I am working on a Zeek script and would like to understand how I can make Zeek look only at the first ten packets in a TCP session. The first ten packets are enough to fingerprint the traffic I am trying to identify, so I would like to ensure my script also looks at only the first 10 packets to save processing time.
The communication is as follows:
There is the initial 3-way handshake and then there are 7 packets with variable lengths and on a non-default destination port/service. So I had to use the tcp_packet event in my script. Is there a better way of doing it? Using tcp_packet would make my script check all TCP packets, increasing the load on my Zeek system.
Please do let me know if you have any suggestions for me on this. Looking forward to your response.