez <clopmz(a)outlook.com> wrote: > > Hi all, > > Is not posible to start a zeek's worker with two network interfaces using AF_Packet as a data acquisition? I have tried using the following config: > > [prod-ids] > type=worker > host=172.22.58.2 > interface=af_packet::eth2 > # > [dmz-ids] > type=worker > host=172.22.58.2 > interface=af_packet::eth3 > > ... But fails. And I have tried using " interface=' af_packet::eth2 -i af_packet::eth3' and it doesn't work also ... So, is it not possible to use af_packet to sniff two nics? > > I am using Zeek 2.6.1 with af_packet plugin installed. > > Regards, > C. L. Martinez > > > _______________________________________________ > Zeek mailing list > zeek(a)zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek