[Zeek] zeek performance with some events activated

Jim Mellander jmellander at lbl.gov
Thu Apr 18 09:57:19 PDT 2019


Another consideration to think about is whether you can run against a pcap
offline, or if you need realtime analysis.  For offline analysis you can
turn off all policies except the one you're particularly interested in.

On Thu, Apr 18, 2019 at 9:40 AM Jon Siwek <jsiwek at corelight.com> wrote:

> On Thu, Apr 18, 2019 at 12:46 AM Palumbo Mauro <mauro.palumbo at aizoon.it>
> wrote:
>
> >      I need to do some analysis on TCP flags and the event “tcp_packet”
> perfectly fits my needs. However, as stated in Zeek’s documentation, using
> this event may significantly affect Zeek’s performance, given the high
> number of TCP packets to look into.
> >
> > Is there any other way to look into TCP flags?
>
> No other script-only method comes to mind.
>
> > Would bypassing scriptland and modifying directly the C++ code be more
> efficient (though not the “proper” way to do it)?
>
> Generally, yes.
>
> You could always do a quick measurement of whether handling just an
> empty "tcp_packet" event is prohibitive for your use-case.  If it's
> not, then some other factors to help decide whether to proceed further
> with script-only vs. C++ implementation might be:
>
> (1) Length of time it would take to fully implement and test the
> script-only solution.  If it's a lot of effort, might be worth just
> starting from a C++ implementation.
>
> (2) Whether you plan to share this work w/ the wider community or it
> just needs to work for your particular case (for the latter a less
> performant, script-only solution is more acceptable).
>
> - Jon
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
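
The two suggestions in this thread (measure the cost of a bare "tcp_packet" handler first, and run offline against a pcap with everything else turned off) combine into one small script. This is an added example, not code from the thread or from the Zeek project; it assumes Zeek 3.0 or later (for the zeek_done event), and the module name, the measure_only switch and the list of flag combinations treated as suspicious are illustrative choices, not anything the posters described.

```zeek
# tcp_flag_stats.zeek (added example, not from the mailing-list thread)
#
# Histograms the TCP flag strings Zeek hands to tcp_packet, and reports
# combinations that a well-formed TCP stack never emits. A redef-able
# switch keeps only the event dispatch so the raw cost of handling
# tcp_packet can be timed, as suggested in the thread.

module TcpFlagStats;

export {
    # Set to T to turn the handler into an empty one (dispatch cost only):
    #   zeek -b -r capture.pcap tcp_flag_stats.zeek TcpFlagStats::measure_only=T
    const measure_only = F &redef;

    # Flag strings seen, keyed by the string Zeek passes (e.g. "S", "SA", "PA").
    global flag_counts: table[string] of count &default=0;
}

# Returns T for combinations that should not occur in normal traffic.
# The checks use single-character membership so they do not depend on the
# order in which Zeek assembles the flag string.
# Hypothetical policy for illustration: SYN+FIN, null (no flags) and
# FIN+PSH+URG without ACK ("Xmas") are treated as suspicious.
function is_suspicious(flags: string): bool
    {
    if ( flags == "" )
        return T;

    if ( "S" in flags && "F" in flags )
        return T;

    if ( "F" in flags && "P" in flags && "U" in flags && ! ("A" in flags) )
        return T;

    return F;
    }

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Empty-handler mode: the event is still raised and dispatched for every
    # TCP packet, which is exactly the overhead being measured.
    if ( measure_only )
        return;

    ++flag_counts[flags];

    if ( is_suspicious(flags) )
        print fmt("%s suspicious flags '%s' from %s:%s to %s:%s (orig=%s len=%d)",
                  network_time(), flags,
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  is_orig, len);
    }

event zeek_done()
    {
    if ( measure_only )
        return;

    for ( f in flag_counts )
        print fmt("flags=%-4s packets=%d", f, flag_counts[f]);
    }
```

For the offline measurement Jim describes, run `zeek -b -r capture.pcap tcp_flag_stats.zeek` so that bare mode (-b) loads none of the default policy scripts and the only per-packet script work is this handler; time that run with `TcpFlagStats::measure_only=T` and again with the default `F`, and compare both against `zeek -b -r capture.pcap` with no script at all. The gap between the no-script run and the measure_only run is the dispatch overhead Jon refers to; the gap between measure_only and the full handler is what the actual flag logic costs.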