[Zeek] zeek performance with some events activated

Jon Siwek jsiwek at corelight.com
Thu Apr 18 09:30:21 PDT 2019


On Thu, Apr 18, 2019 at 12:46 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:

>      I need to do some analysis on TCP flags and the event “tcp_packet” perfectly fits my needs. However, as stated in Zeek’s documentation, using this event may significantly affect Zeek’s performance, given the high number of TCP packets to look into.
>
> Is there any other way to look into TCP flags?

No other script-only method comes to mind.

> Would bypassing scriptland and modifying directly the C++ code be more efficient (though not the “proper” way to do it)?

Generally, yes.

You could always do a quick measurement of whether handling just an
empty "tcp_packet" event is prohibitive for your use case.  If it's
not, then some other factors to help decide whether to proceed further
with script-only vs. C++ implementation might be:

(1) Length of time it would take to fully implement and test the
script-only solution.  If it's a lot of effort, might be worth just
starting from a C++ implementation.

(2) Whether you plan to share this work w/ the wider community or it
just needs to work for your particular case (for the latter a less
performant, script-only solution is more acceptable).

- Jon
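The measurement Jon suggests can be done with a small script, timed against a capture. The script below is an added example written for this page, not code from the original thread or from the Zeek project. It assumes the `tcp_packet` event signature documented by Zeek (where `flags` is a string such as "S", "SA" or "FA"), the `zeek_done` event name from Zeek 3.x (older releases call it `bro_done`), and a capture file named `traffic.pcap`; the `TCPFlags` module name and the `flag_counts` table are the example's own.

```zeek
# Added example (not from the original thread or the Zeek project).
#
# Measure the cost of handling tcp_packet on a capture, for instance:
#   time zeek -r traffic.pcap                  # baseline, no handler
#   time zeek -r traffic.pcap tcp_flags.zeek   # with this script loaded
# Uncomment the empty handler (and comment out the counting one) to
# measure only the cost of raising the event with no work attached.
# Replaying a pcap is not identical to live capture, but the relative
# difference between the two runs is what matters here.
#
# Assumptions: tcp_packet's documented signature, Zeek 3.x event naming
# (zeek_done), and that `flags` carries one letter per set TCP flag.

# event tcp_packet(c: connection, is_orig: bool, flags: string,
#                  seq: count, ack: count, len: count, payload: string)
#     {
#     # intentionally empty: measures event dispatch overhead only
#     }

module TCPFlags;

export {
    ## Single-letter flag codes as they appear in tcp_packet's `flags`.
    const flag_codes: vector of string = vector("S", "A", "F", "R", "P", "U");

    ## Number of packets seen carrying each flag (a "SA" packet counts
    ## once under "S" and once under "A").
    global flag_counts: table[string] of count &default=0;

    ## Total number of tcp_packet events handled.
    global total_packets: count = 0;
}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
    {
    ++total_packets;

    # Substring test on the flags string; avoids any string-iteration
    # syntax that may not exist in older Zeek releases.
    for ( i in flag_codes )
        {
        local f = flag_codes[i];
        if ( f in flags )
            ++flag_counts[f];
        }
    }

event zeek_done()
    {
    print fmt("tcp_packet events handled: %d", total_packets);
    for ( f in flag_counts )
        print fmt("  flag %s: %d", f, flag_counts[f]);
    }
```

If the run with the empty handler is already too slow for the traffic volume in question, no amount of optimizing the script body will help, which is exactly the point of measuring the empty handler first.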


