[Zeek] Re: zeek performance with some events activated
Palumbo Mauro
mauro.palumbo at aizoon.it
Fri Apr 19 00:29:21 PDT 2019
Hi Jon,
thanks. This is what I thought. We need to evaluate realtime traffic, not offline traffic.
I'll think about which way is better for us.
Mauro
-----Original Message-----
From: Jon Siwek [mailto:jsiwek at corelight.com]
Sent: Thursday, 18 April 2019 18:30
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek at zeek.org
Subject: Re: [Zeek] zeek performance with some events activated
On Thu, Apr 18, 2019 at 12:46 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
> I need to do some analysis on TCP flags and the event “tcp_packet” perfectly fits my needs. However, as stated in Zeek’s documentation, using this event may significantly affect Zeek’s performance, given the high number of TCP packets to look into.
>
> Is there any other way to look into TCP flags?
No other script-only method comes to mind.
> Would bypassing scriptland and modifying directly the C++ code be more efficient (though not the “proper” way to do it)?
Generally, yes.
You could always do a quick measurement of whether handling just an empty "tcp_packet" event is prohibitive for your use-case. If it's not, then some other factors to help decide whether to proceed further with script-only vs. C++ implementation might be:
(1) Length of time it would take to fully implement and test the script-only solution. If it's a lot of effort, might be worth just starting from a C++ implementation.
(2) Whether you plan to share this work w/ the wider community or it just needs to work for your particular case (for the latter a less performant, script-only solution is more acceptable).
- Jon
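The "quick measurement" Jon suggests, as an added example script that is not part of the thread: one handler that returns immediately (baseline cost of raising tcp_packet at all) and, behind a redef'able switch, the same handler tallying the TCP flag combinations it sees. It assumes Zeek 3.x event names (zeek_init/zeek_done) and the tcp_packet signature from the Zeek documentation; the module name and variable names are mine.

```zeek
# tcp_flags_measure.zeek (added example, not from the thread).
# Run once with measure_empty_only=T, once with F, on the same
# traffic and compare CPU time / packet drops between the two.

module TcpFlags;

export {
    ## T: handler returns at once (cost of raising the event only).
    ## F: handler also tallies the flag combinations it sees.
    const measure_empty_only = T &redef;
}

## Packets seen per flag string, e.g. "S", "SA", "A", "FA", "R".
global flag_counts: table[string] of count &default=0;
global pkts_seen: count = 0;
global started: time;

event zeek_init()
    {
    started = current_time();
    }

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
    {
    ++pkts_seen;

    if ( measure_empty_only )
        return;

    # Zeek encodes each set flag as a letter: S=SYN, F=FIN, R=RST,
    # A=ACK, P=PUSH, U=URG. Tally the combination as a whole.
    ++flag_counts[flags];
    }

event zeek_done()
    {
    local secs = interval_to_double(current_time() - started);
    print fmt("tcp_packet raised %d times in %.1fs (empty handler: %s)",
              pkts_seen, secs, measure_empty_only);

    if ( measure_empty_only )
        return;

    for ( f in flag_counts )
        print fmt("  flags=%s packets=%d", f, flag_counts[f]);
    }
```

Switch modes from the command line without editing the file, e.g. `zeek -i eth0 tcp_flags_measure.zeek TcpFlags::measure_empty_only=F`, and read drop counts from the usual Zeek statistics to compare the two runs.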