idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://idaholab.github.io/Malcolm/

AF_PACKET isn't being enabled for zeek-live container capture #437

Closed mmguero closed 3 months ago

mmguero commented 3 months ago

It would appear that af_packet isn't being enabled for the zeek-live container for capture.

At first blush the issue is probably either one of two things:

mmguero commented 3 months ago

The zeek-live container's zeek command line now looks like this:

/opt/zeek/bin/zeek -i af_packet::enp0s25 -U .status -p zeekctl -p zeekctl-live -p local -p worker-1-1 local /opt/zeek/share/zeek/site/extractor.zeek zeekctl base/frameworks/cluster zeekctl/auto

Note the af_packet.
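A small check a Malcolm operator could run to confirm the fix above, written here as an added example rather than code from the Malcolm project: it parses the zeek command line (as printed above, or as read from the container's /proc) and reports any -i interface that is not prefixed with af_packet::, meaning Zeek would fall back to its default packet source for that interface. The sample command lines are constructed; the /proc helper assumes the check runs inside the zeek-live container with a known zeek PID.

```python
import shlex
from typing import List

# Constructed samples: the first is the command line quoted in the issue,
# the second is a made-up line with plain (non-AF_PACKET) interfaces.
WITH_AF_PACKET = (
    "/opt/zeek/bin/zeek -i af_packet::enp0s25 -U .status -p zeekctl "
    "-p zeekctl-live -p local -p worker-1-1 local "
    "/opt/zeek/share/zeek/site/extractor.zeek zeekctl base/frameworks/cluster zeekctl/auto"
)
WITHOUT_AF_PACKET = "/opt/zeek/bin/zeek -i enp0s25 -i enp1s0 -U .status local"


def proc_argv(pid: int) -> List[str]:
    """argv of a running process, from /proc (NUL-separated, trailing NUL)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode() for a in fh.read().split(b"\0") if a]


def capture_interfaces(cmdline: str) -> List[str]:
    """Every interface handed to zeek via -i <iface>, -i<iface> or --iface."""
    argv = shlex.split(cmdline)
    ifaces: List[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-i", "--iface") and i + 1 < len(argv):
            ifaces.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--iface="):
            ifaces.append(arg.split("=", 1)[1])
        elif arg.startswith("-i") and len(arg) > 2:  # getopt-style "-ienp0s25"
            ifaces.append(arg[2:])
        i += 1
    return ifaces


def interfaces_missing_af_packet(cmdline: str) -> List[str]:
    """Interfaces that would NOT be captured through the AF_PACKET plugin."""
    return [i for i in capture_interfaces(cmdline) if not i.startswith("af_packet::")]


if __name__ == "__main__":
    for line in (WITH_AF_PACKET, WITHOUT_AF_PACKET):
        missing = interfaces_missing_af_packet(line)
        print("OK: all interfaces use af_packet" if not missing
              else f"WARNING: no af_packet:: prefix on {missing}")
```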