Zeek/Suricata/Stenographer can not pick up any data from NIC/Profishark #11117

ErlindS · 2023-08-21T12:40:01Z

ErlindS
Aug 21, 2023

Version: 2.3.260
Installation Method: Network installation on Ubuntu 20.04
Description: Connecting: Profitap
Hardware Specs: Exceeds minimum requirements
Network Traffic Collection: Profishark-tap

I have the following problem:

I try to connect my Profishark with my security onion distribution. I have one active forward node.
I can theoretically send data with "sudo so-import-pcap" to my security onion. So my connection to the Security Onion manager is working.
I can capture data with "tcpdump -i enx..." and with the Profishark manager. So I can receive data with my tap.
But I can not pick up any data with Zeek/suricata or Stenographer and I don't know why.

message I get in security onion

Zeek logs:

{"ts":1692619201.568257,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":41520,"message":"handshake successful"}
{"ts":1692619201.613708,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":41520,"message":"lost connection to remote peer"}
{"ts":1692619201.472266,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":42132,"message":"handshake successful"}
{"ts":1692619201.569183,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":42132,"message":"lost connection to remote peer"}
{"ts":1692619201.520306,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":44236,"message":"handshake successful"}
{"ts":1692619201.56985,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":44236,"message":"lost connection to remote peer"}
{"ts":1692619802.268233,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":51940,"message":"handshake successful"}
{"ts":1692619802.316403,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":44364,"message":"handshake successful"}
{"ts":1692619802.365785,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":44364,"message":"lost connection to remote peer"}
{"ts":1692619802.36425,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":45480,"message":"handshake successful"}
{"ts":1692619802.409507,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":45480,"message":"lost connection to remote peer"}
{"ts":1692619802.36522,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":51940,"message":"lost connection to remote peer"}
{"ts":1692620401.4363,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":49686,"message":"handshake successful"}
{"ts":1692620401.534489,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":49686,"message":"lost connection to remote peer"}
{"ts":1692620401.532553,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":36906,"message":"handshake successful"}
{"ts":1692620401.57792,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":36906,"message":"lost connection to remote peer"}
{"ts":1692620401.484337,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":50076,"message":"handshake successful"}
{"ts":1692620401.5357971,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":50076,"message":"lost connection to remote peer"}
{"ts":1692621001.39239,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":39678,"message":"handshake successful"}
{"ts":1692621001.440325,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":53052,"message":"handshake successful"}
{"ts":1692621001.493736,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":53052,"message":"lost connection to remote peer"}
{"ts":1692621001.493149,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":39678,"message":"lost connection to remote peer"}
{"ts":1692621001.492282,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":35068,"message":"handshake successful"}
{"ts":1692621001.540925,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":35068,"message":"lost connection to remote peer"}
{"ts":1692621601.956277,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":45108,"message":"handshake successful"}
{"ts":1692621602.004295,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":56720,"message":"handshake successful"}
{"ts":1692621602.055816,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":56720,"message":"lost connection to remote peer"}
{"ts":1692621602.052503,"ty":"Broker::STATUS","ev":"peer-added","peer.address":"127.0.0.1","peer.bound_port":49008,"message":"handshake successful"}
{"ts":1692621602.100653,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":49008,"message":"lost connection to remote peer"}
{"ts":1692621602.05435,"ty":"Broker::STATUS","ev":"connection-terminated","peer.address":"127.0.0.1","peer.bound_port":45108,"message":"lost connection to remote peer"}
{"ts":1692619290.348784,"ts_delta":300.00063705444336,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619290.380872,"ts_delta":300.00075912475586,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619290.387424,"ts_delta":300.0006539821625,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619590.349231,"ts_delta":300.0004470348358,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619590.381233,"ts_delta":300.00036096572876,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619590.387809,"ts_delta":300.00038504600525,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619890.350379,"ts_delta":300.0011479854584,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619890.388887,"ts_delta":300.0010778903961,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619890.381447,"ts_delta":300.00021409988403,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620190.382331,"ts_delta":300.00088381767273,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620190.351117,"ts_delta":300.0007379055023,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620190.389679,"ts_delta":300.0007920265198,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620490.382935,"ts_delta":300.00060415267944,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620490.351677,"ts_delta":300.0005600452423,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620490.390195,"ts_delta":300.0005159378052,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620790.383254,"ts_delta":300.00031900405884,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620790.351948,"ts_delta":300.00027108192444,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692620790.390435,"ts_delta":300.00024008750916,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621090.384057,"ts_delta":300.0008029937744,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621090.352166,"ts_delta":300.0002179145813,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621090.391394,"ts_delta":300.00095891952515,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621390.352858,"ts_delta":300.00069212913513,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621390.384151,"ts_delta":300.00009393692017,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621390.392093,"ts_delta":300.0006990432739,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621690.353272,"ts_delta":300.0004138946533,"peer":"worker-1-3","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621690.384484,"ts_delta":300.000333070755,"peer":"worker-1-1","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692621690.392362,"ts_delta":300.0002691745758,"peer":"worker-1-2","gaps":0,"acks":0,"percent_lost":0.0}
{"ts":1692619290.348784,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619290.380872,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619290.387424,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619590.349231,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619590.381233,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619590.387809,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619890.350379,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619890.388887,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619890.381447,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620190.382331,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620190.351117,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620190.389679,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620490.382935,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620490.351677,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620490.390195,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620790.383254,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620790.351948,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692620790.390435,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621090.384057,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621090.352166,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621090.391394,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621390.352858,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621390.384151,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621390.392093,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621690.353272,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-3","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621690.384484,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-1","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692621690.392362,"note":"CaptureLoss::Too_Little_Traffic","msg":"Only observed 0 TCP ACKs and was expecting at least 1.","peer_descr":"worker-1-2","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
