Hi Michal,
We’re working with Zeek on the same project as Paul and have opted to use Zeek within a Docker container since it works better for our workflow. It’s my first time using AF_PACKET, so it would be nice to have a second set of eyes from you on it if you don’t mind.
I’ve bridged all interfaces that need to be analyzed:
https://github.com/cybera/jsp-zeek/blob/master/host/60-zeek-bridge.yaml
Then I’ve disabled hardware features on the NIC, which is done on each boot: https://github.com/cybera/jsp-zeek/blob/master/host/ethtool.sh
I’m using “interface=af_packet::br0” and pinning CPUs for the workers, manager, and proxy: https://github.com/cybera/jsp-zeek/blob/master/docker/files/etc/node.cfg
We don’t have a ton of traffic being analyzed yet, but we want to make sure we have a decent setup for when we start ingesting more data. I’ve pieced this together from various Zeek articles I’ve read, so hopefully it’s not too much of a Frankenstein’s Monster.
Any help would be appreciated!
Cheers,
Andrew
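One thing worth verifying in a setup like the one described above (the bridge plus the per-boot ethtool.sh) is that the NIC offloads actually ended up off, since GRO/LRO/TSO let the kernel or NIC merge segments and Zeek then sees frames that never existed on the wire. The script below is an added example, not code from the jsp-zeek repository: it audits `ethtool -k` style output for offloads that are still on and prints the `ethtool -K` command that would turn them off. The interface name `br0`, the list of watched features and the sample `ethtool -k` text are all constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the jsp-zeek repo): audit a capture interface's NIC
# offload settings, the kind of check to run after ethtool.sh on each boot.
# The interface name "br0" and the feature list below are assumptions.

# Offload features that should be off on a capture interface because they let
# the kernel/NIC merge or defer segments (assumed list, ethtool -k long names).
OFFLOADS="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

# Build the ethtool -K command that turns the above off for the given interface.
offload_disable_cmd() {
  echo "ethtool -K $1 rx off tx off sg off tso off gso off gro off lro off rxvlan off txvlan off"
}

# Read "ethtool -k <iface>" output on stdin; print every watched feature that
# is still on. Returns 0 when all watched features are off, 1 otherwise.
check_offloads() {
  bad=0
  while read -r line; do               # read strips the indent of sub-features
    case "$line" in *:*) ;; *) continue ;; esac
    name=${line%%:*}
    value=${line#*:}                   # e.g. " off [fixed]"
    value=${value# }                   # drop the leading space
    value=${value%% *}                 # drop "[fixed]" / "[requested on]"
    for f in $OFFLOADS; do
      if [ "$name" = "$f" ] && [ "$value" = "on" ]; then
        echo "still on: $name"
        bad=1
      fi
    done
  done
  return $bad
}

# Constructed sample of "ethtool -k br0" output; NOT captured from a real host.
SAMPLE_ETHTOOL='Features for br0:
rx-checksumming: on
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'

# Usage: on a real host replace the sample with:  ethtool -k br0 | check_offloads
if printf '%s\n' "$SAMPLE_ETHTOOL" | check_offloads; then
  echo "all capture-relevant offloads are off"
else
  echo "fix with: $(offload_disable_cmd br0)"
fi
```

Running it against the constructed sample reports `rx-checksumming` and `generic-receive-offload` as still on and prints the corrective `ethtool -K br0 ...` line; feeding it real `ethtool -k br0` output after the boot-time script has run is a quick way to confirm the script did what was intended before trusting the capture.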