Hi Zeek-devs,
I need to do some analysis on TCP flags and the event “tcp_packet” perfectly fits my needs. However, as stated in Zeek’s documentation, using this event may significantly affect Zeek’s performance, given the high number of TCP packets to look into.
Is there any other way to look into TCP flags? Would bypassing scriptland and modifyng directly the C++ code be more efficient (though not the “proper” way to do it)?
Thanks in advance,
Mauro
I need to do some analysis on TCP flags and the event “tcp_packet” perfectly fits my needs. However, as stated in Zeek’s documentation, using this event may significantly affect Zeek’s performance, given the high number of TCP packets to look into.
Is there any other way to look into TCP flags?
No other script-only method comes to mind.
Would bypassing scriptland and modifyng directly the C++ code be more efficient (though not the “proper” way to do it)?
Generally, yes.
You could always do a quick measurement of whether handling just an
empty "tcp_packet" event is prohibitive for you use-case. If it's
not, then some other factors to help decide whether to proceed further
with script-only vs. C++ implementation might be:
(1) Length of time it would take to fully implement and test the
script-only solution. If it's a lot of effort, might be worth just
starting from a C++ implementation.
(2) Whether you plan to share this work w/ the wider community or it
just needs to work for your particular case (for the later a less
performant, script-only solution is more acceptable).
- Jon
Another consideration to think about is whether you can run against a pcap offline, or if you need realtime analysis. For offline analysis you can turn off all policies except the one you’re particularly interested in.
Hi Jon,
thanks. This is what I thought. We need to evaluate realtime traffic, not offline traffic.
I'll think about which way is better for us.
Mauro
-----Messaggio originale-----