Mirror the first N packets of a flow to Zeek

Hi guys,

I am considering evaluating Zeek for my organization. To reduce the amount of data that could accumulate if we start mirroring traffic, my team is considering not mirroring the full traffic. To achieve this, we have found a very interesting feature on our Extreme Networks K- and S-Series switches: they are able to mirror only the first few packets of a flow, and that number is adjustable, for example the first 15 packets of a flow.

Can Zeek also work well with the first 15 packets of a flow?

Best regards,


That largely depends on what you want to get out of Zeek, and the size of
the packets.

As an example, the packets may vary in size from 576 bytes to 1500 or 9000+
bytes. If your mirror only counts packets, not payload bytes, that's the
difference between somewhat usable data from the protocol analyzers and

You may also want the -last- packets in the flow, in particular the fin,
fin+ack, and rst; otherwise the conn log won't have accurate information
about the flow's duration or size.

If you just need a "there was an attempted connection that probably
succeeded", then yeah, 15 packets will do. Deeper analysis requires more
data, though not necessarily all of the flow.

It seems like your switches may be able to track flows. If this is the
case, maybe see if they can also drop flows from the mirror on demand.
Zeek has the capability to say "Stop sending me this flow, I am done with
it." (implementing the flow shunting on an uncommon switch may be an
exercise for the student). In such a case, you'll still want to get Zeek
the packet headers with ack, fin, rst, so the connection tracking still works.
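
To try the question in the original post offline, here is an added example (it is not part of this thread and is not a Zeek tool): a pure-Python script that rewrites a full pcap so that each flow keeps only its first N packets, while still passing through every TCP FIN/RST packet as suggested above, so the result can be fed to Zeek with `zeek -C -r trimmed.pcap` and its conn.log compared against a run on the untrimmed capture. The sample capture it builds is constructed data (checksums are left at zero, hence `-C` to ignore them), and the output file name `trimmed.pcap` is an arbitrary choice.

```python
import socket
import struct
from collections import defaultdict

# libpcap file-format constants: little-endian header, microsecond timestamps, Ethernet frames.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP_FIN, TCP_RST = 0x01, 0x04


def flow_key_and_flags(frame):
    """Return (direction-independent 5-tuple key, TCP flags) for an IPv4 TCP/UDP frame, else (None, 0)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None, 0
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src, dst = frame[26:30], frame[30:34]
    l4 = 14 + ihl                          # start of the TCP/UDP header
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None, 0
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    flags = frame[l4 + 13] if proto == 6 and len(frame) >= l4 + 14 else 0
    a, b = (src, sport), (dst, dport)
    # Sort the two endpoints so both directions of a flow share one key.
    return (proto,) + (a + b if a <= b else b + a), flags


def trim_pcap(data, n, keep_fin_rst=True):
    """Keep the first n packets of every flow (and, optionally, every TCP FIN/RST packet).

    Returns (trimmed pcap bytes, packets kept, packets seen). Non-IPv4 and
    non-TCP/UDP packets are passed through unchanged.
    """
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    out, counts = [data[:24]], defaultdict(int)
    off, kept, seen = 24, 0, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        record = data[off:off + 16 + incl_len]   # 16-byte record header plus frame
        off += 16 + incl_len
        seen += 1
        key, flags = flow_key_and_flags(record[16:])
        if key is not None:
            counts[key] += 1
            if counts[key] > n and not (keep_fin_rst and flags & (TCP_FIN | TCP_RST)):
                continue                         # past the per-flow budget, and not a teardown packet
        out.append(record)
        kept += 1
    return b"".join(out), kept, seen


def build_frame(src, dst, sport, dport, proto=6, tcp_flags=0x18, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero (use zeek -C)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0, 64, proto, 0, src, dst)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + l4 + payload


def build_pcap(frames, ts0=1700000000):
    """Wrap frames in a pcap file, one second apart, for feeding to zeek -r."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def demo(n=5, keep_fin_rst=True):
    """Constructed sample capture: a 40-packet TCP session plus a 3-packet UDP flow, trimmed to n per flow."""
    a, b = socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.10")
    frames = [build_frame(a, b, 40000, 443, tcp_flags=0x02),     # SYN
              build_frame(b, a, 443, 40000, tcp_flags=0x12)]     # SYN+ACK
    frames += [build_frame(a, b, 40000, 443, payload=b"x" * 100) for _ in range(36)]  # PSH+ACK data
    frames += [build_frame(a, b, 40000, 443, tcp_flags=0x11),    # FIN+ACK from client
               build_frame(b, a, 443, 40000, tcp_flags=0x11)]    # FIN+ACK from server
    frames += [build_frame(a, b, 5353, 53, proto=17, payload=b"q") for _ in range(3)]
    return trim_pcap(build_pcap(frames), n, keep_fin_rst)


if __name__ == "__main__":
    trimmed, kept, seen = demo()
    with open("trimmed.pcap", "wb") as fh:
        fh.write(trimmed)
    print(f"kept {kept} of {seen} packets; now run: zeek -C -r trimmed.pcap")
```

Running it against a real capture instead of the constructed one is a matter of reading the file and calling `trim_pcap(data, 15)`; comparing the duration and byte counts in conn.log between the full and trimmed runs shows concretely what the FIN/RST packets buy you, and what the protocol analyzers lose once the payload stops after packet 15.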

Hi Scott,

Thank you for your detailed explanation!

The switches we mentioned are actually configured such that they export
NetFlow v9 information about all flows and, additionally, the first 15 payload
packets of each flow. So we think that with those two information sources
each flow should be fully identified.

We'll contact the switch vendor - Extreme Networks - to ask about the
possibility of stopping the sending of flow information and partial mirror packets on

Best regards,