{"ts":1692619225.950449,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1691,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619227.170289,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":341,"events_queued":341,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1801,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619228.546193,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":335,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1685,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619230.34881,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010895729064941406,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619230.380162,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011205673217773438,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619230.386149,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011110305786132813,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619525.95163,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":332,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1680,"active_timers":47,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619527.170678,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":349,"events_queued":349,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1809,"active_timers":52,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619528.546599,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":43,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619530.349309,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010895729064941406,"events_proc":340,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619530.380689,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011515617370605469,"events_proc":340,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619530.386591,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011515617370605469,"events_proc":340,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619825.952416,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1684,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619827.17183,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":341,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1800,"active_timers":49,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619828.547742,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":332,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1683,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619830.387731,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009989738464355469,"events_proc":342,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1591,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619830.349517,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009799003601074219,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692619830.380814,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009703636169433594,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620125.952875,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620127.172065,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":353,"events_queued":355,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1808,"active_timers":51,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620128.548578,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":43,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620130.38175,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00007581710815429688,"events_proc":344,"events_queued":342,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620130.350374,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00007510185241699219,"events_proc":344,"events_queued":342,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620130.388043,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009608268737792969,"events_proc":345,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1596,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620425.954151,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":332,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1683,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620427.172597,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":344,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1804,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620428.549041,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":335,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1685,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620430.382401,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009989738464355469,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620430.350987,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010395050048828125,"events_proc":343,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620430.388609,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010204315185546875,"events_proc":342,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1592,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620725.955077,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620727.17275,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":345,"events_queued":345,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1805,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620728.549331,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":43,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620730.382763,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011205673217773438,"events_proc":340,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620730.351322,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.000102996826171875,"events_proc":339,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692620730.388904,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011992454528808594,"events_proc":342,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1596,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621025.955675,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1684,"active_timers":47,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621027.173718,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":344,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1803,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621028.55032,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":332,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1683,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621030.383803,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009512901306152344,"events_proc":342,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1591,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621030.35203,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009799003601074219,"events_proc":345,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621030.389876,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009703636169433594,"events_proc":342,"events_queued":343,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1591,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621325.955859,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":334,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1684,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621327.174375,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":345,"events_queued":345,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1805,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621328.550995,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":43,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621330.352144,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011491775512695313,"events_proc":339,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621330.384166,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011396408081054688,"events_proc":342,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1596,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621330.390607,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00012683868408203125,"events_proc":339,"events_queued":340,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621625.956935,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":331,"events_queued":332,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1680,"active_timers":47,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621627.174755,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":345,"events_queued":345,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1805,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621628.551369,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":335,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1685,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621630.352507,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010800361633300781,"events_proc":344,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1594,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621630.384546,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010800361633300781,"events_proc":342,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1592,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621630.391068,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011205673217773438,"events_proc":346,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1596,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621925.957047,"peer":"logger","mem":143,"pkts_proc":0,"bytes_recv":0,"events_proc":335,"events_queued":334,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1685,"active_timers":48,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621927.174964,"peer":"manager","mem":144,"pkts_proc":0,"bytes_recv":0,"events_proc":351,"events_queued":351,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1805,"active_timers":50,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621928.551585,"peer":"proxy","mem":142,"pkts_proc":0,"bytes_recv":0,"events_proc":332,"events_queued":333,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1681,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621930.3527,"peer":"worker-1-3","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00010204315185546875,"events_proc":344,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1595,"active_timers":45,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621930.384649,"peer":"worker-1-1","mem":271,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00011205673217773438,"events_proc":346,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1597,"active_timers":46,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
{"ts":1692621930.391281,"peer":"worker-1-2","mem":270,"pkts_proc":0,"bytes_recv":0,"pkts_dropped":0,"pkts_link":0,"pkt_lag":0.00009822845458984375,"events_proc":342,"events_queued":344,"active_tcp_conns":0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1593,"active_timers":44,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}
/opt/zeek/share/zeekctl/scripts/run-zeek: line 61: ulimit: core file size: cannot modify limit: Operation not permitted
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) 0

