The Bro Mac OS

Zeek provides a comprehensive platform for network traffic analysis, with a particular focus on semantic security monitoring at scale. While often compared to classic intrusion detection/prevention systems, Zeek takes a quite different approach by providing users with a flexible framework that facilitates customized, in-depth monitoring far beyond the capabilities of traditional systems. Want to book us? Facebook Instagram Youtube Envelope. Share your videos with friends, family, and the world.

Your Mac provides several tools to help you identify it. The simplest is About This Mac, available by choosing About This Mac from the Apple menu  in the top left-hand corner of your screen. The other is the System Information app. Find out how to use these tools to identify your Mac.

If you don’t have your Mac or it doesn’t start up, use one of these solutions instead:

  • Find the serial number printed on the underneath of your Mac, near the regulatory markings. It's also on the original packaging, next to the barcode label. You can then enter that serial number on the Check Coverage page to find your model.
  • The original packaging may also display an Apple part number, such as MLH12xx/A (“xx” is a variable that differs by country or region). You can match the Apple part number to one on the list below to find your model.

List of MacBook Pro models

MacBook Pro models are organised by the year they were introduced, starting with the most recent. Click the model name for detailed technical specifications.

MacBook Pro models from late 2013 and newer can run the latest version of macOS. For older models, the latest compatible operating system is noted.

2020

MacBook Pro (13-inch, M1, 2020)
Colours: silver, space grey
Model Identifier: MacBookPro17,1
Part Numbers: MYD83xx/A, MYD92xx/A, MYDA2xx/A, MYDC2xx/A
Tech Specs: MacBook Pro (13-inch, M1, 2020)
User Guide: MacBook Pro (13-inch, M1, 2020)

MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro16,3
Part Numbers: MXK32xx/A, MXK52xx/A, MXK62xx/A, MXK72xx/A
Tech Specs: MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)

MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro16,2
Part Numbers: MWP42xx/A, MWP52xx/A, MWP62xx/A, MWP72xx/A, MWP82xx/A
Tech Specs: MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)

2019

MacBook Pro (16-inch, 2019)
Colours: silver, space grey
Model Identifier: MacBookPro16,1, MacBookPro16,4
Part Numbers: MVVJ2xx/A, MVVK2xx/A, MVVL2xx/A, MVVM2xx/A
Tech Specs: MacBook Pro (16-inch, 2019)
User guide: MacBook Pro (16-inch, 2019)

MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro15,4
Part Numbers: MUHN2xx/A, MUHP2xx/a, MUHQ2xx/A, MUHR2xx/A, MUHR2xx/B
Tech Specs: MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)

Attack of the time gobbler - 2 plane flying mac os. MacBook Pro (15-inch, 2019)
Colours: silver, space grey
Model Identifier: MacBookPro15,1, MacBookPro15,3
Part Numbers: MV902xx/A, MV912xx/A, MV922xx/A, MV932xx/A, MV942xx/A, MV952xx/A
Tech Specs: MacBook Pro (15-inch, 2019)
User Guide: MacBook Pro (15-inch, 2019)

MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro15,2
Part Numbers: MV962xx/A, MV972xx/A, MV982xx/A, MV992xx/A, MV9A2xx/A
Tech Specs: MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)

2018

MacBook Pro (15-inch, 2018)
Colours: silver, space grey
Model Identifier: MacBookPro15,1
Part Numbers: MR932xx/A, MR942xx/A, MR952xx/A, MR962xx/A, MR972xx/A, MUQH2xx/A
Tech Specs: MacBook Pro (15-inch, 2018)
User Guide: MacBook Pro (15-inch, 2018)

MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro15,2
Part Numbers: MR9Q2xx/A, MR9R2xx/A, MR9T2xx/A, MR9U2xx/A, MR9V2xx/A
Tech Specs: MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)

2017

MacBook Pro (15-inch, 2017)
Colours: silver, space grey
Model Identifier: MacBookPro14,3
Part Numbers: MPTR2xx/A, MPTT2xx/A, MPTU2xx/A, MPTV2xx/A, MPTW2xx/A, MPTX2xx/A
Tech Specs: MacBook Pro (15-inch, 2017)
User Guide: MacBook Pro (15-inch, 2017)

