policy/misc/unknown-protocols.zeek

UnknownProtocol

This script logs information about packet protocols that Zeek doesn’t know how to process. Mostly these come from packet analysis plugins when they attempt to forward to the next analyzer, but they also can originate from non-packet analyzers.

Namespace:

UnknownProtocol

Imports:

base/frameworks/notice

Summary

Types

UnknownProtocol::Info: record

Redefinitions

Log::ID: enum

Hooks

UnknownProtocol::log_policy: Log::PolicyHook

Detailed Interface

Types

UnknownProtocol::Info
Type:

record

ts: time &log

Timestamp for when the measurement occurred.

analyzer: string &log

The string name of the analyzer attempting to forward the protocol.

protocol_id: string &log

The identifier of the protocol being forwarded in hex notation.

protocol_id_num: count

The identifier of the protocol being forwarded as count. Note: The count value is not logged by default. It is provided for easy access in log policy hooks.

first_bytes: string &log

A certain number of bytes at the start of the unknown protocol’s header.

analyzer_history: vector of string &log

The chain of packet analyzers that processed the packet up to this point. This includes the history of encapsulating packets in case of tunneling.

Hooks

UnknownProtocol::log_policy
Type:

Log::PolicyHook