Zeek doesn't analyse TX pkts

Zeek
1

Hello,
I guess I am doing something wrong but I don’t know what.
I am trying to run zeek (5.0.10) with a simple minimal configuration.

node.cfg:

[zeek]
type=standalone
host=localhost
interface=ens192

ens192 is my only iface. It has an IP and is able to curl the internet.

local.zeek:

@load base/frameworks/logging/writers/ascii
@load base/protocols/conn
@load base/protocols/http
@load policy/tuning/json-logs.zeek

When I do some curls to google and inspect pkts in conn.log
I see all entries with “orig_pkts: 0”.
I only see resp_pkts different fro zero

It seems that zeek only analyze RX packets not TX packets
tcpdump sees those packets though.

Anyone has an idea?

2

Hey @Lamorale , mostly as a guess, do you see the following message in reporter.log?

Your interface is likely receiving invalid TCP and UDP checksums,
most likely from NIC checksum offloading. By default, packets with
invalid checksums are discarded by Zeek unless using the -C command-line
option or toggling the 'ignore_checksums' variable. 
Alternatively, disable checksum offloading by the network adapter to ensure
Zeek analyzes the actual checksums that are transmitted.

An concrete example of the conn.log entries with IPs anonymized if needed would also be valuable.

Can you try putting redef ignore_checksums=T into local.zeek and see if this changes things? Or better, disable checksum offloading on the interface if that is the culprit.

If you run tcpdump with -v, what does the checksum part say?

$ tcpdump -n -v -i ens192
...
Flags [P.], cksum 0xe535 (correct)
Flags [.], cksum 0xdd7e (incorrect -> 0xc476),

If it’s checksum issues for you (too), maybe we should print a big banner if that happens :slight_smile:

3

Thanks for the “disable checksum” tips, that was exacty the problem :slight_smile: