[Zeek] R: zeek performance with some events activated

Palumbo Mauro mauro.palumbo at aizoon.it
Fri Apr 19 00:29:21 PDT 2019


Hi Jon, 
   thanks. This is what I thought. We need to evaluate realtime traffic, not offline traffic. 

I'll think about which way is better for us. 

Mauro

-----Original message-----
From: Jon Siwek [mailto:jsiwek at corelight.com] 
Sent: Thursday, 18 April 2019 18:30
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek at zeek.org
Subject: Re: [Zeek] zeek performance with some events activated

On Thu, Apr 18, 2019 at 12:46 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:

>      I need to do some analysis on TCP flags and the event “tcp_packet” perfectly fits my needs. However, as stated in Zeek’s documentation, using this event may significantly affect Zeek’s performance, given the high number of TCP packets to look into.
>
> Is there any other way to look into TCP flags?

No other script-only method comes to mind.

> Would bypassing scriptland and modifying directly the C++ code be more efficient (though not the “proper” way to do it)?

Generally, yes.

You could always do a quick measurement of whether handling just an empty "tcp_packet" event is prohibitive for your use-case.  If it's not, then some other factors to help decide whether to proceed further with script-only vs. C++ implementation might be:

(1) Length of time it would take to fully implement and test the script-only solution.  If it's a lot of effort, might be worth just starting from a C++ implementation.

(2) Whether you plan to share this work w/ the wider community or it just needs to work for your particular case (for the latter a less performant, script-only solution is more acceptable).

- Jon
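The measurement Jon suggests, as an added example script that is not part of the thread and not Zeek's own code: stage one is a literally empty `tcp_packet` handler, so the only cost measured is Zeek raising the event for every TCP segment; stage two (switched on with a `redef`) does the flag analysis Mauro is asking about. The module name `TcpFlagsProbe`, the `count_flags` switch and the counters are this example's own names. The `tcp_packet` signature and the one-letter-per-flag convention of its `flags` argument (S, F, R, A, P, U) are Zeek's.

```zeek
##! Added example, not from the mailing-list thread or the Zeek tree.
##! Step 1: load with count_flags = F to measure only the event-dispatch cost.
##! Step 2: redef count_flags = T to measure the real flag analysis on top.

module TcpFlagsProbe;

export {
	## F: only the empty handler below does any work.
	## T: also tally TCP flags per packet and count SYN+FIN anomalies.
	const count_flags = F &redef;
}

global total_pkts = 0;
global syn_fin_pkts = 0;   # segments with both SYN and FIN set (never legitimate)
global flag_tally: table[string] of count =
	table(["S"] = 0, ["F"] = 0, ["R"] = 0, ["A"] = 0, ["P"] = 0, ["U"] = 0);

# Stage 1: an empty handler. With only this loaded, the difference in
# runtime versus a bare Zeek run is the cost of raising tcp_packet itself.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	}

# Stage 2: the actual analysis, one substring test per flag letter.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	if ( ! count_flags )
		return;

	++total_pkts;

	for ( f in flag_tally )
		if ( f in flags )
			++flag_tally[f];

	# Both SYN and FIN in one segment is a classic scan/evasion artefact.
	if ( "S" in flags && "F" in flags )
		++syn_fin_pkts;
	}

event zeek_done()
	{
	if ( ! count_flags )
		return;

	print fmt("tcp_packet events handled: %d", total_pkts);
	for ( f in flag_tally )
		print fmt("  flag %s set in %d segments", f, flag_tally[f]);
	print fmt("  SYN+FIN anomalies: %d", syn_fin_pkts);
	}
```

To compare the stages on the same trace, run `time zeek -r trace.pcap` (no script), then `time zeek -r trace.pcap tcp_flags_probe.zeek`, then the same with `-e 'redef TcpFlagsProbe::count_flags = T;'`. The first delta is what Jon calls the cost of the empty handler; the second is the cost of the analysis itself. On a live interface (`-i`), where Mauro says the evaluation must happen, the equivalent check is whether `capture_loss.log` starts reporting drops once the script is loaded.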


