Zeek Installation and Configuration

Running Open-Source Libraries and Applications with Napatech SmartNICs

Platform: Napatech SmartNIC
Content Type: Application Note
Capture Software Version: Link™ Capture Software 12.11

Download and install Zeek with Napatech support, and configure Zeek to capture through libpcap.

Before you begin

Make sure that you have completed the following:

About this task

This procedure describes the commands to download and install Zeek with Napatech support, and to configure Zeek to capture through libpcap.
Note: It is also possible to use Zeek with Napatech's native interfaces. You can find the latest zeek-napatech plugin and the installation/configuration instructions at https://github.com/napatech/zeek_plugin.

Procedure

  1. Download the release package or clone the repository. In this example, the 4.0.3 release is used:
    wget https://download.zeek.org/zeek-4.0.3.tar.gz
    tar xzvf zeek-4.0.3.tar.gz
    cd zeek-4.0.3/
    Or clone the repository:
    git clone --recursive https://github.com/zeek/zeek
  2. Configure Zeek to enable Napatech support and prepare compilation.
    ./configure --prefix=/opt/napatech3 \
      --with-pcap=/opt/napatech3
  3. Build and install Zeek.
    make
    make install
  4. The default Zeek configuration is stored in the /opt/napatech3/etc/node.cfg file. Edit this file according to your specific configuration to use the Napatech interfaces.
    This example sets up 2 worker nodes that listen on the Napatech pcap devices napa0 and napa1.
    # Example ZeekControl node configuration.
    #
    # This example has a standalone node ready to go except for possibly changing
    # the sniffing interface.
    
    # This is a complete standalone configuration.  Most likely you will
    # only need to change the interface.
    #[zeek]
    #type=standalone
    #host=localhost
    #interface=eth0
    
    ## Below is an example clustered configuration. If you use this,
    ## remove the [zeek] node above.
    
    #[logger-1]
    #type=logger
    #host=localhost
    #
    [manager]
    type=manager
    host=localhost
    #
    [proxy-1]
    type=proxy
    host=localhost
    #
    [worker-1]
    type=worker
    host=localhost
    interface=napa0
    #
    [worker-2]
    type=worker
    host=localhost
    interface=napa1
    
    This configuration works with the default /opt/napatech3/config/ntpcap.ini file. See DN-0428 for more information about the Napatech libpcap configuration and the ntpcap.ini file.
  5. Start ntservice if it is not running.
    /opt/napatech3/bin/ntstart.sh
    An output example:
    Loading nt3gd driver                                        [Done]
    Creating driver device file                                 [Done]
    Loading nt3gd_netdev driver                                 [Done]
    Creating driver device file                                 [Done]
    Starting NTService (this may take a while)                  [Done]
  6. Start the ZeekControl shell, zeekctl.
    /opt/napatech3/bin/zeekctl
    An output example:
    Hint: Run the zeekctl "deploy" command to get started.
    
    Welcome to ZeekControl 2.3.0
    
    Type "help" for help.
    
    [ZeekControl] >
  7. Perform an initial installation of the ZeekControl configuration.
    [ZeekControl] > install
    An output example:
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.zeek ...
    generating local-networks.zeek ...
    generating zeekctl-config.zeek ...
    generating zeekctl-config.sh ...
    To validate the configuration, run the check command.
    [ZeekControl] > check
    An output example:
    manager scripts are ok.
    proxy-1 scripts are ok.
    worker-1 scripts are ok.
    worker-2 scripts are ok.
  8. Start up Zeek instances.
    [ZeekControl] > start
    An output example:
    starting manager ...
    starting proxy-1 ...
    starting worker-1 ...
    starting worker-2 ...
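
The following script is an added example, not part of the Napatech application note or of Zeek. It is a pre-flight check for the node.cfg edited in step 4: it lists each worker's capture interface and flags a worker with no interface, or two workers on the same host assigned the same interface. The function names list_workers and check_workers are hypothetical, the sample file is constructed, and treating a shared interface as an error is this example's own assumption.

```shell
# Print "name host interface" for each type=worker section ("-" = value missing).
list_workers() {
    awk '
        function emit() {
            if (type == "worker")
                print name, (host == "" ? "-" : host), (iface == "" ? "-" : iface)
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }    # trim whitespace
        /^#/ || /^$/ { next }                           # comments and blank lines
        /^\[/ { emit(); name = substr($0, 2, index($0, "]") - 2); type = host = iface = ""; next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "type") type = val
            else if (key == "host") host = val
            else if (key == "interface") iface = val
        }
        END { emit() }
    ' "$1"
}

# Return non-zero if a worker has no interface or two workers on a host share one.
check_workers() {
    list_workers "$1" | awk '
        { k = $2 " " $3 }
        $3 == "-" { print "ERROR: " $1 ": no interface set"; bad = 1; next }
        k in seen { print "ERROR: " $1 " and " seen[k] " share " $3 " on " $2; bad = 1; next }
        { seen[k] = $1 }
        END { exit bad + 0 }
    '
}

# Constructed sample input: manager and worker sections as in step 4.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[manager]
type=manager
[worker-1]
type=worker
host=localhost
interface=napa0
[worker-2]
type=worker
host=localhost
interface=napa1
EOF
check_workers "$sample" && echo "worker interfaces OK"
```

To check the real file, call check_workers /opt/napatech3/etc/node.cfg before running the zeekctl install and check commands.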