[Zeek] Mirror the first N packets of a flow to Zeek

Scott Sakai ssakai at sdsc.edu
Mon Feb 11 10:42:16 PST 2019


That largely depends on what you want to get out of Zeek, and the size of
the packets.

As an example, the packets may vary in size from 576 bytes to 1500 or 9000+
bytes.  If your mirror only counts packets, not payload bytes, that's the
difference between somewhat usable data from the protocol analyzers and
garbage.

You may also want the -last- packets in the flow, in particular the fin,
fin+ack, and rst; otherwise the conn log won't have accurate information
about the flow's duration or size.

If you just need a "there was an attempted connection that probably
succeeded", then yeah, 15 packets will do.  Deeper analysis requires more
data, though not necessarily all of the flow.

It seems like your switches may be able to track flows.  If this is the
case, maybe see if they can also drop flows from the mirror on demand.
Zeek has the capability to say "Stop sending me this flow, I am done with
it." (implementing the flow shunting on an uncommon switch may be an
exercise for the student). In such a case, you'll still want to get Zeek
the packet headers with ack, fin, rst, so the connection tracking still works.


On 02/11/2019 01:13 AM, thushjandan.ponnudurai at id.unibe.ch wrote:
> Hi guys,
> 
> I am considering evaluating Zeek for my organization. To reduce the data
> that could accumulate if we start mirroring the traffic, my team is
> considering not mirroring the full traffic. To achieve this goal we have
> found a very interesting feature on our Extreme Networks K- and S-Series
> switches: they are able to mirror the first few packets of a flow, and
> the number is adjustable, for example the first 15 packets of a flow.
> 
> Can Zeek also work well with the first 15 packets of a flow?
> 
> Best regards,
> 
> Thushjandan


-- 
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851
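A check a reader evaluating this setup could run over a conn.log produced from the truncated mirror, added here as an example and not part of either message: it parses Zeek's TSV conn.log, flags TCP connections whose history has no FIN/RST and whose packet count reached the mirror budget (the partial duration and size case described above), and reports the IP bytes that did arrive for those flows to show how differently a fixed packet count translates into bytes. The sample log lines are constructed, and the budget of 15 is assumed to count both directions combined.

```python
"""Flag conn.log entries whose tail a packet-count mirror likely dropped."""

# Constructed sample conn.log (Zeek TSV with a #fields header); not data from
# the original poster's network.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1549884000.1\tCAbc1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t0.42\t1200\t5800\tSF\tT\tF\t0\tShADadFf\t7\t1600\t6\t6200\t-
1549884001.2\tCAbc2\t10.0.0.5\t51002\t93.184.216.34\t443\ttcp\tssl\t0.11\t1200\t14000\tS1\tT\tF\t0\tShADad\t7\t1600\t8\t14400\t-
1549884002.3\tCAbc3\t10.0.0.6\t40000\t10.0.0.9\t22\ttcp\tssh\t0.05\t600\t1800\tS1\tT\tT\t0\tShADad\t8\t1000\t7\t2100\t-
1549884003.4\tCAbc4\t10.0.0.7\t40001\t10.0.0.9\t80\ttcp\t-\t0.001\t0\t0\tREJ\tT\tT\t0\tSr\t1\t60\t1\t40\t-
1549884004.5\tCAbc5\t10.0.0.7\t53001\t10.0.0.2\t53\tudp\tdns\t0.01\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t-
"""

# Zeek history letters for FIN (F/f) and RST (R/r) from originator/responder.
TERMINATION_FLAGS = set("FfRr")

def parse_conn_log(text: str) -> list[dict[str, str]]:
    """Parse Zeek's TSV conn.log into one dict per connection."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def is_truncated(row: dict[str, str], packet_budget: int) -> bool:
    """TCP flow with no FIN/RST whose packet count hit the mirror budget."""
    if row["proto"] != "tcp":
        return False
    saw_end = bool(TERMINATION_FLAGS & set(row["history"]))
    pkts = int(row["orig_pkts"]) + int(row["resp_pkts"])
    return not saw_end and pkts >= packet_budget

def summarize(text: str, packet_budget: int = 15) -> dict:
    """Count cut-off TCP flows and the IP bytes that still arrived for each."""
    tcp = [r for r in parse_conn_log(text) if r["proto"] == "tcp"]
    cut = [r for r in tcp if is_truncated(r, packet_budget)]
    return {
        "tcp_connections": len(tcp),
        "truncated": [r["uid"] for r in cut],
        "truncated_fraction": len(cut) / len(tcp) if tcp else 0.0,
        "ip_bytes_seen": {r["uid"]: int(r["orig_ip_bytes"]) + int(r["resp_ip_bytes"])
                          for r in cut},
    }
```

Run on a real conn.log, a high truncated fraction means the conn log's duration and size columns for those flows cannot be trusted, and the spread in ip_bytes_seen shows why a byte-based mirror budget behaves differently from a packet-based one.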

