Missing Entries in conn.log

I’m just starting with Zeek, but I’m somewhat frustrated because I don’t understand why I can’t see traffic from 192.168.4.163:30000 to 224.3.3.3:30000 UDP in conn.log, even though I can see it for other multicast addresses, like 192.168.4.2 to 239.255.255.250. Could someone explain this to me?

Hi,

It’s always hard to diagnose these kinds of issues with more data. If you are able to create a pcap that contains traffic that you think should show up in conn.log but doesn’t, that would be helpful.

If the traffic that you are missing originates from your local machine, it is possible that this is caused by checksum problems. If this is the case, you can tell Zeek to ignore checksums with the -C flag.
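An added example, not part of the thread and not Zeek's own code: one way to check whether a captured IPv4 UDP datagram carries a checksum that fails validation, which is the situation the reply describes for locally originated traffic. The addresses and ports are the ones from the question; the payload and the wrong checksum value are constructed, and the function names are hypothetical.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP header and payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]   # checksum field = 0
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is sent as 0xFFFF

def check_udp(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Classify the checksum stored in a UDP segment."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return "absent"                      # IPv4: sender computed none
    ok = stored == udp_checksum(src_ip, dst_ip, segment)
    return "valid" if ok else "invalid"

def build_udp(sport: int, dport: int, payload: bytes, checksum: int = 0) -> bytes:
    """Build a UDP segment (header + payload) with the given checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload

# Constructed sample: the flow from the question with a made-up payload.
SRC, DST, PORT = "192.168.4.163", "224.3.3.3", 30000
PAYLOAD = b"constructed payload"
GOOD_CSUM = udp_checksum(SRC, DST, build_udp(PORT, PORT, PAYLOAD))
# Constructed wrong value, standing in for a field the NIC had not yet
# filled in when the sending host captured the packet.
STALE_CSUM = 0x1234 if GOOD_CSUM != 0x1234 else 0x4321

ON_WIRE = build_udp(PORT, PORT, PAYLOAD, GOOD_CSUM)
LOCAL_CAPTURE = build_udp(PORT, PORT, PAYLOAD, STALE_CSUM)

if __name__ == "__main__":
    for name, seg in (("on wire", ON_WIRE), ("local capture", LOCAL_CAPTURE)):
        print(f"{name}: checksum {check_udp(SRC, DST, seg)}")
```

If datagrams extracted from the pcap come back "invalid" here, the checksum explanation fits and rerunning Zeek with -C is the test to make.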