Enabled Parsers with No Traffic Load

Hi,

I apologise if this is a dumb question: if I run Zeek with all of the cisagov/ICSNPP (Industrial Control Systems Network Protocol Parsers) packages installed and enabled but no traffic is seen for any of the said parsers, do we still incur an extra load on Zeek?

Some of this depends on the exact analyzer and how it is activated.

  • if it is activated by a port that sees no traffic, there should be almost no additional work
  • if it is activated by a DPD signature, some work would happen in the DPD framework to (unsuccessfully) match the signature

Once an analyzer is activated by Zeek, it is fed traffic. If it is implemented correctly and there is no matching traffic, it would analyze the provided data and at some point reject further input. The additional work this would incur depends on how quickly the analyzer can detect that the traffic does not match.

While you should be able to see some of this by inspecting the analyzer’s code, the safest bet is to benchmark a system with and without it on the same traffic.

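An added example, not from this thread or the ICSNPP project, that makes the activation behaviour described above measurable: it counts, per analyzer, how many connections the analyzer confirmed and how many it rejected, using the `analyzer_confirmation_info` and `analyzer_violation_info` events (assumed to be available because they were introduced in Zeek 5.0; the module name and counter names are my own).

```zeek
# Added example: per-analyzer confirmation/violation counts for one trace.
# Run against a capture with the parsers you want to assess loaded, e.g.
#   zeek -r trace.pcap <packages to assess> analyzer-load.zeek
# Assumes Zeek 5.0 or later (the *_info event variants).
module AnalyzerLoad;

export {
    # Connections on which the analyzer confirmed its protocol.
    global confirmed: table[AllAnalyzers::Tag] of count &default=0;
    # Connections on which the analyzer gave up (DPD mismatch, parse error).
    global rejected: table[AllAnalyzers::Tag] of count &default=0;
}

# Raised when an analyzer decides the traffic really is its protocol.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
    {
    confirmed[atype] += 1;
    }

# Raised when an analyzer rejects further input for a connection.
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
    {
    rejected[atype] += 1;
    }

event zeek_done()
    {
    print "analyzer, confirmed, rejected";
    for ( a in confirmed )
        print fmt("%s, %d, %d", a, confirmed[a], rejected[a]);
    # Analyzers that were only ever rejected never appear in `confirmed`.
    for ( a in rejected )
        if ( a !in confirmed )
            print fmt("%s, 0, %d", a, rejected[a]);
    }
```

An analyzer that shows zero confirmations but many rejections is being attached by DPD and then discarding the data, which is exactly the extra work described in the answer; comparing wall-clock time of the same run with and without those packages loaded gives the benchmark the answer recommends.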

Thank you so much again for the excellent response.
