contents.zeek¶

Conn¶

This script can be used to extract either the originator’s data or the responders data or both. By default nothing is extracted, and in order to actually extract data the c$extract_orig and/or the c$extract_resp variable must be set to T. One way to achieve this would be to handle the connection_established event elsewhere and set the extract_orig and extract_resp options there. However, there may be trouble with the timing due to event queue delay.

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.

Namespace:	Conn
Imports:	base/utils/files.zeek

Summary¶

Runtime Options¶

`Conn::default_extract`: `bool` `&redef`	If this variable is set to `T`, then all contents of all connections will be extracted.
`Conn::extraction_prefix`: `string` `&redef`	The prefix given to files containing extracted connections as they are opened on disk.

Redefinitions¶

connection: record

Detailed Interface¶

Runtime Options¶

Conn::default_extract¶

Type:	`bool`
Attributes:	`&redef`
Default:	`F`

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix¶

Type:	`string`
Attributes:	`&redef`
Default:	`"contents"`

The prefix given to files containing extracted connections as they are opened on disk.