Zeek使用与实践探索

背景

之前的发了一篇zeek集群搭建的入门文章，其实也是我刚刚上手zeek记录的笔记。在实际环境中使用zeek，并没有预想的那样顺利。在生产环境中首先遇到的一座大山就是对大流量的处理。zeek集群刚刚部署之后，查看zeek流量统计数据，就发现了大量丢包的现象，最近终于将它解决，在这里分享给需要的人。

zeek为何丢包？

在上一篇zeek集群部署入门的文章中，我使用了pf_ring作为主机层流量负载的技术方案。按照官方说明，使用了pf_ring之后，进入网卡的流量会负载分担给各个zeek worker角色的进程进行处理。然而事情并没有这样理想地发展。

首先我们来看一下zeek node.cfg的配置，这里可以看到我们使用pf_ring作为LB技术，并且分配了28个CPU核心给28个worker进程进行负载分担。bond1接口是在服务端做的链路聚合，将eth2和eth3两块25Gbps网卡聚合成了50Gbps的通信链路。

[manager]type=managerhost=localhost[proxy-1]type=proxyhost=localhost[zeek02-bond1]type=workerhost=localhostinterface=bond1lb_method=af_packetlb_procs=28pin_cpus=3,5,7,9,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34[logger-1]type=loggerhost=localhost[logger-2]type=loggerhost=localhost[logger-3]type=loggerhost=localhost

现在我们运行zeekctl netstat命令，查看网络流量的数据统计如下：

root@nta02:/# zeekctl netstatszeek02-bond1-1: 1694159438.391230 recvd=6533 dropped=670445 link=676978zeek02-bond1-2: 1694159438.447574 recvd=15945 dropped=1301557 link=1317502zeek02-bond1-3: 1694159438.285937 recvd=8718 dropped=1506410 link=1515128zeek02-bond1-4: 1694159438.496734 recvd=22438 dropped=2335289 link=2357727zeek02-bond1-5: 1694159438.265019 recvd=5217 dropped=583178 link=588395zeek02-bond1-6: 1694159438.556789 recvd=45111 dropped=1903845 link=1948956zeek02-bond1-7: 1694159464.462068 recvd=1201469 dropped=0 link=1201469zeek02-bond1-8: 1694159438.490893 recvd=26666 dropped=1481306 link=1507972zeek02-bond1-9: 1694159438.359363 recvd=22526 dropped=2468983 link=2491509zeek02-bond1-10: 1694159438.520350 recvd=72319 dropped=1384195 link=1456514zeek02-bond1-11: 1694159438.246753 recvd=11426 dropped=2671139 link=2682565zeek02-bond1-12: 1694159464.549352 recvd=1318128 dropped=0 link=1318128zeek02-bond1-13: 1694159438.224645 recvd=16552 dropped=1320935 link=1337487zeek02-bond1-14: 1694159438.428478 recvd=42535 dropped=2058948 link=2101483zeek02-bond1-15: 1694159438.283047 recvd=10731 dropped=785031 link=795762zeek02-bond1-16: 1694159464.609429 recvd=2147328 dropped=0 link=2147328zeek02-bond1-17: 1694159438.292624 recvd=4902 dropped=2128862 link=2133764zeek02-bond1-18: 1694159464.640458 recvd=2924760 dropped=0 link=2924760zeek02-bond1-19: 1694159438.238926 recvd=8096 dropped=1312036 link=1320132zeek02-bond1-20: 1694159464.670807 recvd=2254910 dropped=0 link=2254910zeek02-bond1-21: 1694159464.694407 recvd=1924510 dropped=0 link=1924510zeek02-bond1-22: 1694159464.707820 recvd=943997 dropped=0 link=943997zeek02-bond1-23: 1694159438.578137 recvd=41455 dropped=2848792 link=2890247zeek02-bond1-24: 1694159464.737314 recvd=1957657 dropped=0 link=1957657zeek02-bond1-25: 1694159438.292490 recvd=8346 dropped=2052514 link=2060860zeek02-bond1-26: 1694159438.500766 recvd=36634 dropped=3126343 link=3162977zeek02-bond1-27: 1694159438.236779 recvd=6075 dropped=2207839 link=2213914zeek02-bond1-28: 1694159438.570095 recvd=52019 dropped=1939836 link=1991855

