policy/misc/unknown-protocols.zeek
- UnknownProtocol
This script logs information about packet protocols that Zeek doesn’t know how to process. Mostly these come from packet analysis plugins when they attempt to forward to the next analyzer, but they also can originate from non-packet analyzers.
- Namespace:
UnknownProtocol
- Imports:
Summary
Types
Redefinitions
Hooks
Detailed Interface
Types
- UnknownProtocol::Info
- Type:
-
- ts:
time
&log
Timestamp for when the measurement occurred.
- analyzer:
string
&log
The string name of the analyzer attempting to forward the protocol.
- protocol_id:
string
&log
The identifier of the protocol being forwarded in hex notation.
- protocol_id_num:
count
The identifier of the protocol being forwarded as count. Note: The count value is not logged by default. It is provided for easy access in log policy hooks.
- first_bytes:
string
&log
A certain number of bytes at the start of the unknown protocol’s header.
- analyzer_history:
vector
ofstring
&log
The chain of packet analyzers that processed the packet up to this point. This includes the history of encapsulating packets in case of tunneling.
- ts: