Practical Limitations for Packet-Filter Framework

greg · May 1, 2023, 4:33pm

Greetings Zeekers,

Curious if anyone can tell me what are the practical limitations for using Packet-Filter BPF filtering in Zeek. I’m thinking it may just be available memory but am not sure. Asking because I may want to enter a couple hundred thousand /32 addresses and a couple thousand /24 addresses as “not” rules for Zeek to ignore but I am wondering if this is practical?

Thank!

Tim_Wojtulewicz · May 1, 2023, 4:36pm

There are some performance issues with compiling large packet filters, as reported in Zeek deals poorly with long `pcap_compile()` times · Issue #2457 · zeek/zeek · GitHub. It’s mostly an issue at startup though. Once Zeek finishes compiling the filters, the actual performance of the filters should be fine.

greg · May 1, 2023, 4:53pm

Thanks for the info Tim, appreciated.

Greg

Topic		Replies	Views
getting Too_Long_To_Compile_Filter notice Zeek	1	104	May 6, 2022
Zeek BPF Limitations Zeek	17	772	October 7, 2022
Noise Protocol Framework. Zeek	2	115	May 6, 2022
BPF Segmentation Fault Zeek	4	196	May 6, 2022
Help，About Packet Filter Zeek	3	133	May 6, 2022

Practical Limitations for Packet-Filter Framework

Related topics