可以看到28个worker进程，只有8个进程丢包数为0，其他进程或多或少都存在丢包的现象。起初，我们怀疑是服务器的处理性能不足以支撑交换机镜像过来的流量大小，于是考虑给zeek减负，主要从两个方面进行尝试，一是zeek默认会解析所有协议，数据包进来之后处理流程可能过长，那关闭一些无关紧要的脚本应该可以解决丢包问题；二是对流量进行筛选，在流量进入zeek之前，先使用tcpdump过滤器语法将需要分析的流量筛选出来。

首先我尝试通过第一种方法去解决丢包的问题，zeek脚本的初始化，从/usr/share/zeek/share/zeek/base目录下的四个脚本开始加载，分别是：

init-bare.zeek
init-default.zeek
init-frameworks-and-bifs.zeek
init-supervisor.zeek

以上脚本均不建议直接修改（因为我改过，然后zeek启动就报错了！），其中init-default.zeek是zeek默认启用一些功能性脚本的文件，可以通过在启动zeek时添加-b参数来禁用init-default.zeek。

那问题来了，单独启动zeek很容易，在集群化的环境如何给zeek添加启动参数呢？经过查看zeekctl的源码，可以发现zeekctl在读取配置文件时有一个ZeekArgs的参数，通过这个参数可以向zeek指定命令行参数。

于是我们可以修改zeekctl.cfg配置文件，添加如下配置来禁用init-default.zeek脚本。

ZeekArgs=-b

除了默认的init-default.zeek脚本外，在/usr/share/zeek/share/zeek/site目录下，还有zeek提供给使用者自定义加载脚本的local.zeek。我们打开这个脚本文件，将不必要的功能进行注释，最终保留的内容如下：

redef digest_salt = "Please change this value.";@load misc/loaded-scripts@load tuning/defaults@load misc/capture-loss@load misc/stats

修改配置后需要重新部署zeek集群，使用如下命令：

zeekctl deploy

经过这一番操作，再次查看zeek流量数据统计，发现丢包的问题依然没有改善。那只能通过第二种方法来做了。

通过查阅资料可知，zeek在启动时可以通过-f参数使用tcpdump的过滤器语法对接收的流量进行过滤。这里将使用的需求降到最低，只要求zeek能够记录tcp连接日志，因此我们过滤流量，只保留TCP三次握手的前两个包。修改zeekctl.cfg配置文件的ZeekArgs参数如下：

ZeekArgs=-b -f "tcp[13] == 0x02 or tcp[13] == 0x12"

再次重新部署zeek集群，现在查看数据统计发现zeek不会丢包了，但这样一来，zeek本身的价值也发挥不出来了。

在请教了一位大佬之后，我使用zeekctl top命令查看worker进程的cpu占用，发现存在丢包的进程cpu占用都是0%。这说明我们分配给zeek进程的cpu并没有真正发挥作用，所以进程才频繁的丢包。

root@nta02:/# zeekctl topName         Type    Host             Pid     VSize  Rss  Cpu   Cmdlogger-1     logger  localhost        566       2G   107M   0%  zeeklogger-2     logger  localhost        564       2G   107M   0%  zeeklogger-3     logger  localhost        565       2G   107M   0%  zeekmanager      manager localhost        656     895M   104M   6%  zeekproxy-1      proxy   localhost        707     895M   104M   6%  zeekzeek02-bond1-1 worker  localhost        1188    817M   161M   0%  zeekzeek02-bond1-2 worker  localhost        1187    816M   160M   0%  zeekzeek02-bond1-3 worker  localhost        1172    813M   156M   0%  zeekzeek02-bond1-4 worker  localhost        1184    819M   163M   0%  zeekzeek02-bond1-5 worker  localhost        1182    812M   155M   0%  zeekzeek02-bond1-6 worker  localhost        1169    824M   168M   0%  zeekzeek02-bond1-7 worker  localhost        1173    888M   232M  33%  zeekzeek02-bond1-8 worker  localhost        1164    822M   165M   0%  zeekzeek02-bond1-9 worker  localhost        1163    820M   163M   0%  zeekzeek02-bond1-10 worker  localhost        1162    830M   173M   0%  zeekzeek02-bond1-11 worker  localhost        1185    815M   158M   0%  zeekzeek02-bond1-12 worker  localhost        1161    894M   238M  20%  zeekzeek02-bond1-13 worker  localhost        1165    815M   158M   0%  zeekzeek02-bond1-14 worker  localhost        1186    823M   166M   0%  zeekzeek02-bond1-15 worker  localhost        1177    815M   158M   0%  zeekzeek02-bond1-16 worker  localhost        1176    900M   244M  60%  zeekzeek02-bond1-17 worker  localhost        1181    812M   156M   0%  zeekzeek02-bond1-18 worker  localhost        1171    904M   249M  53%  zeekzeek02-bond1-19 worker  localhost        1175    813M   157M   0%  zeekzeek02-bond1-20 worker  localhost        1170    903M   247M  73%  zeekzeek02-bond1-21 worker  localhost        1178    893M   237M  46%  zeekzeek02-bond1-22 worker  localhost        1183    898M   242M  40%  zeekzeek02-bond1-23 worker  localhost        1180    820M   163M   0%  zeekzeek02-bond1-24 worker  localhost        1168    906M   250M  53%  zeekzeek02-bond1-25 worker  localhost        1174    813M   157M   0%  zeekzeek02-bond1-26 worker  localhost        1167    821M   164M   0%  zeekzeek02-bond1-27 worker  localhost        1179    812M   156M   6%  zeekzeek02-bond1-28 worker  localhost        1166    825M   168M   0%  zeek

