Proper way to run zeek without port mirroring?

luxfx · March 9, 2025, 10:44pm

I’m interested in monitoring my network with zeek. I’m new at all of this, just self learning in my homelab.

I’d like zeek to analyze everything going through my router. However from what I’ve gathered, my CCR2004 doesn’t have a switch chip, so I can’t use port mirroring, which seems like the preferred way of using zeek.

What is the proper alternative for my router? ChatGPT suggests either using a bridge filter with a ‘mirror’ action, or running a sniffer. Winbox doesn’t give me ‘mirror’ as an action option so that could just be ChatGPT hallucinating. Sniffing seems to be something I have to run manually, so I think it wouldn’t survive a reboot.

I could use trafficflow, I’ve done that before, but from what I understand it’s just sending a summary and would hobble the functionality of zeek.

Any suggestions?

panisk0 · March 9, 2025, 11:46pm

You could use mange rule:

/interface/bridge/settings/set use-ip-firewall=yes
/ip/firewall/mangle add action=sniff-tzsp chain=forward in-interface=bridge sniff-target=10.10.10.10 sniff-target-port=37006

luxfx · March 11, 2025, 7:56pm

Would tzsp wrapped packets have as much information as a full mirror, or would it be more limited like a TrafficFlow / NetFlow setup?

panisk0 · March 12, 2025, 7:12am

https://en.wikipedia.org/wiki/TZSP

full encapsulated

for zeek it may be necessary to use
https://github.com/thefloweringash/tzsp2pcap