NIC tweaks

Normally, Zeek's event engine will discard packets which don't have valid checksums. This can be a problem if one wants to analyze locally generated/captured traffic on a system that offloads checksumming to the network adapter. In that case, all transmitted/captured packets will have bad checksums because they haven't yet been calculated by the NIC, thus such packets will not undergo analysis defined in Zeek policy scripts as they normally would. Bad checksums in traces may also be a result of some packet alteration tools.

A solution to that is to disable checksum offloading for your network adapter, but this is not always possible or desirable. Disable checksum offloading on the NIC using ethtool --offload <int> rx off tx off so the correct checksums are generated to begin with. Replacing <int> with the name of your interface.

Other tweaks to be made at the NIC level is to disable WOL and to increase the RX and TX ring parameters to higher values (for example 4096), both for RX and TX:

ethtool -s <int> wol d
ethtool -G <int> rx 4096 tx 4096

Test whether Zeek is capturing all data

 cat capture_loss.log | bro-cut -d percent_lost
0.027187
0.186245
0.009625
0.180055
0.009548

If the percent_lost is more than 1% then something is not right. One of the issue we have seen is default setting of ethernet card which can be changed through ethtool. Full explanation is here: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

ethtool -K eth0 rx off
ethtool -K eth0 tx off
ethtool -K eth0 sg off
ethtool -K eth0 tso off
ethtool -K eth0 ufo off
ethtool -K eth0 gso off
ethtool -K eth0 gro off
ethtool -K eth0 lro off

It is better to check the default value first and then change one parameter at a time.