zeek-pcapovertcp-plugin

https://github.com/emnahum/zeek-pcapovertcp-plugin
4 6 0 0 Last Push 9/15/23, 5:02 PM

Zeek::PcapOverTcp

This plugin provides native PcapOverTcp support for Zeek.

For details about PcapOverTcp, see the corresponding Netresec URL

Installation

Package Manager

The plugin is available as package for the Zeek Package Manager and can be installed using the following command:

zkg install zeek-pcapovertcp-plugin

Manual Install

The following will compile and install the PcapOverTcp plugin alongside Zeek:

# ./configure && make && make install

If everything built and installed correctly, you should see this:

# zeek -NN Zeek::PcapOverTcp
Zeek::PcapOverTcp - Packet acquisition via PcapOverTcp (dynamic, version 1.0.0)
[Packet Source] PcapOverTcpReader (interface prefix "pcapovertcp"; supports live input)
[Constant] PcapOverTcp::buffer_size

Usage

Once installed, you can use PcapOverTcp interfaces/ports by prefixing them with pcapovertcp:: on the command line. For example, to use PcapOverTcp to use a local socket with port 57012:

# zeek -i pcapovertcp::127.0.0.1:57012

Usage with zeekctl

You can use the PcapOverTcp plugin with zeekctl. The following shows a sample configuration:

    [manager]
    type=manager
    host=localhost
     
    [proxy-1]
    type=proxy
    host=localhost
     
    [worker-1]
    type=worker
    host=localhost
    interface=pcapovertcp::1.2.3.4:57012
    # Optional parameters for per node configuration:
    pcapovertcp_buffer_size=128*1024*1024

    [worker-2]
    type=worker
    host=localhost
    interface=pcapovertcp::1.2.3.5:57012
    # Optional parameters for per node configuration:
    pcapovertcp_buffer_size=128*1024*1024

Note that workers must consume different streams (different IP, Port combinations). The PcapOverTcp plugin does not yet support multiple workers consuming the same stream.

Debugging the Plugin

To debug the plugin, configure with --enable-debug, as well as Zeek itself. Then when you run Zeek, add -B plugin-Zeek-PcapOverTcp to the command line to enable debugging. The resulting debug.log should show debug comments.

Advanced Configuration

While the plugin aims at providing a "plug and play" user experience, it exposes at the momement one option of the underlying API for customization (see init.zeek for the default values):

  • buffer_size: Set the overall buffer size allocated per socket.

Limitations

Acknowledgements

Thanks to Justin Azoff, Tim Wojtulewicz, Christian Kreibich, and Erik Hjelmvik for their comments and suggestions.

Package Version :

Description :

This plugin provides native PCAP over TCP support for Zeek.

Script Dir :

scripts/pcapovertcp

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Test Command :

cd tests && btest -d

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin

Description :

Provides PCAP over TCP support for Zeek.

Script Dir :

scripts

Plugin Dir :

build/Zeek_PcapOverTcp.tgz

Build Command :

./configure && make

Depends :

zeek >=4.0.0
zkg >=2.0

Tags :

pcapovertcp, pcap, zeek plugin, packet source, zeekctl plugin