此时联想到了zeek官方文档中提到的AF_PACKET进行负载的方案，由于在最初编译安装zeek时没有禁用AF_PACKET，在我尝试关闭一些无用脚本比如/usr/share/zeek/share/zeek/builtin-plugins/Zeek_AF_Packet时，重启zeek会报错。于是，修改node.cfg配置文件，将pf_ring替换为AF_PACKET。

[zeek02-bond1]type=workerhost=localhostinterface=bond1lb_method=af_packetlb_procs=28pin_cpus=3,5,7,9,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34

保存配置重新部署zeek集群，再次查看zeek数据统计，zeek终于不丢包了！

root@nta02:/usr/share/zeek/etc# zeekctl netstatszeek02-bond1-1: 1694159960.666546 recvd=3045526 dropped=0 link=3045564zeek02-bond1-2: 1694159960.692620 recvd=4102243 dropped=0 link=4102276zeek02-bond1-3: 1694159960.712118 recvd=4966130 dropped=0 link=4966257zeek02-bond1-4: 1694159960.726718 recvd=4778229 dropped=0 link=4778957zeek02-bond1-5: 1694159960.749125 recvd=5226613 dropped=0 link=5226984zeek02-bond1-6: 1694159960.765813 recvd=4003028 dropped=0 link=4003333zeek02-bond1-7: 1694159960.790069 recvd=5086618 dropped=0 link=5086782zeek02-bond1-8: 1694159960.820395 recvd=4997965 dropped=0 link=4998014zeek02-bond1-9: 1694159960.837379 recvd=5539034 dropped=0 link=5539636zeek02-bond1-10: 1694159960.866013 recvd=4343802 dropped=0 link=4343926zeek02-bond1-11: 1694159960.878957 recvd=11358301 dropped=0 link=11358970zeek02-bond1-12: 1694159960.900467 recvd=5312214 dropped=0 link=5312403zeek02-bond1-13: 1694159960.918137 recvd=3414226 dropped=0 link=3414439zeek02-bond1-14: 1694159960.932650 recvd=7208365 dropped=0 link=7208958zeek02-bond1-15: 1694159960.957302 recvd=7564861 dropped=0 link=7565401zeek02-bond1-16: 1694159960.977188 recvd=3424952 dropped=0 link=3425441zeek02-bond1-17: 1694159961.003142 recvd=4345309 dropped=0 link=4345541zeek02-bond1-18: 1694159961.024227 recvd=3759917 dropped=0 link=3760272zeek02-bond1-19: 1694159961.044002 recvd=6850704 dropped=0 link=6850845zeek02-bond1-20: 1694159961.059637 recvd=8074489 dropped=0 link=8074719zeek02-bond1-21: 1694159961.084143 recvd=5373912 dropped=0 link=5374542zeek02-bond1-22: 1694159961.113408 recvd=4765364 dropped=0 link=4765504zeek02-bond1-23: 1694159961.131650 recvd=3199403 dropped=0 link=3199582zeek02-bond1-24: 1694159961.144580 recvd=11335561 dropped=0 link=11336418zeek02-bond1-25: 1694159961.169301 recvd=4381337 dropped=0 link=4381438zeek02-bond1-26: 1694159961.191095 recvd=3634266 dropped=0 link=3634320zeek02-bond1-27: 1694159961.214476 recvd=3493171 dropped=0 link=3493191zeek02-bond1-28: 1694159961.233991 recvd=5240630 dropped=0 link=5241309

