Packet Analyzers

PacketAnalyzer::Tag
Type:

enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_AYIYA
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GENEVE
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_GTPV1
PacketAnalyzer::ANALYZER_ICMP
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_LINUXSLL2
PacketAnalyzer::ANALYZER_LLC
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NOVELL_802_3
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PBB
PacketAnalyzer::ANALYZER_PPP
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_SNAP
PacketAnalyzer::ANALYZER_TCP
PacketAnalyzer::ANALYZER_TEREDO
PacketAnalyzer::ANALYZER_UDP
PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT
PacketAnalyzer::ANALYZER_VLAN
PacketAnalyzer::ANALYZER_VNTAG
PacketAnalyzer::ANALYZER_VXLAN

Zeek::ARP

ARP packet analyzer

Components

PacketAnalyzer::ANALYZER_ARP

Events

arp_request
Type:

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Parameters:

  • mac_src – The request’s source MAC address.

  • mac_dst – The request’s destination MAC address.

  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type:

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Parameters:

  • mac_src – The reply’s source MAC address.

  • mac_dst – The reply’s destination MAC address.

  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type:

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

Parameters:

  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

  • explanation – A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::AYIYA

AYIYA packet analyzer

Components

PacketAnalyzer::ANALYZER_AYIYA

Zeek::Ethernet

Ethernet packet analyzer

Components

PacketAnalyzer::ANALYZER_ETHERNET

Zeek::FDDI

FDDI packet analyzer

Components

PacketAnalyzer::ANALYZER_FDDI

Zeek::Geneve

Geneve packet analyzer

Components

PacketAnalyzer::ANALYZER_GENEVE

Events

geneve_packet
Type:

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.

Parameters:

  • outer – The Geneve tunnel connection.

  • inner – The Geneve-encapsulated Ethernet packet header and transport header.

  • vni – Geneve Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::GRE

GRE packet analyzer

Components

PacketAnalyzer::ANALYZER_GRE

Zeek::GTPv1

GTPv1 analyzer

Components

PacketAnalyzer::ANALYZER_GTPV1

Events

new_gtpv1_state
Type:

event (c: connection)

Generated when a new GTP analyzer is instantiated for a connection.

This event exists to install a connection removal hook to clear internal per-connection GTPv1 state.

Parameters:

c – The connection for which the analyzer is instantiated.

gtpv1_message
Type:

event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

gtpv1_g_pdu_packet
Type:

event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

Parameters:

  • outer – The GTP outer tunnel connection.

  • inner_gtp – The GTP header.

  • inner_ip – The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_create_pdp_ctx_request
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

gtpv1_create_pdp_ctx_response
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_request
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_response
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_request
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_response
Type:

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

Parameters:

  • c – The connection over which the message is sent.

  • hdr – The GTPv1 header.

  • elements – The set of Information Elements comprising the message.

Functions

PacketAnalyzer::GTPV1::remove_gtpv1_connection
Type:

function (cid: conn_id) : bool

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11_RADIO

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Components

PacketAnalyzer::ANALYZER_IP

Zeek::IPTunnel

IPTunnel packet analyzer

Components

PacketAnalyzer::ANALYZER_IPTUNNEL

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Components

PacketAnalyzer::ANALYZER_LINUXSLL

Zeek::LinuxSLL2

Linux cooked capture version 2 (SLL2) packet analyzer

Components

PacketAnalyzer::ANALYZER_LINUXSLL2

Zeek::LLC

LLC packet analyzer

Components

PacketAnalyzer::ANALYZER_LLC

Zeek::MPLS

MPLS packet analyzer

Components

PacketAnalyzer::ANALYZER_MPLS

Zeek::NFLog

NFLog packet analyzer

Components

PacketAnalyzer::ANALYZER_NFLOG

Zeek::NOVELL_802_3

Novell 802.3 variantx packet analyzer

Components

PacketAnalyzer::ANALYZER_NOVELL_802_3

Zeek::Null

Null packet analyzer

Components

PacketAnalyzer::ANALYZER_NULL

Zeek::PBB

PBB packet analyzer

Components

PacketAnalyzer::ANALYZER_PBB

Zeek::PPP

PPP packet analyzer

Components

PacketAnalyzer::ANALYZER_PPP

Zeek::PPPoE

PPPoE packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPOE

Zeek::PPPSerial

PPPSerial packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPSERIAL

Zeek::Root

Root packet analyzer

Components

PacketAnalyzer::ANALYZER_ROOT

Zeek::Skip

Skip packet analyzer

Components

PacketAnalyzer::ANALYZER_SKIP

Zeek::SNAP

SNAP packet analyzer

Components

PacketAnalyzer::ANALYZER_SNAP

Zeek::Teredo

Teredo packet analyzer

Components

PacketAnalyzer::ANALYZER_TEREDO

Events

teredo_packet
Type:

event (outer: connection, inner: teredo_hdr)

Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.

Parameters:

  • outer – The Teredo tunnel connection.

  • inner – The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_authentication, teredo_origin_indication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

new_teredo_state
Type:

event (c: connection)

Generated when per connection Teredo state is created.

This is primarily useful to install a connection removal hook to clear internal per-connection Teredo state.

Parameters:

c – The Teredo tunnel connection.

teredo_authentication
Type:

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Parameters:

  • outer – The Teredo tunnel connection.

  • inner – The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_origin_indication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_origin_indication
Type:

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Parameters:

  • outer – The Teredo tunnel connection.

  • inner – The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_authentication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_bubble
Type:

event (outer: connection, inner: teredo_hdr)

Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.

Parameters:

  • outer – The Teredo tunnel connection.

  • inner – The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_authentication, teredo_origin_indication

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Functions

PacketAnalyzer::TEREDO::remove_teredo_connection
Type:

function (cid: conn_id) : bool

Zeek::VLAN

VLAN packet analyzer

Components

PacketAnalyzer::ANALYZER_VLAN

Zeek::VNTag

VNTag packet analyzer

Components

PacketAnalyzer::ANALYZER_VNTAG

Zeek::VXLAN

VXLAN packet analyzer

Components

PacketAnalyzer::ANALYZER_VXLAN

Events

vxlan_packet
Type:

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.

Parameters:

  • outer – The VXLAN tunnel connection.

  • inner – The VXLAN-encapsulated Ethernet packet header and transport header.

  • vni – VXLAN Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.