zeek-af_packet-plugin
Plugin providing native AF_Packet support for Zeek.
When users encounter a hiccup in the configuration/use of an interface, they often see the message `problem with interface af_packet::XYZ (Invalid argument)`. Two improvements would be nice:
- More context...
Something strange was going on with #57. GitHub says it's merged but somehow the changes didn't make it into master.
Previously only a subset of config options was available via zeekctl.
Okay, this might be naive. Both Suricata and the AF_PACKET example [1] keep the block descriptor offsets in a separately allocated table as well. From all I can tell, that...
When monitoring `lo` using AF_PACKET, apparently all packets are seen twice: once as incoming and once as outgoing packets. I ran into this monitoring local HTTP traffic using curl/nginx just...
Using the docker image, it might be possible to implement some basic testing using `tcpreplay`. The tests could be realized as optional btests so that they don't mess up installation...
Steps to reproduce:
1. Start a Zeek worker(s) using the af_packet plugin
2. Restart networking
3. See that the worker CPU usage goes to 100% and the worker(s) stops receiving...
The ring layout still uses a magic value. Other approaches take the MTU to determine a suitable block size (using `TPACKET_ALIGN` for alignment).
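The MTU-based sizing described in this issue, as an added example in C that is not the plugin's code: it derives a TPACKET_V3 ring layout (`tp_block_size`, `tp_block_nr`, `tp_frame_size`, `tp_frame_nr`) from the interface MTU using `TPACKET_ALIGN`, and then checks the result against the constraints the Linux kernel enforces in `packet_set_ring()`. The function names `ring_layout_from_mtu` and `ring_layout_check` are hypothetical. `TPACKET_ALIGN` is reproduced from `<linux/if_packet.h>` so the file builds without the kernel headers; the header sizes (48-byte `tpacket3_hdr`, 20-byte `sockaddr_ll`, 48-byte block descriptor) and the 18-byte link-layer reserve are assumed x86_64/Ethernet values, not taken from the page.

```c
/* Added example, not the plugin's code: size a TPACKET_V3 ring from the MTU
 * instead of a hard-coded magic value, then validate it the way the kernel's
 * packet_set_ring() does. TPACKET_ALIGN(MENT) are copied from
 * <linux/if_packet.h>; the struct sizes below are assumed x86_64 values. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TPACKET_ALIGNMENT 16
#define TPACKET_ALIGN(x) (((x) + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1))

/* Assumed: sizeof(struct tpacket3_hdr) == 48, sizeof(struct sockaddr_ll) == 20,
 * sizeof(struct tpacket_block_desc) == 48 (x86_64). */
#define TPACKET3_HDRLEN (TPACKET_ALIGN(48) + 20) /* kernel's TPACKET3_HDRLEN: 68 */
#define BLK_HDR_LEN     48                       /* kernel's BLK_HDR_LEN (priv size 0) */
#define ETH_HLEN_MAX    18                       /* Ethernet header + one 802.1Q tag (assumed) */

struct ring_layout {
    uint32_t block_size;  /* tp_block_size: bytes per block, must be page-aligned */
    uint32_t block_nr;    /* tp_block_nr:   number of blocks */
    uint32_t frame_size;  /* tp_frame_size: TPACKET_ALIGN'ed largest frame */
    uint32_t frame_nr;    /* tp_frame_nr:   block_nr * (block_size / frame_size) */
};

static uint32_t round_up(uint32_t v, uint32_t m) { return (v + m - 1) / m * m; }

/* Size a frame for header + link-layer header + MTU, rounded to TPACKET_ALIGNMENT,
 * then pick the smallest page-aligned block holding at least frames_per_block of
 * them and as many blocks as fit in buffer_bytes. Returns 0 on success, -1 if the
 * parameters cannot yield even one block. In TPACKET_V3 packets are packed
 * back-to-back inside a block, so frame_size mainly feeds the frame_nr check. */
int ring_layout_from_mtu(uint32_t mtu, uint32_t frames_per_block,
                         uint64_t buffer_bytes, uint32_t page_size,
                         struct ring_layout *out)
{
    if (frames_per_block == 0 || page_size == 0) return -1;
    uint32_t frame  = TPACKET_ALIGN(TPACKET3_HDRLEN + ETH_HLEN_MAX + mtu);
    uint32_t block  = round_up(frame * frames_per_block, page_size);
    uint64_t blocks = buffer_bytes / block;
    if (blocks == 0 || blocks > UINT_MAX) return -1;
    out->frame_size = frame;
    out->block_size = block;
    out->block_nr   = (uint32_t)blocks;
    out->frame_nr   = out->block_nr * (block / frame); /* kernel uses integer division */
    return 0;
}

/* Mirror of the checks packet_set_ring() applies to a TPACKET_V3 request with
 * tp_sizeof_priv == 0 and no PACKET_RESERVE. Returns 0 if the kernel would accept
 * the layout, otherwise a negative code naming the failed check (each of these is
 * reported to userspace only as EINVAL, i.e. "Invalid argument"). */
int ring_layout_check(const struct ring_layout *r, uint32_t page_size)
{
    if (r->block_size == 0 || r->block_size > INT_MAX)              return -1; /* (int)size <= 0 */
    if (r->block_size % page_size)                                   return -2; /* !PAGE_ALIGNED */
    if (r->block_size <= BLK_HDR_LEN + TPACKET3_HDRLEN)              return -3; /* too small for V3 */
    if (r->frame_size < TPACKET3_HDRLEN)                             return -4; /* < hdrlen + reserve */
    if (r->frame_size & (TPACKET_ALIGNMENT - 1))                     return -5; /* misaligned frame */
    uint32_t per_block = r->block_size / r->frame_size;
    if (per_block == 0)                                              return -6; /* frame > block */
    if (r->block_nr == 0 || r->block_size > UINT_MAX / r->block_nr)  return -7; /* overflow / no ring */
    if (per_block * r->block_nr != r->frame_nr)                      return -8; /* frame_nr mismatch */
    return 0;
}

int main(void)
{
    struct ring_layout r;
    /* Constructed inputs: 1500-byte MTU, 16 frames per block, 32 MiB, 4 KiB pages. */
    if (ring_layout_from_mtu(1500, 16, 32u << 20, 4096, &r) == 0)
        printf("block_size=%u block_nr=%u frame_size=%u frame_nr=%u check=%d\n",
               r.block_size, r.block_nr, r.frame_size, r.frame_nr,
               ring_layout_check(&r, 4096));
    return 0;
}
```

A sizing bug shows up here as a specific failed check rather than the bare `(Invalid argument)` the setsockopt call reports, which is the kind of context the earlier issue on error messages asks for.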