base/bif/plugins/Zeek_ICMP.events.bif.zeek
Namespace: GLOBAL
Summary
Events
icmp_echo_reply – Generated for ICMP echo reply messages.
icmp_echo_request – Generated for ICMP echo request messages.
icmp_error_message – Generated for all ICMPv6 error messages that are not handled separately with dedicated events.
icmp_neighbor_advertisement – Generated for ICMP neighbor advertisement messages.
icmp_neighbor_solicitation – Generated for ICMP neighbor solicitation messages.
icmp_packet_too_big – Generated for ICMPv6 packet too big messages.
icmp_parameter_problem – Generated for ICMPv6 parameter problem messages.
icmp_redirect – Generated for ICMP redirect messages.
icmp_router_advertisement – Generated for ICMP router advertisement messages.
icmp_router_solicitation – Generated for ICMP router solicitation messages.
icmp_sent – Generated for all ICMP messages that are not handled separately with dedicated ICMP events.
icmp_sent_payload – The same as icmp_sent except containing the ICMP payload.
icmp_time_exceeded – Generated for ICMP time exceeded messages.
icmp_unreachable – Generated for ICMP destination unreachable messages.
Detailed Interface
Events
- icmp_echo_reply
-
Generated for ICMP echo reply messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
id – The echo reply identifier.
seq – The echo reply sequence number.
payload – The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.
See also: icmp_echo_request
- icmp_echo_request
-
Generated for ICMP echo request messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
id – The echo request identifier.
seq – The echo request sequence number.
payload – The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.
See also: icmp_echo_reply
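The two echo events can be paired on `id` and `seq` to check that a reply returns the data its request carried, and to flag oversized echo payloads. This is an added example, not code from the Zeek project; the handler parameter types (`count`, `string`), the module name, the notice names, the 128-byte threshold and the 30-second expiry are assumptions that do not appear on this page.

```zeek
@load base/frameworks/notice

module ICMPEchoCheck;

export {
	redef enum Notice::Type += {
		## An echo reply carried different data than its request.
		Echo_Payload_Mismatch,
		## An echo request carried an unusually large payload.
		Large_Echo_Payload
	};

	## Assumed threshold in bytes; tune to the ping tools used on the network.
	const max_payload_len = 128 &redef;
}

# Payloads of outstanding requests, keyed by requester, responder, id and seq.
global pending: table[addr, addr, count, count] of string &create_expire=30sec;

event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
	{
	pending[c$id$orig_h, c$id$resp_h, id, seq] = payload;

	if ( |payload| > max_payload_len )
		NOTICE([$note=Large_Echo_Payload, $conn=c,
		        $msg=fmt("%d-byte echo request payload from %s", |payload|, c$id$orig_h),
		        $identifier=cat(c$id$orig_h, c$id$resp_h), $suppress_for=5min]);
	}

event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
	{
	# Assumes Zeek attached the reply to the request's flow, so orig_h is the requester.
	if ( [c$id$orig_h, c$id$resp_h, id, seq] !in pending )
		return;  # Request not seen (or already expired): nothing to compare.

	local sent = pending[c$id$orig_h, c$id$resp_h, id, seq];
	delete pending[c$id$orig_h, c$id$resp_h, id, seq];

	# RFC 792: the data received in the echo message must be returned in the reply.
	if ( sent != payload )
		NOTICE([$note=Echo_Payload_Mismatch, $conn=c,
		        $msg=fmt("echo reply id=%d seq=%d from %s: %d bytes differ from %d-byte request",
		                 id, seq, c$id$resp_h, |payload|, |sent|),
		        $identifier=cat(c$id$orig_h, c$id$resp_h), $suppress_for=5min]);
	}
```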
- icmp_error_message
- Type
event (c: connection, info: icmp_info, code: count, context: icmp_context)
Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Zeek’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMPv6 protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
code – The ICMP code of the error message.
context – A record with specifics of the original packet that the message refers to.
See also: icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem
- icmp_neighbor_advertisement
- Type
event (c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
Generated for ICMP neighbor advertisement messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
router – Flag indicating the sender is a router.
solicited – Flag indicating advertisement is in response to a solicitation.
override – Flag indicating advertisement should override existing caches.
tgt – The Target Address in the soliciting message, or the address whose link-layer address has changed for unsolicited advertisements.
options – Any Neighbor Discovery options included with message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect
- icmp_neighbor_solicitation
- Type
event (c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
Generated for ICMP neighbor solicitation messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
tgt – The IP address of the target of the solicitation.
options – Any Neighbor Discovery options included with message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect
- icmp_packet_too_big
- Type
event (c: connection, info: icmp_info, code: count, context: icmp_context)
Generated for ICMPv6 packet too big messages.
See Wikipedia for more information about the ICMPv6 protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
code – The ICMP code of the too big message.
context – A record with specifics of the original packet that the message refers to. Too big messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the too big message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem
- icmp_parameter_problem
- Type
event (c: connection, info: icmp_info, code: count, context: icmp_context)
Generated for ICMPv6 parameter problem messages.
See Wikipedia for more information about the ICMPv6 protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
code – The ICMP code of the parameter problem message.
context – A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the parameter problem message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded
- icmp_redirect
- Type
event (c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
Generated for ICMP redirect messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
tgt – The address that is supposed to be a better first hop to use for ICMP Destination Address.
dest – The address of the destination which is redirected to the target.
options – Any Neighbor Discovery options included with message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement
- icmp_router_advertisement
- Type
event (c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
Generated for ICMP router advertisement messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
cur_hop_limit – The default value that should be placed in Hop Count field for outgoing IP packets.
managed – Managed address configuration flag, RFC 4861.
other – Other stateful configuration flag, RFC 4861.
home_agent – Mobile IPv6 home agent flag, RFC 3775.
pref – Router selection preferences, RFC 4191.
proxy – Neighbor discovery proxy flag, RFC 4389.
rsv – Remaining two reserved bits of router advertisement flags.
router_lifetime – How long this router should be used as a default router.
reachable_time – How long a neighbor should be considered reachable.
retrans_timer – How long a host should wait before retransmitting.
options – Any Neighbor Discovery options included with message (RFC 4861).
See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
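A handler for `icmp_router_advertisement` can raise a notice when an advertisement comes from a source that is not on a list of known routers, which is how rogue or misconfigured routers on a segment are usually spotted. This is an added example, not code from the Zeek project; the module name, notice name and the `known_routers` set with its sample address are assumptions.

```zeek
@load base/frameworks/notice

module RACheck;

export {
	redef enum Notice::Type += {
		## A router advertisement came from a source not in known_routers.
		Unlisted_Router_Advertisement
	};

	## Constructed sample value: link-local addresses of the legitimate routers.
	const known_routers: set[addr] = { [fe80::1] } &redef;
}

event icmp_router_advertisement(c: connection, info: icmp_info,
		cur_hop_limit: count, managed: bool, other: bool,
		home_agent: bool, pref: count, proxy: bool, rsv: count,
		router_lifetime: interval, reachable_time: interval,
		retrans_timer: interval, options: icmp6_nd_options)
	{
	# Assumes the advertisement opened the flow, so the sender is the originator.
	local sender = c$id$orig_h;

	if ( sender in known_routers )
		return;

	# Report the fields that decide how hosts would use this router:
	# its lifetime as a default router, its preference, and the
	# address-configuration flags.
	NOTICE([$note=Unlisted_Router_Advertisement, $conn=c,
	        $msg=fmt("router advertisement from unlisted source %s: lifetime=%s pref=%d managed=%s other=%s",
	                 sender, router_lifetime, pref, managed, other),
	        $identifier=cat(sender), $suppress_for=10min]);
	}
```

Sites can extend the list from their own configuration with `redef RACheck::known_routers += { ... };`.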
- icmp_router_solicitation
- Type
event (c: connection, info: icmp_info, options: icmp6_nd_options)
Generated for ICMP router solicitation messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
options – Any Neighbor Discovery options included with message (RFC 4861).
See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
- icmp_sent
- Type
event (c: connection, info: icmp_info)
Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Zeek’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
See also: icmp_error_message, icmp_sent_payload
- icmp_sent_payload
- Type
event (c: connection, info: icmp_info, payload: string)
The same as icmp_sent except containing the ICMP payload.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
payload – The payload of the ICMP message.
See also: icmp_error_message, icmp_sent_payload
- icmp_time_exceeded
- Type
event (c: connection, info: icmp_info, code: count, context: icmp_context)
Generated for ICMP time exceeded messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
code – The ICMP code of the exceeded message.
context – A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem
- icmp_unreachable
- Type
event (c: connection, info: icmp_info, code: count, context: icmp_context)
Generated for ICMP destination unreachable messages.
See Wikipedia for more information about the ICMP protocol.
- Parameters
c – The connection record for the corresponding ICMP flow.
icmp – Additional ICMP-specific information augmenting the standard connection record c.
info – Additional ICMP-specific information augmenting the standard connection record c.
code – The ICMP code of the unreachable message.
context – A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the unreachable message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem