contents.zeek¶

Conn¶

This script can be used to extract either the originator’s data or the responders data or both. By default nothing is extracted, and in order to actually extract data the c$extract_orig and/or the c$extract_resp variable must be set to T. One way to achieve this would be to handle the connection_established event elsewhere and set the extract_orig and extract_resp options there. However, there may be trouble with the timing due to event queue delay.

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.

Namespace: Conn
Imports: base/utils/files.zeek

Summary¶

Runtime Options¶

`Conn::default_extract`: `bool` `&redef`	If this variable is set to `T`, then all contents of all connections will be extracted.
`Conn::extraction_prefix`: `string` `&redef`	The prefix given to files containing extracted connections as they are opened on disk.

Redefinitions¶

connection: record

New Fields

connection

extract_orig: bool &default = Conn::default_extract &optional

extract_resp: bool &default = Conn::default_extract &optional

Detailed Interface¶

Runtime Options¶

Conn::default_extract¶

Type: bool
Attributes: &redef
Default: F

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix¶

Type: string
Attributes: &redef
Default: "contents"

The prefix given to files containing extracted connections as they are opened on disk.