I am pleased to announce the release of zeek-dag v0.4, a Zeek packet source plugin for live capture from Endace DAG cards, or in EndaceProbe ApplicationDock. This release supports Bro 2.6 through Zeek 4.0 and supersedes the bro-dag plugin.
https://github.com/endace/zeek-dag
The plugin is available via zkg; note that you need a DAG card and the DAG software installed (available with registration at the support portal https://www.endace.com/support).
Using zkg:
zkg refresh
zkg remove bro-dag    (only if bro-dag was previously installed)
zkg install endace/zeek-dag
zeek -i endace::dag0:0
In the interface name endace::dag0:0, the first number is the DAG card index and the second is the stream number on that card.
In our experience this plugin provides the best capture performance on DAG cards. The zeek-dag README covers an example node.cfg for hardware flow balancing across multiple workers (see the GitHub link above).
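As an added illustration of the endace::dagN:M naming and the one-worker-per-stream layout the README describes, the script below generates the worker sections of a ZeekControl node.cfg for one DAG card. It is constructed for this post and is not the zeek-dag project's own example; it assumes the standard node.cfg keys (type, host, interface), that streams are numbered from 0, and uses localhost and one proxy as placeholder values.

```shell
#!/bin/sh
# Constructed example (not part of zeek-dag): build a node.cfg that pins
# one Zeek worker to each hardware stream of a DAG card, so the card's
# flow balancing spreads traffic across workers.

# is_uint VALUE -> succeeds if VALUE is a non-negative integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# dag_iface CARD STREAM -> prints the zeek-dag interface name
# (e.g. "endace::dag0:3" for card 0, stream 3)
dag_iface() {
    if ! is_uint "$1" || ! is_uint "$2"; then
        echo "dag_iface: card and stream must be non-negative integers" >&2
        return 1
    fi
    printf 'endace::dag%s:%s\n' "$1" "$2"
}

# gen_dag_nodecfg CARD NSTREAMS [HOST] -> prints manager, logger, one
# proxy and NSTREAMS workers, worker-k reading stream k-1 of CARD.
# HOST defaults to localhost (assumed single-box deployment).
gen_dag_nodecfg() {
    card=$1; nstreams=$2; host=${3:-localhost}
    if ! is_uint "$card" || ! is_uint "$nstreams" || [ "$nstreams" -eq 0 ]; then
        echo "usage: gen_dag_nodecfg CARD NSTREAMS [HOST]" >&2
        return 1
    fi
    printf '[manager]\ntype=manager\nhost=%s\n\n' "$host"
    printf '[logger]\ntype=logger\nhost=%s\n\n' "$host"
    printf '[proxy-1]\ntype=proxy\nhost=%s\n\n' "$host"
    i=0
    while [ "$i" -lt "$nstreams" ]; do
        printf '[worker-%s]\ntype=worker\nhost=%s\ninterface=%s\n\n' \
            "$((i + 1))" "$host" "$(dag_iface "$card" "$i")"
        i=$((i + 1))
    done
}

# Example: card 0 split into 4 streams -> workers 1..4 on endace::dag0:0..3
# gen_dag_nodecfg 0 4 > node.cfg
```

Before wiring the generated file into ZeekControl, `zeek -N` lists the loaded plugins and confirms that the zeek-dag package installed correctly; the stream count you pass must match the number of streams the card is configured to deliver, otherwise the extra workers capture nothing.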
An alternative method for live capture using DAG cards in Zeek is libpcap.
If libpcap is compiled on a system with DAG software installed, it will support capture from DAG devices with full kernel bypass. Using Zeek’s native pcap packet source and linking with the correct libpcap library:
zeek -i dag0:0
Dr Stephen Donnelly
CTO