zeek and tcpdump packet mismatch

biswa61 · October 19, 2023, 4:18pm

Hi,
I am facing an issue while running zeek on an interface and writing it to a file. The almost same issue I am getting in case of tcpdump as well. tcpdump is showing 10000 packets received but when I am trying to write in pcap file it is showing only 10-12 packets and zeek is showing 2-4 packets. I checked that many of thsese packets I am receiving in the interface are having invalid checksums, I have tried after disabling it both NIC ( ethtool -K eth0 rx/tx off), and also tried to pass -C argument in zeek and --dont-verify-checksums in tcpdump, but the issue persists.

Anything I am missing here?

##################################################################################
TCPDUMP without writing to file

[root@root]# tcpdump -i eth0 --dont-verify-checksums -n
14:31:04.993181 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [.], ack 248560, win 12922, options [nop,nop,TS val 1405576758 ecr 231651561], length 0
14:31:04.993183 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [.], ack 248656, win 12922, options [nop,nop,TS val 1405576758 ecr 231651561], length 0
14:31:04.993185 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [.], ack 248736, win 12922, options [nop,nop,TS val 1405576758 ecr 231651561], length 0
14:31:04.993187 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [.], ack 248832, win 12922, options [nop,nop,TS val 1405576758 ecr 231651561], length 0
14:31:04.993190 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [.], ack 248896, win 12922, options [nop,nop,TS val 1405576758 ecr 231651561], length 0
14:31:05.682176 IP 10.10.0.33.57626 > 10.20.0.51.ssh: Flags [P.], seq 1:49, ack 248896, win 12922, options [nop,nop,TS val 1405577447 ecr 231651561], length 48
^C
5984 packets captured
6024 packets received by filter
40 packets dropped by kernel

################################################################################
TCPDUMP with writing to file
[root@root]# tcpdump -i eth0 --dont-verify-checksums -w test.pcap
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C8 packets captured
10 packets received by filter
0 packets dropped by kernel

##########################################################################
RUNNING ZEEK and dumping to a file (same behavior with -w option as well)

[root@root]# /mnt/DPI/zeek/broker/bin/zeek -Ci eth0 -w Test.pcap
listening on eth0

^C1697639492.006355 received termination signal
1697639492.006355
4 packets received on interface eth0, 0 (0.00%) dropped, 0 (0.00%) not processed

Thanks.
Biswa