Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. NTop>
  3. Misc
Problem with bro/zeek and pf_ring/ZC
jfh at ufl
Mar 13, 2019, 6:46 PM
Post #1 of 3 (1285 views)
Permalink
Today I upgraded from zeek-2.6-beta2 and pf_ring 7.3.0

PF_RING 7.3.0 ($Revision: dev:c85efbc90d5abb7ef471be17cf9192b88a842ac4$)

to zeek 2.6.1 and the latest pf_ring from git

PF_RING 7.5.0 ($Revision: dev:342b85fe63a2f0cdd70cd16fefebe99e6a8657af$)

My interfaces were configured like so to work with zbalance_ipc :

[worker-1]
type=worker
host=localhost
interface=zc:99@0
lb_method=pf_ring
lb_procs=1

[worker-2]
type=worker
host=localhost
interface=zc:99@2
lb_method=pf_ring
lb_procs=1

etc.

When I start up zeek/bro, all the workers crash with

fatal error: problem with interface zc:99@0@0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))

Anyone know what I need to tweak to get this to work?

Thanks,

--
Jim Hranicky
Data Security Specialist
UF Information Technology
720 SW 2nd Avenue Suite 450, North Tower, Gainesville, FL 32605
352-273-1341
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Problem with bro/zeek and pf_ring/ZC [ In reply to ]
cardigliano at ntop
Mar 14, 2019, 1:26 AM
Post #2 of 3 (1283 views)
Permalink
Hi Jim
it seems that Zeek has not been linked against the pf_ring aware libpcap:

Could you double check with:

ldd /usr/local/bro/bin/bro | grep pcap
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fa371e33000)

As explained in this guide?
http://www.ntop.org/guides/pf_ring/thirdparty/bro.html <http://www.ntop.org/guides/pf_ring/thirdparty/bro.html>

Alfredo

> On 14 Mar 2019, at 02:46, Jim Hranicky <jfh@ufl.edu> wrote:
>
> Today I upgraded from zeek-2.6-beta2 and pf_ring 7.3.0
>
> PF_RING 7.3.0 ($Revision: dev:c85efbc90d5abb7ef471be17cf9192b88a842ac4$)
>
> to zeek 2.6.1 and the latest pf_ring from git
>
> PF_RING 7.5.0 ($Revision: dev:342b85fe63a2f0cdd70cd16fefebe99e6a8657af$)
>
> My interfaces were configured like so to work with zbalance_ipc :
>
> [worker-1]
> type=worker
> host=localhost
> interface=zc:99@0
> lb_method=pf_ring
> lb_procs=1
>
> [worker-2]
> type=worker
> host=localhost
> interface=zc:99@2
> lb_method=pf_ring
> lb_procs=1
>
> etc.
>
> When I start up zeek/bro, all the workers crash with
>
> fatal error: problem with interface zc:99@0@0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
>
> Anyone know what I need to tweak to get this to work?
>
> Thanks,
>
> --
> Jim Hranicky
> Data Security Specialist
> UF Information Technology
> 720 SW 2nd Avenue Suite 450, North Tower, Gainesville, FL 32605
> 352-273-1341
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Problem with bro/zeek and pf_ring/ZC [ In reply to ]
jfh at ufl
Mar 14, 2019, 8:01 AM
Post #3 of 3 (1283 views)
Permalink
Gah, total goof on my part.

Thank you.

Jim

On 3/14/19 4:26 AM, Alfredo Cardigliano wrote:
> Hi Jim
> it seems that Zeek has not been linked against the pf_ring aware libpcap:
>
> Could you double check with:
>
> ldd /usr/local/bro/bin/bro | grep pcap
> libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fa371e33000)

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal