I am thinking about using the Zeek package for pfSense to monitor all routed traffic, knowingly ignoring all unrouted traffic that stays local to a collision domain.
The rationale is that I am interested in traffic crossing networks, while not interested in traffic that stays confined to the VLAN where it originates.
At the same time I am hoping that this brings down the resource requirements for Zeek to perform properly, since it doesn't need to capture everything, as it would when connected to a SPAN port.
Do we have people here with experience running Zeek in such a setup?
What is your estimate of the additional requirements for CPU cores, GB of RAM and SSD storage on top of what pfSense requires for itself?
My setup would be a pfSense router with 2x 1 Gbps interfaces: 1 for the traffic to be routed and filtered, and 1 for managing the pfSense machine.
I am currently using a Qotom with:
- CPU: i7 2C 4T
- NIC: 6x 1 Gbps Intel
- RAM: 4GB
- Storage: 50GB SSD
Would there still be enough room to run Zeek next to pfSense on this machine? If not, how many additional cores would I need, and how much more RAM and SSD storage?
I understand that this also depends on the traffic mix and the amount of traffic I have. This is just a home lab with lots of segregated VLANs, so there is clearly more traffic going through the router than you would see in a flat home lab network.
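As an added illustration (not part of the original post, and not code from the Zeek or pfSense projects): the premise above is that a Zeek sensor attached to the router's trunk interface only ever sees flows whose endpoints sit in different VLANs (or outside the network), while intra-VLAN traffic stays on the switch. The script below takes a handful of constructed conn.log-style records, as a switch SPAN would record them, and splits them into "routed" (visible to a router-attached sensor) and "local" (invisible to it), so you can estimate what share of the bytes the sensor would actually have to process. The VLAN subnets and the flow records are hypothetical; multicast and limited-broadcast destinations are treated as local because the router does not forward them.

```python
import ipaddress

# Hypothetical VLAN layout for the illustration (not from the post).
VLANS = {
    "mgmt": ipaddress.ip_network("10.0.10.0/24"),
    "lan": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
    "lab": ipaddress.ip_network("10.0.40.0/24"),
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed conn.log-style records in Zeek's TSV layout, reduced to the
# fields needed here. Not a real capture; "-" is Zeek's marker for unset.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "1700000000.1\t10.0.20.15\t51000\t142.250.74.46\t443\ttcp\t1200\t45000",
    "1700000001.2\t10.0.20.15\t51001\t10.0.20.30\t445\ttcp\t500000\t-",
    "1700000002.3\t10.0.30.7\t40000\t10.0.20.30\t8123\ttcp\t1500\t500",
    "1700000003.4\t10.0.20.15\t5353\t224.0.0.251\t5353\tudp\t300\t-",
    "1700000004.5\t10.0.40.9\t33000\t10.0.40.10\t22\ttcp\t30000\t50000",
    "1700000005.6\t10.0.10.5\t44000\t10.0.40.9\t443\ttcp\t1000\t3000",
])


def vlan_of(addr):
    """Name of the VLAN an address belongs to, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "external"


def is_routed(src, dst):
    """True when the flow has to traverse the router to reach its destination."""
    d = ipaddress.ip_address(dst)
    # Multicast and limited broadcast stay inside the VLAN; the router drops them.
    if d.is_multicast or d == LIMITED_BROADCAST:
        return False
    return vlan_of(src) != vlan_of(d)


def parse_conn_log(text):
    """Parse Zeek-style TSV into (orig_h, resp_h, total_bytes) tuples."""
    fields = None
    flows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        nbytes = sum(0 if rec[k] == "-" else int(rec[k])
                     for k in ("orig_bytes", "resp_bytes"))
        flows.append((rec["id.orig_h"], rec["id.resp_h"], nbytes))
    return flows


def summarize(flows):
    """Flow and byte totals per class: 'routed' (sensor sees it) vs 'local'."""
    stats = {"routed": {"flows": 0, "bytes": 0}, "local": {"flows": 0, "bytes": 0}}
    for src, dst, nbytes in flows:
        key = "routed" if is_routed(src, dst) else "local"
        stats[key]["flows"] += 1
        stats[key]["bytes"] += nbytes
    return stats


def routed_byte_share(stats):
    """Fraction of all bytes a router-attached sensor would have to inspect."""
    total = stats["routed"]["bytes"] + stats["local"]["bytes"]
    return stats["routed"]["bytes"] / total if total else 0.0


if __name__ == "__main__":
    s = summarize(parse_conn_log(SAMPLE_CONN_LOG))
    print(s)
    print(f"router-attached sensor sees {routed_byte_share(s):.1%} of bytes")
```

Feed it a real conn.log from a temporary SPAN capture of the switch (one that sees intra-VLAN traffic too) and replace the VLANS table with your own subnets; the routed share of bytes is the part of the load a Zeek instance on the pfSense box would actually carry, which is a more useful sizing input than the link speed alone.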