I’m trying to run this Zeek command in Docker to generate zeek logs from a .pcap file using the following command:
sudo docker run blacktop/zeek -r “/home/loris/Desktop/TESI/2023-04-13-MetaStealer-C2-traffic.pcap” local “Log::default_rotation_interval = 1 day”.
However, I’m getting the following error message: fatal error in <params>, line 1: problem with trace file /home/loris/Desktop/TESI/2023-04-13-MetaStealer-C2-traffic.pcap. I’ve checked that the path of the file is correct and that it exists with read permissions. What could be causing this error and how can I fix it?
I’m on Manjaro btw.
The args -r ... you pass to docker run will be arguments to zeek process which will be started in the container. Unless you configured your Docker to automatically mount host directories into the container, the path to the PCAP on the host probably matches to no file in the container, and you need to explicitly mount it, e.g.,
docker run -v /home/loris/Desktop/TESI:/TESI blacktop/zeek \
-r /TESI/2023-04-13-MetaStealer-C2-traffic.pcap \
local \
“Log::default_rotation_interval = 1 day”
That being said, at least the published version of blacktop/zeek seems unmaintained and outdated since it uses an unsupported version of Zeek, and I would suggest you use e.g., the upstream container if possible. The major difference is that the upstream container does not set the entrypoint to zeek, but you can do that yourself:
docker run -v /home/loris/Desktop/TESI:/TESI zeek/zeek \
zeek \
-r /TESI/2023-04-13-MetaStealer-C2-traffic.pcap \
local \
“Log::default_rotation_interval = 1 day”