This plugin provides native PcapOverTcp support for Zeek.
For details about PcapOverTcp, see the corresponding Netresec URL
The plugin is available as package for the Zeek Package Manager and can be installed using the following command:
zkg install zeek-pcapovertcp-plugin
The following will compile and install the PcapOverTcp plugin alongside Zeek:
# ./configure && make && make install
If everything built and installed correctly, you should see this:
# zeek -NN Zeek::PcapOverTcp
Zeek::PcapOverTcp - Packet acquisition via PcapOverTcp (dynamic, version 1.0.0)
[Packet Source] PcapOverTcpReader (interface prefix "pcapovertcp"; supports live input)
[Constant] PcapOverTcp::buffer_size
Once installed, you can use PcapOverTcp interfaces/ports by prefixing them with pcapovertcp::
on the command line. For example, to use PcapOverTcp to use a local socket with port 57012:
# zeek -i pcapovertcp::127.0.0.1:57012
You can use the PcapOverTcp plugin with zeekctl
. The following shows a sample configuration:
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=pcapovertcp::1.2.3.4:57012
# Optional parameters for per node configuration:
pcapovertcp_buffer_size=128*1024*1024
[worker-2]
type=worker
host=localhost
interface=pcapovertcp::1.2.3.5:57012
# Optional parameters for per node configuration:
pcapovertcp_buffer_size=128*1024*1024
Note that workers must consume different streams (different IP, Port combinations). The PcapOverTcp plugin does not yet support multiple workers consuming the same stream.
To debug the plugin, configure with --enable-debug
, as well as Zeek itself. Then when you run Zeek, add -B plugin-Zeek-PcapOverTcp
to the command line to enable debugging. The resulting debug.log
should show debug comments.
While the plugin aims at providing a "plug and play" user experience, it exposes at the momement one option of the underlying API for customization (see init.zeek for the default values):
buffer_size
: Set the overall buffer size allocated per socket.
Thanks to Justin Azoff, Tim Wojtulewicz, Christian Kreibich, and Erik Hjelmvik for their comments and suggestions.