再来看一下worker进程的cpu占用情况，发现所有的进程cpu利用率都大于0%了。一切正常！

root@nta02:/# zeekctl topName         Type    Host             Pid     VSize  Rss  Cpu   Cmdlogger-1     logger  localhost        3430      2G    96M   0%  zeeklogger-2     logger  localhost        3428      2G    97M   0%  zeeklogger-3     logger  localhost        3429      2G    97M   0%  zeekmanager      manager localhost        3520    880M    89M   0%  zeekproxy-1      proxy   localhost        3571    879M    88M   0%  zeekzeek02-bond1-1 worker  localhost        4031    923M   267M  20%  zeekzeek02-bond1-2 worker  localhost        4045    919M   262M  33%  zeekzeek02-bond1-3 worker  localhost        4029    924M   268M  40%  zeekzeek02-bond1-4 worker  localhost        4041    922M   267M  13%  zeekzeek02-bond1-5 worker  localhost        4030    920M   265M  26%  zeekzeek02-bond1-6 worker  localhost        4043    926M   270M  26%  zeekzeek02-bond1-7 worker  localhost        4025    923M   267M  20%  zeekzeek02-bond1-8 worker  localhost        4038    923M   267M  26%  zeekzeek02-bond1-9 worker  localhost        4037    925M   269M  20%  zeekzeek02-bond1-10 worker  localhost        4048    924M   269M  26%  zeekzeek02-bond1-11 worker  localhost        4026    922M   266M  26%  zeekzeek02-bond1-12 worker  localhost        4039    934M   278M  20%  zeekzeek02-bond1-13 worker  localhost        4027    920M   265M  26%  zeekzeek02-bond1-14 worker  localhost        4046    926M   270M  33%  zeekzeek02-bond1-15 worker  localhost        4032    927M   272M  26%  zeekzeek02-bond1-16 worker  localhost        4050    925M   270M  26%  zeekzeek02-bond1-17 worker  localhost        4047    921M   266M  53%  zeekzeek02-bond1-18 worker  localhost        4044    926M   270M  46%  zeekzeek02-bond1-19 worker  localhost        4040    923M   267M  20%  zeekzeek02-bond1-20 worker  localhost        4035    926M   271M  46%  zeekzeek02-bond1-21 worker  localhost        4034    922M   267M  20%  zeekzeek02-bond1-22 worker  localhost        4028    923M   267M  26%  zeekzeek02-bond1-23 worker  localhost        4033    923M   267M  20%  zeekzeek02-bond1-24 worker  localhost        4052    925M   270M  26%  zeekzeek02-bond1-25 worker  localhost        4036    923M   268M  20%  zeekzeek02-bond1-26 worker  localhost        4042    926M   270M  40%  zeekzeek02-bond1-27 worker  localhost        4051    922M   266M  46%  zeekzeek02-bond1-28 worker  localhost        4049    925M   269M  33%  zeek

不过这里遗留了一个问题，在使用上述配置运行zeek后，我发现在/usr/share/zeek/logs/current目录下，zeek没有产生任何协议分析结果的日志。这应该是因为我们使用了-b参数，又在local.zeek脚本中注释了大量原本默认启用的脚本造成的。

现在我们想对zeek进行定制化，只记录conn.log, http.log, dns.log，这需要在local.zeek脚本中启用这三个协议。zeek默认会启用所有协议分析器，因此我们还需要禁用所有的协议分析器，只开启http和dns的协议分析器。具体的脚本配置如下：

