Zeek filters problem

jannitand · March 10, 2026, 9:22am

Hello, I’m new to zeek so my apologies if I’m asking a nonsense question.
I’ve installed Zeek as a network monitoring tool in a network which is not under my administration.
The port mirroring in the interface zeek is listening to was configured erroneously and it is sending algo the local traffic, which I do not want to analyze.
My filter looks like this in /opt/zeek/share/zeek/site/local.zeek

redef restrict_filters = {

 ["avoid local traffic"] = "not (dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst net 10.0.0.0/8) and not (src net 172.16.0.0/12 or src net 192.168.0.0/16 or src net 10.0.0.0/8)",

};

But still is capturing local traffic
What Am I doing wrong?
Thank you!

johanna · March 12, 2026, 5:11pm

Hi @jannitand,

on a first glance, your filter syntax looks correct to me - and should indeed achieve what you want to accomplish.

how are you acquiring packets? Is Zeek listening directly to interfaces, or are you using something like AF_PACKET to ingest packets?

If you are using AF_PACKET, or similar, I think the bpf filter will not be used as the method of packet capture completely bypasses the normal packet processing pipeline.

Topic		Replies	Views
Zeek 2.6.1 - packet_filter - unable to filter out traffic Zeek	1	222	May 6, 2022
Filtering help Zeek	11	1563	May 6, 2022
Error with filters Zeek	2	125	May 6, 2022
Help，About Packet Filter Zeek	3	164	May 6, 2022
Error with filters Zeek	1	146	May 6, 2022

Zeek filters problem

Related topics