theoretical tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enx0004a304918c, link-type EN10MB (Ethernet), capture size 262144 bytes
12:47:54.666550 IP6 soforwardnode5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
12:47:54.667731 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:a3:04:91:8c (oui Unknown), length 292
12:47:54.668096 IP6 soforwardnode5 > ff02::2: ICMP6, router solicitation, length 8
12:47:54.676045 IP6 soforwardnode5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
12:47:54.964153 IP6 soforwardnode5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
12:47:55.284114 IP6 soforwardnode5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
12:47:57.298349 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:a3:04:91:8c (oui Unknown), length 292
12:47:58.661961 IP6 soforwardnode5 > ff02::2: ICMP6, router solicitation, length 8
12:48:02.202360 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:a3:04:91:8c (oui Unknown), length 292
12:48:02.661078 IP6 soforwardnode5 > ff02::2: ICMP6, router solicitation, length 8
12:48:11.023169 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:a3:04:91:8c (oui Unknown), length 292
12:48:27.938697 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:a3:04:91:8c (oui Unknown), length 292
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

what may be interesting is the amount of Rx packets I receive but in the end I can caputre data with profishark manager or tcpdump

enx0004a304918c: flags=451<UP,BROADCAST,RUNNING,NOARP,PROMISC>  mtu 1500
        inet6 fe80::993e:7081:8c7f:bedc  prefixlen 64  scopeid 0x20<link>
        ether 00:04:a3:04:91:8c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 19185  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sensoroni logs

timestamp=2023-08-21T09:29:26.17958515Z level=info message="Starting agent"
timestamp=2023-08-21T09:29:26.212403937Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:29:36.222874817Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:29:46.231543933Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:29:56.24313427Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:06.256397637Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:16.266496604Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:26.275507916Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:36.287232479Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:46.298414977Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:30:56.307505938Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:06.320158056Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:16.331894026Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:26.344137975Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:36.360422543Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:46.372905706Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:31:56.384090441Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:06.395227194Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:16.411661425Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:26.42425657Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:36.435851884Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:46.448277855Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:32:56.459314655Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:06.472332378Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:16.486474483Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:26.497829509Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:36.511301097Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:46.519906271Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:33:56.531947425Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:34:06.546393881Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:34:16.558628562Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:34:26.570847529Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:34:36.583724429Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node
timestamp=2023-08-21T09:34:46.587369551Z level=info message="HTTP request finished" contentLength=-1 method=POST status="200 OK" statusCode=200 url=https://192.168.140.193/sensoroniagents/api/node

dougburks · 2023-08-22T11:28:23Z

dougburks
Aug 22, 2023
Maintainer

I don't know if we've tested with Profishark so we can't really guarantee that it works. Looking at your tcpdump output, it appears to be just broadcast and multicast traffic so I'm not sure that you're seeing the actual traffic that you want to see.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Zeek/Suricata/Stenographer can not pick up any data from NIC/Profishark #11117

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Zeek/Suricata/Stenographer can not pick up any data from NIC/Profishark #11117

Uh oh!

Uh oh!

ErlindS Aug 21, 2023

Replies: 1 comment

Uh oh!

dougburks Aug 22, 2023 Maintainer

ErlindS
Aug 21, 2023

dougburks
Aug 22, 2023
Maintainer