root@nta02:/# zeekctl netstatszeek02-bond1-1: 1694159438.391230 recvd=6533 dropped=670445 link=676978zeek02-bond1-2: 1694159438.447574 recvd=15945 dropped=1301557 link=1317502zeek02-bond1-3: 1694159438.285937 recvd=8718 dropped=1506410 link=1515128zeek02-bond1-4: 1694159438.496734 recvd=22438 dropped=2335289 link=2357727zeek02-bond1-5: 1694159438.265019 recvd=5217 dropped=583178 link=588395zeek02-bond1-6: 1694159438.556789 recvd=45111 dropped=1903845 link=1948956zeek02-bond1-7: 1694159464.462068 recvd=1201469 dropped=0 link=1201469zeek02-bond1-8: 1694159438.490893 recvd=26666 dropped=1481306 link=1507972zeek02-bond1-9: 1694159438.359363 recvd=22526 dropped=2468983 link=2491509zeek02-bond1-10: 1694159438.520350 recvd=72319 dropped=1384195 link=1456514zeek02-bond1-11: 1694159438.246753 recvd=11426 dropped=2671139 link=2682565zeek02-bond1-12: 1694159464.549352 recvd=1318128 dropped=0 link=1318128zeek02-bond1-13: 1694159438.224645 recvd=16552 dropped=1320935 link=1337487zeek02-bond1-14: 1694159438.428478 recvd=42535 dropped=2058948 link=2101483zeek02-bond1-15: 1694159438.283047 recvd=10731 dropped=785031 link=795762zeek02-bond1-16: 1694159464.609429 recvd=2147328 dropped=0 link=2147328zeek02-bond1-17: 1694159438.292624 recvd=4902 dropped=2128862 link=2133764zeek02-bond1-18: 1694159464.640458 recvd=2924760 dropped=0 link=2924760zeek02-bond1-19: 1694159438.238926 recvd=8096 dropped=1312036 link=1320132zeek02-bond1-20: 1694159464.670807 recvd=2254910 dropped=0 link=2254910zeek02-bond1-21: 1694159464.694407 recvd=1924510 dropped=0 link=1924510zeek02-bond1-22: 1694159464.707820 recvd=943997 dropped=0 link=943997zeek02-bond1-23: 1694159438.578137 recvd=41455 dropped=2848792 link=2890247zeek02-bond1-24: 1694159464.737314 recvd=1957657 dropped=0 link=1957657zeek02-bond1-25: 1694159438.292490 recvd=8346 dropped=2052514 link=2060860zeek02-bond1-26: 1694159438.500766 recvd=36634 dropped=3126343 link=3162977zeek02-bond1-27: 1694159438.236779 recvd=6075 dropped=2207839 link=2213914zeek02-bond1-28: 1694159438.570095 recvd=52019 dropped=1939836 link=19918550

完成上述配置后，再来查看zeek日志记录情况，可以看到现在只有conn, http, dns协议相关日志。

root@nta02:/# zeekctl netstatszeek02-bond1-1: 1694159438.391230 recvd=6533 dropped=670445 link=676978zeek02-bond1-2: 1694159438.447574 recvd=15945 dropped=1301557 link=1317502zeek02-bond1-3: 1694159438.285937 recvd=8718 dropped=1506410 link=1515128zeek02-bond1-4: 1694159438.496734 recvd=22438 dropped=2335289 link=2357727zeek02-bond1-5: 1694159438.265019 recvd=5217 dropped=583178 link=588395zeek02-bond1-6: 1694159438.556789 recvd=45111 dropped=1903845 link=1948956zeek02-bond1-7: 1694159464.462068 recvd=1201469 dropped=0 link=1201469zeek02-bond1-8: 1694159438.490893 recvd=26666 dropped=1481306 link=1507972zeek02-bond1-9: 1694159438.359363 recvd=22526 dropped=2468983 link=2491509zeek02-bond1-10: 1694159438.520350 recvd=72319 dropped=1384195 link=1456514zeek02-bond1-11: 1694159438.246753 recvd=11426 dropped=2671139 link=2682565zeek02-bond1-12: 1694159464.549352 recvd=1318128 dropped=0 link=1318128zeek02-bond1-13: 1694159438.224645 recvd=16552 dropped=1320935 link=1337487zeek02-bond1-14: 1694159438.428478 recvd=42535 dropped=2058948 link=2101483zeek02-bond1-15: 1694159438.283047 recvd=10731 dropped=785031 link=795762zeek02-bond1-16: 1694159464.609429 recvd=2147328 dropped=0 link=2147328zeek02-bond1-17: 1694159438.292624 recvd=4902 dropped=2128862 link=2133764zeek02-bond1-18: 1694159464.640458 recvd=2924760 dropped=0 link=2924760zeek02-bond1-19: 1694159438.238926 recvd=8096 dropped=1312036 link=1320132zeek02-bond1-20: 1694159464.670807 recvd=2254910 dropped=0 link=2254910zeek02-bond1-21: 1694159464.694407 recvd=1924510 dropped=0 link=1924510zeek02-bond1-22: 1694159464.707820 recvd=943997 dropped=0 link=943997zeek02-bond1-23: 1694159438.578137 recvd=41455 dropped=2848792 link=2890247zeek02-bond1-24: 1694159464.737314 recvd=1957657 dropped=0 link=1957657zeek02-bond1-25: 1694159438.292490 recvd=8346 dropped=2052514 link=2060860zeek02-bond1-26: 1694159438.500766 recvd=36634 dropped=3126343 link=3162977zeek02-bond1-27: 1694159438.236779 recvd=6075 dropped=2207839 link=2213914zeek02-bond1-28: 1694159438.570095 recvd=52019 dropped=1939836 link=19918551

