Drop payload in trace file

derek · March 20, 2023, 2:42pm

Hello, I’m using command "zeek -i -w " to save my traffic to the .trace file and analyze it. Due to the storage overhead, I want to drop the payload of the packet I capture. However I have no idea how to do it :(. Could anyone help me?
Thank you so much ;}

awelzel · March 21, 2023, 10:35am

Hey @derek ,

maybe piping the pcap through scapy would work for you? Here’s a stackoverflow link. Note, that Zeek will not be immensely happy once you do that. Feel free to chime in on the following issue:

github.com/zeek/zeek

Packet and byte counts 0 - when tcp headers are truncated

opened 07:47PM - 29 Oct 22 UTC

omnidepp

Type: Enhancement Area: Protocol Analysis

Hi all, I'm trying to get flow statistics from pcaps that were recorded with a… snaplength of 54 bytes - so there's only metadata and no actual content. Also I fear, the recording was done with a lot of capture loss, so not every connections was established or closed properly, nor are all the acks present. II would still expect zeek, though, to properly count the number of orig and resp packets and (ip) bytes. In wireshark I can drill down on different flows and most contain thousands of packets. In my zeek connlogs, however, most counts are 0. I've tried to set use_conn_size_analyzer = T but this seems to be the default anyway. There's no way to influence the type or quality of the recording. Any input greatly appreciated.

Hope that helps.

Topic		Replies	Views
About selectively dumping traffic packets from specific connections during live analysis Zeek	0	280	September 28, 2023
Analysing PCAPNG files from Wireshark traffic captured with Zeek or Spicy Zeek	6	711	April 11, 2023
zeek and tcpdump packet mismatch Zeek development	5	309	December 25, 2023
Zeek traffic capture on loopback ip Zeek	6	172	April 14, 2023
TCP Replay Packet Count Zeek	4	119	May 6, 2022

Drop payload in trace file

Related Topics