[Zeek] Mirror the first N packets of a flow to Zeek

thushjandan.ponnudurai at id.unibe.ch thushjandan.ponnudurai at id.unibe.ch
Tue Feb 12 23:13:15 PST 2019


Hi Scott,

Thank you for your detailed explanation!

The switches we mentioned are actually configured such that they export
NetFlow v9 information about all flows and additionally the first 15 payload
packets of each flow. So we think that with those two information sources
each flow should be fully identified.

We'll contact the switch vendor - Extreme Networks - to ask whether it is
possible to stop sending flow information and partial mirror packets on
demand.

Best regards,
Thushjandan

-----Original Message-----
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of Scott Sakai
Sent: Monday, 11 February 2019 19:42
To: zeek at zeek.org
Subject: Re: [Zeek] Mirror the first N packets of a flow to Zeek

That largely depends on what you want to get out of Zeek, and the size of
the packets.

As an example, the packets may vary in size from 576 bytes to 1500 or 9000+
bytes.  If your mirror only counts packets, not payload bytes, that's the
difference between somewhat usable data from the protocol analyzers and
garbage.

You may also want the -last- packets in the flow, in particular the fin,
fin+ack, and rst; otherwise the conn log won't have accurate information
about the flow's duration or size.

If you just need a "there was an attempted connection that probably
succeeded", then yeah, 15 packets will do.  Deeper analysis requires more
data, though not necessarily all of the flow.

It seems like your switches may be able to track flows.  If this is the
case, maybe see if they can also drop flows from the mirror on demand.
Zeek has the capability to say "Stop sending me this flow, I am done with
it." (implementing the flow shunting on an uncommon switch may be an
exercise for the student). In such a case, you'll still want to get Zeek the
packet headers with ack, fin, rst, so the connection tracking still works.


On 02/11/2019 01:13 AM, thushjandan.ponnudurai at id.unibe.ch wrote:
> Hi guys,
> 
> I am considering evaluating Zeek for my organization. To reduce the data,
> which could accumulate if we start mirroring the traffic, my team is
> considering not mirroring the full traffic. To achieve this goal we
> have found on our Extreme Networks K- and S-Series switches a very
> interesting feature. They are able to mirror the first few packets of
> a flow. It is possible to adjust this value, for example the first 15
> packets of a flow.
> 
> Can Zeek also work well with the first 15 packets of a flow?
> 
> Best regards,
> 
> Thushjandan
> 
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 


--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851
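Scott's "stop sending me this flow" capability is Zeek's NetControl shunting. The script below is an added example, not code from the thread or from Zeek's distribution: it uses Zeek's ConnThreshold and NetControl frameworks to request a shunt once a TCP connection has carried a configurable number of bytes in either direction. It assumes the built-in debug backend (which only logs the request); a real backend for the switch in use, and whether that backend keeps forwarding the ack/fin/rst headers Zeek still needs for connection tracking, is left to the reader as the thread itself says.

```zeek
# Added example (not from the thread): shunt a connection after it has
# carried `shunt_after_bytes` bytes in one direction, using NetControl.
@load base/frameworks/netcontrol
@load base/protocols/conn/thresholds

module PartialFlow;

export {
	## Per-direction byte count after which the flow is shunted (assumed value).
	const shunt_after_bytes: count = 20000 &redef;
	## How long the switch should keep the flow away from Zeek (assumed value).
	const shunt_duration: interval = 1hr &redef;
}

# Remember which connections we already asked the switch to shunt.
redef record connection += {
	shunted: bool &default=F;
};

event NetControl::init()
	{
	# Debug backend: logs what would be sent instead of talking to a device.
	# Replace with the backend that matches your switch.
	local p = NetControl::create_debug(T);
	NetControl::activate(p, 0);
	}

event connection_established(c: connection)
	{
	# Only fires for TCP with a completed handshake. Watch both directions
	# so a one-sided transfer (e.g. a large download) still triggers it.
	ConnThreshold::set_bytes_threshold(c, shunt_after_bytes, T);
	ConnThreshold::set_bytes_threshold(c, shunt_after_bytes, F);
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	if ( threshold != shunt_after_bytes || c$shunted )
		return;
	c$shunted = T;

	# shunt_flow is unidirectional, so request both directions of the flow.
	local fwd: flow_id = [$src_h=c$id$orig_h, $src_p=c$id$orig_p,
	                      $dst_h=c$id$resp_h, $dst_p=c$id$resp_p];
	local rev: flow_id = [$src_h=c$id$resp_h, $src_p=c$id$resp_p,
	                      $dst_h=c$id$orig_h, $dst_p=c$id$orig_p];
	NetControl::shunt_flow(fwd, shunt_duration);
	NetControl::shunt_flow(rev, shunt_duration);
	}
```

With the debug backend the requests appear in netcontrol.log, which is a convenient way to check the threshold logic against a pcap before wiring up a real switch.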