MacBook Pro (13-inch, 2017, Four Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro14,2
Part Numbers: MPXV2xx/A, MPXW2xx/A, MPXX2xx/A, MPXY2xx/A, MQ002xx/A, MQ012xx/A
Tech Specs: MacBook Pro (13-inch, 2017, Four Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2017, Four Thunderbolt 3 ports)

MacBook Pro (13-inch, 2017, Two Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro14,1
Part Numbers: MPXQ2xx/A, MPXR2xx/A, MPXT2xx/A, MPXU2xx/A
Tech Specs: MacBook Pro (13-inch, 2017, Two Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2017, Two Thunderbolt 3 ports)

2016

MacBook Pro (15-inch, 2016)
Colours: silver, space grey
Model Identifier: MacBookPro13,3
Part Numbers: MLH32xx/A, MLH42xx/A, MLH52xx/A, MLW72xx/A, MLW82xx/A, MLW92xx/A
Tech Specs: MacBook Pro (15-inch, 2016)
User Guide: MacBook Pro (15-inch, 2016)

MacBook Pro (13-inch, 2016, Four Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro13,2
Part Numbers: MLH12xx/A, MLVP2xx/A, MNQF2xx/A, MNQG2xx/A, MPDK2xx/A, MPDL2xx/A
Tech Specs: MacBook Pro (13-inch, 2016, Four Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2016, Four Thunderbolt 3 ports)

MacBook Pro (13-inch, 2016, Two Thunderbolt 3 ports)
Colours: silver, space grey
Model Identifier: MacBookPro13,1
Part Numbers: MLL42xx/A, MLUQ2xx/A
Tech Specs: MacBook Pro (13-inch, 2016, Two Thunderbolt 3 ports)
User Guide: MacBook Pro (13-inch, 2016, Two Thunderbolt 3 ports)

2015

MacBook Pro (Retina, 15-inch, Mid 2015)
Model Identifier: MacBookPro11,4, MacBookPro11,5
Part Number: MJLQ2xx/A, MJLT2xx/A, MJLU2xx/A
Tech Specs: MacBook Pro (Retina, 15-inch, Mid 2015)
User Guide: MacBook Pro (Retina, 15-inch, Mid 2015)

MacBook Pro (Retina, 13-inch, Early 2015)
Model Identifier: MacBookPro12,1
Part Numbers: MF839xx/A, MF840xx/A, MF841xx/A, MF843xx/A
Tech Specs: MacBook Pro (Retina, 13-inch, Early 2015)
User Guide: MacBook Pro (Retina, 13-inch, Early 2015)

2014

MacBook Pro (Retina, 15-inch, Mid 2014)
Model Identifier: MacBookPro11,2, MacBookPro11,3
Part Number: MGXC2xx/A, MGXA2xx/A
Tech Specs: MacBook Pro (Retina, 15-inch, Mid 2014)
User Guide: MacBook Pro (Retina, 15-inch, Mid 2014)

MacBook Pro (Retina, 13-inch, Mid 2014)
Model Identifier: MacBookPro11,1
Part Numbers: MGX72xx/A, MGX82xx/A, MGX92xx/A
Tech Specs: MacBook Pro (Retina, 13-inch, Mid 2014)
User Guide: MacBook Pro (Retina, 13-inch, Mid 2014)

2013

MacBook Pro (Retina, 15-inch, Late 2013)
Model Identifier: MacBookPro11,2, MacBookPro11,3
Part Number: ME293xx/A, ME294xx/A
Tech Specs: MacBook Pro (Retina, 15-inch, Late 2013)
User Guide: MacBook Pro (Retina, 15-inch, Late 2013)

MacBook Pro (Retina, 13-inch, Late 2013)
Model Identifier: MacBookPro11,1
Part Numbers: ME864xx/A, ME865xx/A, ME866xx/A
Tech Specs: MacBook Pro (Retina, 13-inch, Late 2013)
User Guide: MacBook Pro (Retina, 13-inch, Late 2013)

MacBook Pro (Retina, 15-inch, Early 2013)
Model Identifier: MacBookPro10,1
Part Numbers: ME664xx/A, ME665xx/A
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (Retina, 15-inch, Early 2013)
User Guide: MacBook Pro (Retina, 15-inch, Early 2013)

