Zeek with tcpreplay

trong · July 14, 2025, 10:57am

"Hi everyone,

I’m using Zeek version 6.0.2-1.el9.x86_64, and I’m trying to use tcpreplay in combination with Zeek.

I’ve set up two machines on the same network:

One machine runs tcpreplay with a .pcap file
The other runs Zeek to capture and analyze the traffic

However, I noticed that Zeek does not generate any log files (e.g., http.log or conn.log) while it’s running.
The logs only appear after I stop Zeek using zeekctl stop.

Is there a way to make Zeek write logs in real time without needing to stop it?

Thanks!"

[root@localhost ~]# tcpreplay -i ens192 -M 10 simulated_http_eth.pcap 
Actual: 8 packets (629 bytes) sent in 0.000515 seconds
Rated: 1221359.2 Bps, 9.77 Mbps, 15533.98 pps
Flows: 3 flows, 5825.24 fps, 8 unique flow packets, 0 unique non-flow packets
Statistics for network device: ens192
        Successful packets:        8
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

[root@localhost current]# ll
total 92
-rw-r--r-- 1 root root  3096 Jul 14 19:47 broker.log
-rw-r--r-- 1 root root  2506 Jul 14 19:47 cluster.log
-rw-r--r-- 1 root root 51266 Jul 14 19:46 loaded_scripts.log
-rw-r--r-- 1 root root     0 Jul 14 19:46 packet_filter.log
-rw-r--r-- 1 root root     0 Jul 14 19:47 stats.log
-rw-r--r-- 1 root root   492 Jul 14 19:46 stderr.log
-rw-r--r-- 1 root root   204 Jul 14 19:46 stdout.log
-rw-r--r-- 1 root root 20904 Jul 14 19:47 telemetry.log
-rw-r--r-- 1 root root     0 Jul 14 19:47 weird.log

simulated_http_eth.pcap (781 Bytes)

trong · July 16, 2025, 10:32am

I found answer myself, if anyone have the same question, please check it out

github.com/zeek/zeek

Log messages may be buffered indefinitely

opened 03:42PM - 05 Feb 20 UTC

closed 05:42PM - 07 Feb 20 UTC

JustinAzoff

Area: Broker Area: Logging

`Manager::PublishLogWrite` contains this code: if ( lb.message_count >= l…og_batch_size || (network_time - lb.last_flush >= log_batch_interval ) ) statistics.num_logs_outgoing += lb.Flush(bstate->endpoint, log_batch_size); Which flushes the outbound log buffers if more than `log_batch_size` message have been published or if the last flush was more than `log_batch_interval` old. If 2+ messages are received back to back, the first one will be logged because `network_time - lb.last_flush >= log_batch_interval` is true, but the 2nd message will be buffered. If there are no additional messages, the queue will never be flushed. This can easily happen on a log stream that is not very active, but might see bursts of logs, like `intel` or `notice`. Calling `Broker::__flush_logs()` periodically can fix this. I also couldn't see where last_flush is ever initialized to something, so this might also cause weird behavior.

awelzel · July 18, 2025, 8:44am

Hey @trong - there’s also something off with the HTTP connection in your pcap - supposedly there should just be a single connection contained, but the syn/ack packet is between 1.73.137.2 and 1.73.137.2, rather than 58.186.9.210 and 1.73.137.2. Did you construct that on purpose? There’s also weird.log entries due to that. It probably causes some timeout behavior that prevents immediate logging of the log entries, but they should eventually be produced even when using tcpreplay.

$ zeek -D -C -r Downloads/simulated_http_eth.pcap LogAscii::use_json=T
$ jq < conn.log 
{
  "ts": 1752489579.271168,
  "uid": "CRdT6w4PA64qWKmBk3",
  "id.orig_h": "1.73.137.2",
  "id.orig_p": 33308,
  "id.resp_h": "1.73.137.2",
  "id.resp_p": 80,
  "proto": "tcp",
  "conn_state": "OTH",
  "missed_bytes": 0,
  "history": "^h",
  "orig_pkts": 0,
  "orig_ip_bytes": 0,
  "resp_pkts": 1,
  "resp_ip_bytes": 40
}
{
  "ts": 1752489579.269891,
  "uid": "CJKFoj4bpHEhTeaRoj",
  "id.orig_h": "58.186.9.210",
  "id.orig_p": 33308,
  "id.resp_h": "1.73.137.2",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.006743907928466797,
  "orig_bytes": 111,
  "resp_bytes": 86,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "SADdFf",
  "orig_pkts": 5,
  "orig_ip_bytes": 311,
  "resp_pkts": 2,
  "resp_ip_bytes": 166
}

trong · July 18, 2025, 9:02am

@awelzel
thanks for the reply,

I encountered the same errors with this PCAP file. I tried using tcpreplay, and I expected the logs to be created on the second replay. However, the logs only appeared after I replayed the file for the third time. So on , I cannot setup timeout for this process @@
tc19-get-full.pcap (1.6 KB)

trong · July 18, 2025, 9:07am

oh im using cluster mode btw

Topic		Replies	Views
TCP Replay Packet Count Zeek	4	187	May 6, 2022
How to control when bro logs events Zeek	1	95	May 6, 2022
about logs Zeek	1	68	May 6, 2022
TCP Packets not getting logged Zeek	2	149	May 6, 2022
event q. Zeek	1	88	May 6, 2022

Zeek with tcpreplay

Related topics