This plugin provides native PcapOverTcp support for Zeek.
For details about PcapOverTcp, see the corresponding Netresec URL.
The plugin is available as package for the Zeek Package Manager and can be installed using the following command:
zkg install zeek-pcapovertcp-plugin
The following will compile and install the PcapOverTcp plugin alongside Zeek:
# ./configure && make && make install
If everything built and installed correctly, you should see this:
# zeek -NN Zeek::PcapOverTcp
Zeek::PcapOverTcp - Packet acquisition via PcapOverTcp (dynamic, version 1.0.0)
    [Packet Source] PcapOverTcpReader (interface prefix "pcapovertcp"; supports live input)
    [Constant] PcapOverTcp::buffer_size
Once installed, you can use PcapOverTcp interfaces/ports by prefixing them with pcapovertcp:: on the command line. For example, to read from a PcapOverTcp socket on the local host at port 57012:
# zeek -i pcapovertcp::127.0.0.1:57012
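To try the command above without a real capture source, the following added example (not code from this plugin or from Zeek) serves a minimal libpcap byte stream on 127.0.0.1:57012. It assumes, which the page does not state, that the plugin connects as a TCP client to the given host:port and reads a plain pcap stream (the Netresec PCAP-over-IP convention); the sample frame is constructed by hand.

```python
"""Minimal PCAP-over-IP sender for exercising the plugin (example code, not
part of the zeek-pcapovertcp-plugin project). Assumes the plugin connects as
a TCP client to the host:port after "pcapovertcp::" and reads a plain libpcap
byte stream: a 24-byte global header, then 16-byte record headers plus packet
bytes. The sample frame is constructed by hand for illustration."""
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=SNAPLEN):
    """24-byte file header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts, snaplen=SNAPLEN):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) plus captured bytes.
    incl_len is clamped to snaplen while orig_len keeps the wire size; a reader
    must advance by incl_len or it loses sync with the stream."""
    captured = frame[:snaplen]
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured


# Constructed 42-byte frame: Ethernet / IPv4 (valid header checksum 0x66ce) / UDP,
# 10.0.0.1:1234 -> 10.0.0.2:53, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"              # dst MAC, src MAC, EtherType IPv4
    "4500001c00010000401166ce" "0a000001" "0a000002"  # IPv4: total len 28, proto 17 (UDP)
    "04d2003500080000"                                # UDP: sport 1234, dport 53, len 8
)


def build_stream(frames, first_ts=1700000000.0, spacing=0.001):
    """Whole byte stream the plugin reads: global header then one record per frame."""
    out = pcap_global_header()
    for i, f in enumerate(frames):
        out += pcap_record(f, first_ts + i * spacing)
    return out


def serve_once(host="127.0.0.1", port=57012, frames=(SAMPLE_FRAME,)):
    """Accept one client (e.g. zeek -i pcapovertcp::127.0.0.1:57012), stream, close."""
    with socket.create_server((host, port)) as srv:
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(build_stream(frames, first_ts=time.time()))
    return len(frames)
```

Run `serve_once()` in one terminal, then start Zeek with the command above in another; the worker should log the single constructed UDP flow and exit when the sender closes the connection.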
You can use the PcapOverTcp plugin with zeekctl. The following shows a sample configuration:
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=pcapovertcp::126.96.36.199:57012
# Optional parameters for per node configuration:
pcapovertcp_buffer_size=128*1024*1024

[worker-2]
type=worker
host=localhost
interface=pcapovertcp::188.8.131.52:57012
# Optional parameters for per node configuration:
pcapovertcp_buffer_size=128*1024*1024
Note that workers must consume different streams (different IP, Port combinations). The PcapOverTcp plugin does not yet support multiple workers consuming the same stream.
Debugging the Plugin
To debug the plugin, configure it with --enable-debug, as well as Zeek itself. Then, when you run Zeek, add -B plugin-Zeek-PcapOverTcp to the command line to enable debugging. The resulting debug.log should show the plugin's debug output.
While the plugin aims at providing a "plug and play" user experience, it exposes at the moment one option of the underlying API for customization (see init.zeek for the default values):
buffer_size: Set the overall buffer size allocated per socket.
Thanks to Justin Azoff, Tim Wojtulewicz, Christian Kreibich, and Erik Hjelmvik for their comments and suggestions.