MacBook Pro (Retina, 13-inch, Early 2013)
Model Identifier: MacBookPro10,2
Part Numbers: MD212xx/A, ME662xx/A
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (Retina, 13-inch, Early 2013)
User Guide: MacBook Pro (Retina, 13-inch, Early 2013)

2012

MacBook Pro (Retina, 13-inch, Late 2012)
Model Identifier: MacBookPro10,2
Part Numbers: MD212xx/A, MD213xx/A
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (Retina, 13-inch, Late 2012)
User Guide: MacBook Pro (Retina, 13-inch, Late 2012)

MacBook Pro (Retina, 15-inch, Mid 2012)
Model Identifier: MacBookPro10,1
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (Retina, 15-inch, Mid 2012)
User Guide: MacBook Pro (Retina, 15-inch, Mid 2012)

MacBook Pro (15-inch, Mid 2012)
Model Identifier: MacBookPro9,1
Part Numbers: MD103xx/A, MD104xx/A
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (15-inch, Mid 2012)
User Guide: MacBook Pro (15-inch, Mid 2012)

MacBook Pro (13-inch, Mid 2012)
Model Identifier: MacBookPro9,2
Part Numbers: MD101xx/A, MD102xx/A
Newest compatible operating system: macOS Catalina 10.15.7
Tech Specs: MacBook Pro (13-inch, Mid 2012)
User Guide: MacBook Pro (13-inch, Mid 2012)

2011

MacBook Pro (17-inch, Late 2011)
Model Identifier: MacBookPro8,3
Part Number: MD311xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (17-inch, Late 2011)

MacBook Pro (15-inch, Late 2011)
Model Identifier: MacBookPro8,2
Part Numbers: MD322xx/A, MD318xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (15-inch, Late 2011)
User Guide: MacBook Pro (15-inch, Late 2011)


MacBook Pro (13-inch, Late 2011)
Model Identifier: MacBookPro8,1
Part Numbers: MD314xx/A, MD313xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (13-inch, Late 2011)
User Guide: MacBook Pro (13-inch, Late 2011)

MacBook Pro (17-inch, Early 2011)
Model Identifier: MacBookPro8,3
Part Number: MC725xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (17-inch, Early 2011)


MacBook Pro (15-inch, Early 2011)
Model Identifier: MacBookPro8,2
Part Numbers: MC723xx/A, MC721xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (15-inch, Early 2011)
User Guide: MacBook Pro (15-inch, Early 2011) Dragonplay slots free coins.

MacBook Pro (13-inch, Early 2011)
Model Identifier: MacBookPro8,1
Part Numbers: MC724xx/A, MC700xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (13-inch, Early 2011)
User Guide: MacBook Pro (13-inch, Early 2011)

2010

MacBook Pro (17-inch, Mid 2010)
Model Identifier: MacBookPro6,1
Part Number: MC024xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (17-inch, Mid 2010)

MacBook Pro (15-inch, Mid 2010)
Model Identifier: MacBookPro6,2
Part Numbers: MC373xx/A, MC372xx/A, MC371xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (15-inch, Mid 2010)

MacBook Pro (13-inch, Mid 2010)
Model Identifier: MacBookPro7,1
Part Numbers: MC375xx/A, MC374xx/A
Newest compatible operating system: macOS High Sierra 10.13.6
Tech Specs: MacBook Pro (13-inch, Mid 2010)

2009

MacBook Pro (17-inch, Mid 2009)
Model Identifier: MacBookPro5,2
Part Number: MC226xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (17-inch, Mid 2009)
User Guide: MacBook Pro (17-inch, Mid 2009)

MacBook Pro (15-inch, Mid 2009)
Model Identifier: MacBookPro5,3
Part Numbers: MB985xx/A, MB986xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (15-inch, Mid 2009)
User Guide: MacBook Pro (15-inch, Mid 2009)

MacBook Pro (15-inch, 2.53 GHz, Mid 2009)
Model Identifier: MacBookPro5,3
Part Number: MC118xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (15-inch, 2.53 GHz, Mid 2009)
User Guide: MacBook Pro (15-inch, 2.53 GHz, Mid 2009)


