Skip to content
/ zeek-tcpreplay-kafka Public

A Docker image with tcpreplay streaming a pcap to a dummy NIC, monitored by Zeek, which sends its output to Apache Kafka.

License

MIT license
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

berthayes/zeek-tcpreplay-kafka

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.vscode
.vscode
 
 
.gitattributes
.gitattributes
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
init_dummy.sh
init_dummy.sh
 
 
local.zeek
local.zeek
 
 
send-to-kafka.zeek
send-to-kafka.zeek
 
 

Repository files navigation

Streaming Zeek Events to Apache Kafka

This is a Docker image based on the slim Debian 10 image with the addition of tcpreplay, Zeek 3.1.1, and librdkafka.

This image does a few things when it starts up:

  • Brings up a dummy0 network interface
  • Starts an instance of tcpreplay that
    • Replays /pcaps/zeek_streamer.pcap
    • Sends the replayed packets to dummy0
  • Starts an instance of Zeek that
    • monitors dummy0
    • sends its output as JSON to an Apache Kafka broker

Zeek is configured to send its output to a host named broker.

Why tcpreplay?

There are a few other (better) Docker images out there that can use Zeek to read pcaps and send the output to Apache Kafka.

This one uses tcpreplay to read a pcap and stream it in real-time as its original pace instead of all at once. In other words, if it took six hours to generate your 100MB pcap, this will stream those packets at their original rate over the course of those six hours. In this way, streaming Zeek events stream into Apache Kafka at their original rate.

This Docker image is also (maybe) unique in that it uses a dummy0 network interface, so you can replay all kinds of nasty garbage without causing actual harm to network admins.

Examples

Specify your broker host, run from your current working directory with a file named zeek_streamer.pcap at ./pcaps/zeek_streamer.pcap

docker run -it \
-v `pwd`/pcaps/:/pcaps \
--cap-add=NET_ADMIN \
--add-host broker:192.168.1.108 \
bertisondocker/zeek-tcpreplay-kafka:latest

Or, run with your own local.zeek and send-to-kafka.zeek files:

docker run -it \
-v `pwd`/pcaps/:/pcaps \
-v `pwd`/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek \
-v `pwd`/send-to-kafka.zeek:/usr/local/zeek/share/zeek/site/send-to-kafka.zeek \
--cap-add=NET_ADMIN \
--add-host broker:192.168.1.108 \
bertisondocker/zeek-tcpreplay-kafka:latest

Streaming your own packet captures

This image is designed to start automatically replaying the file /pcaps/zeek_streamer.pcap

$ ls pcaps/
heavy_dns.pcap		zeek_streamer.pcap

So if you already have a file named zeek_streamer.pcap as above, then you're all set. If your pcap isn't (or wasn't) named zeek_streamer.pcap when you started, you can still feed it to Zeek and have the results stream to Kafka.

Since ./pcaps/ is a bind mount to /pcaps in the docker image :

docker exec -d <CONTAINER ID> /usr/bin/tcpreplay -i dummy0 /pcaps/heavy_dns.pcap

About

A Docker image with tcpreplay streaming a pcap to a dummy NIC, monitored by Zeek, which sends its output to Apache Kafka.

Topics

docker zeek tcpreplay

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages