Intel's DPDK is a mature, highly-optimized library for fast packet capture and generation. This plugin allows the Zeek Network Security Monitor to use it.
Install Zeek and zkg, and configure zkg.
Installing the DPDK libraries and kernel module differs based on your distribution:
sudo apt install dpdkDPDK ships with a helper script, which makes it easy to bind your network card. Start by viewing the current status:
$ dpdk-devbind.py --status
Network devices using kernel driver
===================================
0000:00:05.0 'Elastic Network Adapter (ENA) ec20' if=ens5 drv=ena unused=igb_uio,vfio-pci *Active*
0000:00:06.0 'Elastic Network Adapter (ENA) ec20' if=ens6 drv=ena unused=igb_uio,vfio-pciOnce you've determined which network device you want to use for Zeek, you can bind it to your DPDK-aware driver:
$ sudo dpdk-devbind.py --bind=vfio-pci 00:06.0
$ dpdk-devbind.py --status
Network devices using DPDK-compatible driver
============================================
0000:00:06.0 'Elastic Network Adapter (ENA) ec20' drv=vfio-pci unused=ena,igb_uio
Network devices using kernel driver
===================================
0000:00:05.0 'Elastic Network Adapter (ENA) ec20' if=ens5 drv=ena unused=igb_uio,vfio-pci *Active*sudo apt install cmake build-essentialsecho 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
zeek -i dpdk::auto[worker-1]
type=worker
host=localhost
interface=dpdk::auto
lb_method=custom
lb_procs=8