MacBook Pro (13-inch, Mid 2009)
Model Identifier: MacBookPro5,5
Part Numbers: MB991xx/A, MB990xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (13-inch, Mid 2009)
User Guide: MacBook Pro (13-inch, Mid 2009)

MacBook Pro (17-inch, Early 2009)
Model Identifier: MacBookPro5,2
Part Number: MB604xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (17-inch, Early 2009)
User Guide: MacBook Pro (17-inch, Early 2009)

2008

MacBook Pro (15-inch, Late 2008)
Model Identifier: MacBookPro5,1
Part Number: MB470xx/A, MB471xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (15-inch, Late 2008)
User Guide: MacBook Pro (15-inch, Late 2008)

MacBook Pro (17-inch, Early 2008)
Model Identifier: MacBookPro4,1
Part Number: MB166xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (17-inch, Early 2008)
User Guide: MacBook Pro (17-inch, Early 2008)

MacBook Pro (15-inch, Early 2008)
Model Identifier: MacBookPro4,1
Part Number: MB133xx/A, MB134xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: MacBook Pro (15-inch, Early 2008)
User Guide: MacBook Pro (15-inch, Early 2008)

Learn more

The Zeek FAQ, covering common questions about Zeek and the Zeek Project.

What is Zeek?
Zeek provides a comprehensive platform for network traffic analysis, with a particular focus on semantic security monitoring at scale. While often compared to classic intrusion detection/prevention systems, Zeek takes a quite different approach by providing users with a flexible framework that facilitates customized, in-depth monitoring far beyond the capabilities of traditional systems. With initial versions already in operational deployment during the mid ‘90s, Zeek finds itself grounded in more than 20 years of research. For more information, see the Zeek Overview and our promotional document, Why Choose Zeek?.
Who's using Zeek?
Zeek supports network operations at a broad variety of sites, including major corporations, universities, research labs, and supercomputing centers. It’s also used widely by researchers to prototype novel network analyses and, more generally, for measuring network properties
Who's behind Zeek?
Zeek is developed and maintained by a group of researchers and engineers sharing a joint interest in advancing today’s network monitoring capabilities to keep pace with the rapid development of the online world. The Zeek Project is head-quartered at the International Computer Science Institute (ICSI), Berkeley, CA; with a second group of core team members located at the National Center for Supercomputing Applications (NCSA), Urbana-Champaign, IL.
What is the relationship between Zeek and Bro?
In 2018, the long-establishedBrosystem was renamed Zeek. For the rationale behind changing the name and the selection of Zeek as the new name, see the associatedblog postingorthe unveiling video.Note that the name “Bro” still appears extensively within the system and its internals. The project is undertaking an ongoing process of shifting over to the use of “Zeek”.
What is the International Computer Science Institute?
Mac bros roofing
TheInternational Computer Science Institute(ICSI) is a leading center for research in computer science and one of the few independent, nonprofit such research institutes in the United States. Since its inauguration in 1988,ICSIhas maintained an affiliation with the University of California at Berkeley. Several ofICSI’s scientists hold joint faculty appointments atUCBerkeley, teaching graduate and undergraduate courses and supervising students who pursue their doctoral thesis research atICSI.For many years now,ICSIhas been the home of the Zeek Project, providing it with a public face, handling logistics and administrative, and operating the Zeek infrastructure such as web server, master version control systems, and more.
What is the National Center for Supercomputing Applications?
TheNational Center for Supercomputing Applications(NCSA), located at the University of Illinois at Urbana-Champaign, provides powerful computers and expert support that help thousands of scientists and engineers across the country improve our world.For over 10 years,NCSAhas used Zeek as a key piece of their security infrastructure, and since 2010 they have been actively involved in the Zeek project. Now a significant part of Zeek’s development is done at theNCSAwith support primarily from the National Science Foundation. For more information, seeNCSACyberSecurity .
Who’s funding Zeek?
Historically the Zeek Project has been funded mostly by R&D grants from outside entities. Current and past funding organizations include in particular the National Science Foundation and the Department of Energy. Individual members of the Zeek Project typically spend some of their time on such Zeek-related grants, while also working on other projects funded independently.
Can I support the Zeek Project with a donation?
Yes, we gladly accept unrestricted donations to support Zeek development, maintenance, and operations at ICSI. Send any questions your have to info@zeek.org.
Can I contribute functionality to Zeek?