其他优化点

我们都知道zeek记录日志的特性，即在一个传输层会话建立后，生成唯一id，这个会话上层应用层的日志会复用这个id。但是刚开始运行zeek时，我发现这个特性并没有成功。例如这里尝试访问一个Web站点，zeek记录了相对应的TCP会话和HTTP日志。但是会话ID不一致。

这是由于网卡的offload特性导致的。只要我们将一些offload机制关闭就可以了。

这里根据WLCG Operational Security团队的建议，使用如下命令关闭网卡的offload技术。

root@nta02:/# zeekctl netstatszeek02-bond1-1: 1694159438.391230 recvd=6533 dropped=670445 link=676978zeek02-bond1-2: 1694159438.447574 recvd=15945 dropped=1301557 link=1317502zeek02-bond1-3: 1694159438.285937 recvd=8718 dropped=1506410 link=1515128zeek02-bond1-4: 1694159438.496734 recvd=22438 dropped=2335289 link=2357727zeek02-bond1-5: 1694159438.265019 recvd=5217 dropped=583178 link=588395zeek02-bond1-6: 1694159438.556789 recvd=45111 dropped=1903845 link=1948956zeek02-bond1-7: 1694159464.462068 recvd=1201469 dropped=0 link=1201469zeek02-bond1-8: 1694159438.490893 recvd=26666 dropped=1481306 link=1507972zeek02-bond1-9: 1694159438.359363 recvd=22526 dropped=2468983 link=2491509zeek02-bond1-10: 1694159438.520350 recvd=72319 dropped=1384195 link=1456514zeek02-bond1-11: 1694159438.246753 recvd=11426 dropped=2671139 link=2682565zeek02-bond1-12: 1694159464.549352 recvd=1318128 dropped=0 link=1318128zeek02-bond1-13: 1694159438.224645 recvd=16552 dropped=1320935 link=1337487zeek02-bond1-14: 1694159438.428478 recvd=42535 dropped=2058948 link=2101483zeek02-bond1-15: 1694159438.283047 recvd=10731 dropped=785031 link=795762zeek02-bond1-16: 1694159464.609429 recvd=2147328 dropped=0 link=2147328zeek02-bond1-17: 1694159438.292624 recvd=4902 dropped=2128862 link=2133764zeek02-bond1-18: 1694159464.640458 recvd=2924760 dropped=0 link=2924760zeek02-bond1-19: 1694159438.238926 recvd=8096 dropped=1312036 link=1320132zeek02-bond1-20: 1694159464.670807 recvd=2254910 dropped=0 link=2254910zeek02-bond1-21: 1694159464.694407 recvd=1924510 dropped=0 link=1924510zeek02-bond1-22: 1694159464.707820 recvd=943997 dropped=0 link=943997zeek02-bond1-23: 1694159438.578137 recvd=41455 dropped=2848792 link=2890247zeek02-bond1-24: 1694159464.737314 recvd=1957657 dropped=0 link=1957657zeek02-bond1-25: 1694159438.292490 recvd=8346 dropped=2052514 link=2060860zeek02-bond1-26: 1694159438.500766 recvd=36634 dropped=3126343 link=3162977zeek02-bond1-27: 1694159438.236779 recvd=6075 dropped=2207839 link=2213914zeek02-bond1-28: 1694159438.570095 recvd=52019 dropped=1939836 link=19918552