Practical Limitations for Packet-Filter Framework

Greetings Zeekers,

Curious if anyone can tell me what are the practical limitations for using Packet-Filter BPF filtering in Zeek. I’m thinking it may just be available memory but am not sure. Asking because I may want to enter a couple hundred thousand /32 addresses and a couple thousand /24 addresses as “not” rules for Zeek to ignore but I am wondering if this is practical?


There are some performance issues with compiling large packet filters, as reported in Zeek deals poorly with long `pcap_compile()` times · Issue #2457 · zeek/zeek · GitHub. It’s mostly an issue at startup though. Once Zeek finishes compiling the filters, the actual performance of the filters should be fine.

Thanks for the info Tim, appreciated.