[Zeek] Adding flow and packet stats on conn log

jamie brim bramiejim at gmail.com
Fri Jun 26 07:39:12 PDT 2020


If you're working with pcaps, you could possibly achieve this with a script.
There's a tcp_packet event
<https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-tcp_packet>
that provides the connection as well as the length of the packet.
For times, the network_time built-in function
<https://docs.zeek.org/en/current/scripts/base/bif/zeek.bif.zeek.html#id-network_time>
should help you get started.

I would be careful trying this with live traffic; you might wind up having
an unacceptable performance impact on your workers, as that's a pretty
frequent event.

On Thu, Jun 25, 2020 at 3:41 AM Federico Foschini <undicizeri at gmail.com>
wrote:

> Hello,
> I'm reading a bunch of papers on interesting features for machine learning
> applied to network traffic. For example CSE-CIC (
> https://www.unb.ca/cic/datasets/ids-2018.html)
>
> My question is: is it possible to add this type of statistic on conn.log?
> - average packet size
> - minimum packet size
> - maximum packet size
> - total time between two packets
> - mean time between two packets etc.
> - etc.
>
> Reading the documentation I saw these events
> https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.html#id-tcp_packet but,
> as stated by the documentation itself, it will lead to very poor performance.
>
> The other code I think could be relevant is the TCP analyzer:
> https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/src/analyzer/protocol/tcp/TCP.cc
>
>
> I've never contributed to Zeek before and I don't know the codebase at
> all, so do you think Zeek would be capable of generating this type of
> stats? Is TCP.cc the right place to implement those features? Are there
> issues I am overlooking?
> --
> Federico Foschini.
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
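The approach Jamie sketches, written out as an added example (not code from this thread or from the Zeek project): a script that hooks tcp_packet and network_time() to accumulate per-connection packet-size and inter-arrival statistics, then copies them into new Conn::Info fields so they appear as extra columns in conn.log. The module name PktStats and all field names are my own choices; note that the len argument of tcp_packet is the TCP payload length, not the full frame size, and that the per-packet handler carries the performance cost Jamie warns about.

```zeek
@load base/protocols/conn

module PktStats;

export {
    # New conn.log columns (assumed names, not part of Zeek's default schema).
    redef record Conn::Info += {
        pkt_count: count    &log &optional;  # TCP packets seen in either direction
        pkt_min:   count    &log &optional;  # smallest TCP payload length
        pkt_max:   count    &log &optional;  # largest TCP payload length
        pkt_avg:   double   &log &optional;  # mean TCP payload length
        iat_mean:  interval &log &optional;  # mean time between consecutive packets
    };
}

# Running state kept on each connection while it is alive.
type State: record {
    n:       count    &default=0;
    total:   count    &default=0;
    min_len: count    &default=0;
    max_len: count    &default=0;
    iat_sum: interval &default=0secs;
    last_ts: time     &optional;
};

redef record connection += {
    pstats: State &optional;
};

# Fires once per TCP packet: this is the expensive part on live traffic.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    if ( ! c?$pstats )
        c$pstats = State();
    local s = c$pstats;          # records are references, so edits land in c$pstats
    local now = network_time();  # timestamp of the packet being processed

    if ( s$n == 0 || len < s$min_len )
        s$min_len = len;
    if ( len > s$max_len )
        s$max_len = len;
    if ( s?$last_ts )
        s$iat_sum += now - s$last_ts;   # inter-arrival time since previous packet
    s$last_ts = now;
    s$total += len;
    ++s$n;
    }

# Runs before the conn.log record is written (priority -5), so c$conn is populated.
event connection_state_remove(c: connection)
    {
    if ( ! c?$pstats || ! c?$conn )
        return;
    local s = c$pstats;
    c$conn$pkt_count = s$n;
    c$conn$pkt_min = s$min_len;
    c$conn$pkt_max = s$max_len;
    c$conn$pkt_avg = 1.0 * s$total / s$n;   # force double arithmetic
    if ( s$n > 1 )
        c$conn$iat_mean = s$iat_sum / (s$n - 1);  # n packets give n-1 gaps
    }
```

Run it offline with `zeek -r trace.pcap pktstats.zeek` and the new columns appear at the end of conn.log; connections with a single packet get no iat_mean, since there is no gap to average.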