[Zeek] Adding flow and packet stats on conn log

Federico Foschini undicizeri at gmail.com
Thu Jun 25 00:37:41 PDT 2020


Hello,
I'm reading a bunch of papers on interesting features for machine learning
applied to network traffic, for example CSE-CIC (
https://www.unb.ca/cic/datasets/ids-2018.html).

My question is: is it possible to add this type of statistic to conn.log?
- average packet size
- minimum packet size
- maximum packet size
- total time between two packets
- mean time between two packets
- etc.

Reading the documentation I saw this event:
https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.html#id-tcp_packet
but, as stated by the documentation itself, it will lead to very poor
performance.

The other code I think could be relevant is the TCP analyzer:
https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/src/analyzer/protocol/tcp/TCP.cc


I've never contributed to Zeek before and I don't know the codebase at all,
so do you think Zeek would be capable of generating this type of stats? Is
TCP.cc the right place to implement those features? Are there issues I am
overlooking?
-- 
Federico Foschini.
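The script below is an added example, not code from the original post or from the Zeek project. It shows what the script-level version of the request looks like: a per-packet `new_packet` handler keeps running counters (min/max/sum of IP length, sum of inter-arrival gaps) on the `connection` record, and a `connection_state_remove` handler copies the results into new `Conn::Info` fields so they land in conn.log. It uses only standard Zeek script APIs (`new_packet`, `pkt_hdr`, `redef record`, `network_time()`); the file name `conn-pkt-stats.zeek` and the record/field names are assumptions. Like `tcp_packet`, `new_packet` fires once per packet, so it carries exactly the performance cost the linked documentation warns about; a production implementation would move the same arithmetic into the core (the conn-size analyzer already maintains `orig_pkts`, `orig_ip_bytes`, `resp_pkts` and `resp_ip_bytes` there, from which a per-direction mean packet size can be derived with no per-packet event at all).

```zeek
##! Added example (not part of the original post or of Zeek itself):
##! per-connection packet size and inter-arrival statistics appended to
##! conn.log, computed entirely in script-land from the new_packet event.
##! Assumed file name: conn-pkt-stats.zeek

module ConnPktStats;

export {
	redef record Conn::Info += {
		## Packets seen in either direction.
		pkt_n:     count    &log &default=0;
		## Smallest and largest IP packet (bytes, including IP header).
		pkt_min:   count    &log &optional;
		pkt_max:   count    &log &optional;
		## Mean IP packet size in bytes.
		pkt_mean:  double   &log &optional;
		## Total and mean gap between consecutive packets.
		iat_total: interval &log &optional;
		iat_mean:  interval &log &optional;
	};
}

## Running counters kept on the connection while it is live (assumed name).
type PktStats: record {
	n:         count    &default=0;
	bytes_min: count    &default=0;
	bytes_max: count    &default=0;
	bytes_sum: count    &default=0;
	last_ts:   time     &optional;
	iat_sum:   interval &default=0sec;
};

redef record connection += {
	pstats: PktStats &optional;
};

## Total IP length of the packet in bytes, or 0 if it carries no IP header.
function ip_len(p: pkt_hdr): count
	{
	if ( p?$ip )
		return p$ip$len;
	if ( p?$ip6 )
		# ip6_hdr$len is the payload length; add the 40-byte base header.
		return p$ip6$len + 40;
	return 0;
	}

## Raised once per packet: this is the expensive part.
event new_packet(c: connection, p: pkt_hdr)
	{
	local sz = ip_len(p);
	if ( sz == 0 )
		return;

	# Initialise explicitly rather than via &default so that the
	# counters are stored on the connection and survive across packets.
	if ( ! c?$pstats )
		c$pstats = PktStats();

	local s = c$pstats;
	local now = network_time();

	if ( s$n == 0 || sz < s$bytes_min )
		s$bytes_min = sz;
	if ( sz > s$bytes_max )
		s$bytes_max = sz;
	s$bytes_sum += sz;

	# Inter-arrival time: gap since the previous packet of this connection.
	if ( s?$last_ts )
		s$iat_sum += now - s$last_ts;
	s$last_ts = now;

	s$n += 1;
	}

## base/protocols/conn/main.zeek fills Conn::Info at priority 5 and writes
## it at priority -5, so priority -1 runs after the fill and before the write.
event connection_state_remove(c: connection) &priority=-1
	{
	if ( ! c?$conn || ! c?$pstats )
		return;

	local s = c$pstats;
	c$conn$pkt_n = s$n;
	c$conn$pkt_min = s$bytes_min;
	c$conn$pkt_max = s$bytes_max;
	c$conn$pkt_mean = (s$bytes_sum + 0.0) / s$n;
	c$conn$iat_total = s$iat_sum;
	# n packets have n-1 gaps between them.
	if ( s$n > 1 )
		c$conn$iat_mean = s$iat_sum / (s$n - 1);
	}
```

Run it offline against a capture with `zeek -r trace.pcap conn-pkt-stats.zeek` and the new columns appear at the end of conn.log; the `iat_*` fields are absent for single-packet connections, and `pkt_mean` is the mean over both directions combined, so split the counters by `c$id` direction if the papers need per-direction features.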