Docket only returns packets from one interface on system with multiple sensor interfaces

I have RockNSM 2.5.0-2002 up and running on a single node box that has one management interface (enp0s3) and two sensor interfaces (enp0s8, enp0s9). For the most part, everything is working; however, when I pull a trace with docket through https://rocknsm/app/docket/ I only get packets that came in on enp0s8.

I know there is data coming in both interfaces because I see two dirs in /data/stenographer and they both have lots of data.

[root@simplerockbuild stenographer]# du -s *
45306620        enp0s8
43510736        enp0s9
[root@simplerockbuild stenographer]#

Is there a way I can specify an interface to pull from in the URL or configure Docket to read both enp0s8 and enp0s9 directories when I request trace data?

I tried to modify the STENOGRAPHER_INSTANCES: section of /etc/docket/prod.yaml like this…

  [{"ca": "/etc/pki/docket/simplerockbuild_ca_cert.pem", "host": "", "cert": "/etc/pki/docket/docket-simplerockbuild_sensor-simplerockbuild_cert.pem", "key": "/etc/pki/docket/docket_192.168.2.123_key.pem", "sensor": "enp0s8", "port": 1234},{"ca": "/etc/pki/docket/simplerockbuild_ca_cert.pem", "host": "", "cert": "/etc/pki/docket/docket-simplerockbuild_sensor-simplerockbuild_cert.pem", "key": "/etc/pki/docket/docket_192.168.2.123_key.pem", "sensor": "enp0s9", "port": 1235}]

…but it didn’t help, I still only get packets from enp0s8.

Thanks a bunch for this software. It’s awesome.

Is the firewall open for both ports? 1234 and 1235?

This problem has resolved itself and I’m pretty sure I didn’t change anything except doing a reboot. I now see both interface names show up in the query status page (screenshot below) as the query runs, and packets from both interfaces appear in the resulting merged.pcap file. I am thinking that after I modified the /etc/docket/prod.yaml file with the extra STENOGRAPHER_INSTANCES attributes, I didn’t completely restart Docket or maybe some other dependency, and the reboot took care of that.

To answer your question about firewall blocking, I did verify that there wasn’t any firewall blocking going on by running tcpdump -i lo port 1234 or port 1235 while I pulled a trace. The tcpdump output showed two-way TCP conversations on both ports.

Thanks for your assistance. Docket and Stenographer are awesome. It’s really nice to have an economical multi-NIC trace collection system.
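
The checks discussed in this thread (one STENOGRAPHER_INSTANCES entry per capture directory, a distinct port for each, and a reachable listener) can be scripted. The following is an added example, not part of the thread or of Docket itself: the function names are hypothetical, the sample entries and paths are constructed, and it assumes each directory under /data/stenographer is named after the entry's "sensor" value and that an empty "host" means loopback.

```python
import socket

def check_instances(instances, capture_dirs):
    """Return a list of problems in a STENOGRAPHER_INSTANCES-style list."""
    problems, seen, sensors = [], {}, set()
    for i, inst in enumerate(instances):
        sensor, port = inst.get("sensor"), inst.get("port")
        sensors.add(sensor)
        for field in ("ca", "cert", "key"):  # TLS material each entry carries
            if not inst.get(field):
                problems.append(f"entry {i} ({sensor}): missing {field}")
        if not isinstance(port, int) or not 0 < port < 65536:
            problems.append(f"entry {i} ({sensor}): bad port {port!r}")
            continue
        endpoint = (inst.get("host") or "127.0.0.1", port)  # assumption: "" = loopback
        if endpoint in seen:
            problems.append(
                f"entry {i} ({sensor}): port {port} already used by {seen[endpoint]}")
        else:
            seen[endpoint] = sensor
    # Assumption: capture directory names equal the configured sensor names.
    for d in sorted(set(capture_dirs) - sensors):
        problems.append(f"capture dir {d}: no instance configured")
    return problems

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to the instance's port succeeds."""
    try:
        with socket.create_connection((host or "127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample mirroring the two-interface layout in the thread;
# the certificate paths are placeholders.
INSTANCES = [
    {"ca": "/path/to/ca.pem", "host": "", "cert": "/path/to/cert.pem",
     "key": "/path/to/key.pem", "sensor": "enp0s8", "port": 1234},
    {"ca": "/path/to/ca.pem", "host": "", "cert": "/path/to/cert.pem",
     "key": "/path/to/key.pem", "sensor": "enp0s9", "port": 1235},
]

if __name__ == "__main__":
    for problem in check_instances(INSTANCES, ["enp0s8", "enp0s9"]):
        print("PROBLEM:", problem)
    for inst in INSTANCES:
        state = "open" if port_open(inst["host"], inst["port"]) else "closed"
        print(inst["sensor"], inst["port"], state)
```

A clean result only shows the configuration is consistent and the ports answer; it does not show that the running Docket process has loaded the edited file.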