When I run a PCAP though the the Zeek command it parses the pcap and creates the logs as intended. However, when I use a packet replay tool to play the packets over a monitored interface it does not parse the pcap. I can see the PCAP on the interface with wireshark, and wireshark parses it correctly. I can also see the traffic in Conn.logs, but never get the parsed logs outputted. Zeek shows that the scripts loaded. I do not know if this is just a capability/functionality issue, or if this is an actual bug. It is also possible that it is specific to only replayed packets. I do not have actual live ICS traffic that I can monitor, so I need to make sure that it does in fact work at parsing live traffic.
🐛 Summary
When I run a PCAP though the the Zeek command it parses the pcap and creates the logs as intended. However, when I use a packet replay tool to play the packets over a monitored interface it does not parse the pcap. I can see the PCAP on the interface with wireshark, and wireshark parses it correctly. I can also see the traffic in Conn.logs, but never get the parsed logs outputted. Zeek shows that the scripts loaded. I do not know if this is just a capability/functionality issue, or if this is an actual bug. It is also possible that it is specific to only replayed packets. I do not have actual live ICS traffic that I can monitor, so I need to make sure that it does in fact work at parsing live traffic.