Absolutely. As any open-source project, Zeek depends crucially on its community for moving forward. We gladly accept patches, small and large, from individuals and organizations. We consider any contributions we receive for inclusion into the mainline distribution. If you’re thinking to work on something specific, we recommend you get in touch with us first to discuss further; we’ll aim to help where we can and smooth the path for later merging into Zeek proper. That way we can also tell you early on if we believe an extension wouldn’t be a good fit for the main Zeek distribution.On the legal side, please keep in mind that all code contributed to Zeek must be subject to the sameBSDlicense as the system itself; we will implicitly assume so if not stated otherwise. Please note that Zeek cannot evenlinkto libraries with incompatible licenses (such asGPL).Please continueherefor further information.
How do I report a security vulnerability within Zeek?
We are eager to work with the community to resolve security vulnerabilities within Zeek in a timely manner and to properly acknowledge the contributor(s). Review our reporting process here.
Is there a roadmap for Zeek’s development?
We usually have a rough idea of things we’d like to see going into Zeek but we do not have much of a long-time roadmap cast in stone. Specifics depend to a large degree on the interests of the people working on the code base, including members of the core project as well as external contributors. Our releases do not follow a strict timeline either, we rather follow a pragmatic “release-when-ready” strategy. This model has served us well over the years, however it means that if there is something specific you’d like to see done, your best option might be contributing it yourself … That all said, we usually list some features we target for upcoming Zeek releases in our short-term roadmap in the development section.
Does the Zeek Project offer commercial support?
The Zeek Project does not offer individual assistance.
Can I contract the Zeek Project for specific work?
We are not performing contract work but we’re happy to provide pointers to commercial options where we are aware of them. If you are offering commercial Zeek work, let us know and we’ll keep you in mind when somebody asks.
How do I contact the Zeek Project?
What’s Zeek’s license?
Zeek is open-source. The system, including all its subcomponents, comes with the very permissive BSD license, which allows for pretty much unrestricted use as long as you leave the attributions in the source code in place. Read the license for the details.
What’s the license for Zeek’s documentation?
All the documentation, and all our content on www.zeek.org that’s not otherwise marked, is licensed under the Creative Commons Attribution 4.0 International License. Occasionally we reuse content from external sources (e.g., trace files) that may be subject to different licenses even if not explicitly pointed out.
Can I use Zeek in my commercial products?
Yes, no problem. Indeed, we encourage you to do so. With itsBSDlicense, there’s no restriction on integrating or bundling Zeek with your product in whatever way you see fit; in particular you donotneed to publish your modifications if you’d rather not. That said, we would certainly appreciate if you credited the Zeek Project, or could at least tell us where it’s being used. If you develop custom functionality that might be useful to others, please consider contributing it back to the Zeek Project.Please note that therearerestrictions on how you can refer to your modified Zeek version; see next question.
What are the rules for using the Zeek or Bro name or logo?
In order to protect users’ trust in the system, the Zeek Project reserves the rights to the Zeek name and logo, and similarly for the older Bro name and logo. While generally we are happy to give people permission to use them under many circumstances, we maintain the right to decide on a case-by-case basis. For more information, please see our guidelines for using the Zeek and Bro marks.
Why does v2.4 fail to build on Mac OS X 10.11?
If you have problems building Zeek onOSX 10.11, then you need to install OpenSSL from your preferredOSX package manager (Homebrew, MacPorts, etc.). If Zeek still doesn’t build, then you may need to specify the path to your installation of openssl (e.g. if you’re using Homebrew), try:
Network cards and taps, packet capture questions
Here are some pointers to more information:
  • A lot of this topic is covered withinload balancing.
  • TheNSMWikihas a page onCollecting Datafor different OSes.
Two older papers on packet capture with commodity hardware of the time. The hardware may be outdated. The methods may still be helpful.
  • AnIMC2010 paperby Lothar Braun et al. evaluates packet capture performance on commodity hardware
  • Fabian Schneider’s research onPacket Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware
How can I reduce the amount of CaptureLoss or Dropped_Packets notices?
There are two kinds of loss reported by Zeek:
  • Dropped packets reported by the capture library, example:
  • Capture loss reported by theTCPanalyzer, example:
Dropped packets will cause both locations to report loss, but capture loss can be caused by an issue upstream from Zeek and can be reported without any dropped packets.The first step in troubleshooting loss is to determine if you are having an upstream problem or a local problem. Look at the values reported for Dropped_Packets as well as CaptureLoss. Your system will have one of two conditions:
