Hi folks, I am currently struggling with how to analyse a single big (500MB-1GB+) pcap file with Zeek in a short time. I am using the standalone mode of Zeek with this command: zeek -Cr sample_500MB.pcap local. It took about 1.40min, which is a bit too long for my needs…
What do you advise? How can I get multithreaded-like behaviour from zeek -r? The documentation says to use a cluster with several workers (even on one node), but I am not sure whether you can read a pcap in cluster mode. Another option is tcpreplay and letting the workers generate the logs in cluster mode?
So what do you guys advise? I am doing only offline pcap analysis with a single 500+MB pcap, and Zeek should ideally use 4-6 cores instead of one.