traceroute.log
Traceroute is a network diagnostic method by which a system can try to determine the intermediate routing devices between it and a remote system. Implementations exist for all operating systems. The method generally relies on sending Internet Control Message Protocol (ICMP) messages or User Datagram Protocol (UDP) datagrams with incrementing Internet Protocol (IP) time to live (TTL) values. Some custom implementations use TCP, as it is the IP TTL value which is the key to the method. For more on how traceroute works, please consult a networking book.
Zeek ships with a script that tries to identify traceroute activity. The script tracks ICMP time exceeded messages indicating low TTL values.
For full details on each field in the traceroute.log
file, please refer
to Traceroute::Info
.
traceroute.log
The traceroute.log
only contains four fields. Here is an example
excerpt:
{"ts":"2020-12-07T05:14:54.202099Z","src":"192.168.4.48","dst":"213.133.109.134","proto":"udp"}
{"ts":"2020-12-07T05:14:54.367071Z","src":"192.168.4.48","dst":"131.72.76.118","proto":"icmp"}
{"ts":"2020-12-07T05:25:13.222095Z","src":"192.168.4.48","dst":"216.113.20.1","proto":"udp"}
{"ts":"2020-12-07T05:30:58.502092Z","src":"192.168.4.48","dst":"193.0.14.129","proto":"udp"}
Beyond the timestamp, source IP address, and destination IP address, the only
remaining field is the protocol, proto
. This field indicates the protocol
that was used by the traceroute program. In the second entry,
traceroute used ICMP. In the other three cases,
traceroute used UDP.
Conclusion
The traceroute.log
may not be enabled by default on your Zeek
installation. It is useful if you want to identify systems using the method to
try to enumerate routing devices between the initiator and the target.