  • Capture loss with dropped packets
  • Capture loss without dropped packets
Capture loss with dropped packets
If you are seeing Dropped_Packets alerts then Zeek is not keeping up with the data rate. There are many potential solutions to this problem:
  • Run multiple workers on a single server usingload balancing
  • If you are running multiple workers, make sureCPUaffinity is properly configured
  • Temporarily disable any locally written scripts that might be causing performance problems
Capture loss without dropped packets
If you are seeing CaptureLoss notices without corresponding Dropped_Packets notices there are two common causes:
  • An upstream device is dropping packets
  • The Ethernet interface on the Zeek worker is improperly configured
It is common for an upstream device to drop packets when usingSPANports instead of dedicated passive taps.If the Ethernet interface on a Zeek worker is not properly configured Zeek may be unable to capture an entireIPpacket. Some NICs offload the reassembly of traffic into “superpackets” so that fewer packets are passed up the stack (e.g. “TCPsegmentation offload”, or “generic segmentation offload”). This causes the capturing application to observe packets much larger than theMTUof the interface from which they were captured, and may interfere with the maximum packet capture length, orsnaplen. Therefore it’s a good idea to disable an interface’s offloading features.You can use theethtoolprogram on Linux to view and disable offloading features of an interface. See this page for more explicit directions:http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
How can I configure load balancing?
Although load balancing is a complex subject, we provide a few configuration suggestions here.
What does an error message like internal error: NB-DNS error mean?
That often means that DNS is not set up correctly on the system running Zeek. Try verifying from the command line that DNS lookups work, e.g., host http://www.google.com.
What is the recommended way to install Zeek on OpenBSD?
The recommended way to install Zeek on OpenBSD 6.1 (or newer) is to simply install the “bro” package:In addition to installing Zeek, this will also automatically install all packages required by Zeek. After installing Zeek, the configuration files will be in the /etc/bro directory.
How can I build Zeek from source on OpenBSD?
In order to build Zeek from source on OpenBSD 6.2 (or newer), first install the required packages:If the pkg_add command prompts you to choose a python version, then the recommended version is 2.7.Geolocation ofIPaddresses can optionally be added to Zeek by installing these packages:Before attempting to build Zeek, make sure to set the following environment variable:
How do I update my Zeek installation from git master?
Assuming that you’ve already retrieved the Zeek source code with a recursive git clone, then in the repository directory type:Then, you’ll need to rebuild Zeek. Before doing “make install” you need to first stop all running Zeek instances (if using BroControl, this is accomplished with a “broctl stop”).
How do BroControl options affect Zeek script variables?
Some (but not all) BroControl options override a corresponding Zeek script variable. For example, setting the BroControl option “LogRotationInterval” will override the value of the Zeek script variable “Log::default_rotation_interval”. See the BroControl documentation to find out which BroControl options override Zeek script variables, and for more discussion on site-specific customization.
How can I set a custom capture filter?
There are two valid solutions to this. You can either statically override the filter via the broargs option in broctl, or add to the capture_filters and restrict_filters variables in a local script.If you’re using BroControl, then you can add something like this to your broctl.cfg:Alternatively, you can add something like this to one of your local Zeek scripts:If you build up what you want to capture this way it gives Zeek the chance to automatically build yourBPFfilters for you, including checking each component of your filter for mistakes which it will then detect at startup and tell you which component of your filter failed. If you use the above lines to indicate the traffic you’d like to allow into Zeek, you can also set restriction filters to limit something a bit. For instance, in that 1.0.0.0/24 subnet you might want to ignore a single host. You could implement that by adding the following lines:The filter that would ultimately be constructed by those lines is:One thing to be careful with this though is that generally when you take the stance that you are doing filtering you have to be really careful to understand your traffic. If you have any traffic withMPLSorVLANtags, the filters given here won’t allow that traffic through. If you’re interested in doingARPanalysis you won’t see those packets either. Same goes for IPv6.Filtering is an area where we’ve tried to make things simple by running a fully open filter, but there are a lot of dragons when you stray from that path.

The Bro Mac Os X

How do I customize the output format of ASCII logs?
Formatting the output of ASCII logs is covered in Zeek’s documentation on the ASCIIlog writer.
Do you have any packet traces I can use with Zeek?
We collect a set of publicly available packet traces on our Traces page.
How can I identify backscatter?
Identifying backscatter via connections labeled as OTH is not a reliable means to detect backscatter. Backscatter is however visible by interpreting the contents of the history field in the conn.log file. The basic idea is to watch for connections that never had an initial SYN but started instead with a SYN-ACK or RST (though this latter generally is just discarded). Here are some history fields which provide backscatter examples: hAFf, r. Refer to the conn protocol analysis scripts to interpret the individual character meanings in the history field.
Is there help for understanding Zeek’s resource consumption?
There are two scripts that collect statistics on resource usage: misc/stats.bro and misc/profiling.bro. The former is quite lightweight, while the latter should only be used for debugging.
How can I capture packets as an unprivileged user?
Normally, unprivileged users cannot capture packets from a network interface, which means they would not be able to use Zeek to read/analyze live traffic. However, there are operating system specific ways to enable packet capture permission for non-root users, which is worth doing in the context of using Zeek to monitor live traffic.
With Linux Capabilities
Fully implemented since Linux kernel 2.6.24, capabilities are a way of parceling superuser privileges into distinct units. Attach capabilities required to capture packets to thebroexecutable file like this:Now any unprivileged user should have the capability to capture packets using Zeek provided that they have the traditional file permissions to read/execute thebrobinary.
With BPF Devices
Systems using Berkeley Packet Filter (BPF) (e.g. FreeBSD&MacOSX) can allow users with read access to aBPFdevice to capture packets from it using libpcap.
  • Example of manually changingBPFdevice permissions to allow users in theadmingroup to capture packets:
  • Example of configuring devfs to set permissions ofBPFdevices, adding entries to/etc/devfs.confto grantadmingroup permission to capture packets:

Note

As of MacOSX 10.6, theBPFdevice is on devfs, but the used version of devfs isn’t capable of setting the device permissions. The permissions can be changed manually, but they will not survive a reboot.

Why isn’t Zeek producing the logs I expect? (a note about checksums)
Normally, Zeek’s event engine will discard packets which don’t have valid checksums. This can be a problem if one wants to analyze locally generated/captured traffic on a system that offloads checksumming to the network adapter. In that case, all transmitted/captured packets will have bad checksums because they haven’t yet been calculated by theNIC

Mac Bros Roofing

, thus such packets will not undergo analysis defined in Zeek policy scripts as they normally would. Bad checksums in traces may also be a result of some packet alteration tools.There are three options to workaround such situations and ignore bad checksums:

  1. The-Ccommand line option tobro.

  2. An option calledignore_checksumsthat can be redefined at the policy script layer (e.g. in your$PREFIX/share/bro/site/local.bro):

  3. An alternative is to disable checksum offloading for your network adapter, but this is not always possible or desirable. Disable checksum offloading on theNICusing ethtool--offload<int> rx off tx offso the correct checksums are generated to begin with. Replacing<int>with the name of your interface.

What do Zeek’s Notices mean?
The Bro Notice Index lists Zeek Notices and links to further documentation on what the notices mean.
What other software packages use Zeek?
There are a number of software packages that include or work with Zeek. See our list of related software for more information. For support, contact the corresponding developer.
Can I write an analyzer for that?
The short answer is “it depends”.In general, if Zeekseesa packet you can write an analyzer for it. Yes, Zeek is that flexible.The longer answer: It really depends. On what you want to analyze, on the skill level, your knowldge of the network stack, the protocol, Zeek, C++, Zeek scripting, and more.
  • Every protocol above the transport layer is relatively easy to analyze. Zeek offers a tool that supports writing analyzers, calledBinPac. There is aBinPac tutorialto help you create an analyzer.
  • BinPac cannot be used for protocol analyzers on the layers below application layer. Especially for layer two this task is difficult. A starting point could be ourARPanalyzer.