base/bif/plugins/Zeek_ICMP.events.bif.zeek

Namespace: GLOBAL

Summary

Events

icmp_echo_reply: event

Generated for ICMP echo reply messages.

icmp_echo_request: event

Generated for ICMP echo request messages.

icmp_error_message: event

Generated for all ICMPv6 error messages that are not handled separately with dedicated events.

icmp_neighbor_advertisement: event

Generated for ICMP neighbor advertisement messages.

icmp_neighbor_solicitation: event

Generated for ICMP neighbor solicitation messages.

icmp_packet_too_big: event

Generated for ICMPv6 packet too big messages.

icmp_parameter_problem: event

Generated for ICMPv6 parameter problem messages.

icmp_redirect: event

Generated for ICMP redirect messages.

icmp_router_advertisement: event

Generated for ICMP router advertisement messages.

icmp_router_solicitation: event

Generated for ICMP router solicitation messages.

icmp_sent: event

Generated for all ICMP messages that are not handled separately with dedicated ICMP events.

icmp_sent_payload: event

The same as icmp_sent, but additionally carrying the ICMP payload.

icmp_time_exceeded: event

Generated for ICMP time exceeded messages.

icmp_unreachable: event

Generated for ICMP destination unreachable messages.

Detailed Interface

Events

icmp_echo_reply
Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Generated for ICMP echo reply messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • id – The echo reply identifier.

  • seq – The echo reply sequence number.

  • payload – The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_request

icmp_echo_request
Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Generated for ICMP echo request messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • id – The echo request identifier.

  • seq – The echo request sequence number.

  • payload – The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_reply
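The icmp_echo_request and icmp_echo_reply events above expose the echo payload, which makes a simple check for unusually large ping payloads possible. The following is an added example, not code from the Zeek distribution; the 128-byte threshold and the module and notice names are assumptions chosen for illustration.

```zeek
module ICMPEchoPayload;

export {
    redef enum Notice::Type += { Oversized_Echo_Payload };
    ## Echo payloads larger than this many bytes raise a notice.
    ## Assumed threshold: a default ping carries 56 bytes of payload.
    const max_echo_payload = 128 &redef;
}

# Shared check for both directions of an echo exchange.
function check_echo(c: connection, kind: string, id: count, seq: count, payload: string)
    {
    if ( |payload| <= max_echo_payload )
        return;

    NOTICE([$note=Oversized_Echo_Payload,
            $conn=c,
            $msg=fmt("ICMP echo %s between %s and %s carries %d payload bytes (id=%d, seq=%d)",
                     kind, c$id$orig_h, c$id$resp_h, |payload|, id, seq),
            # One notice per host pair every ten minutes.
            $identifier=cat(c$id$orig_h, "/", c$id$resp_h),
            $suppress_for=10min]);
    }

event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
    {
    check_echo(c, "request", id, seq, payload);
    }

event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
    {
    check_echo(c, "reply", id, seq, payload);
    }
```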

icmp_error_message
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Zeek’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMPv6 protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • code – The ICMP code of the error message.

  • context – A record with specifics of the original packet that the message refers to.

See also: icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem

icmp_neighbor_advertisement
Type

event (c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor advertisement messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • router – Flag indicating the sender is a router.

  • solicited – Flag indicating advertisement is in response to a solicitation.

  • override – Flag indicating advertisement should override existing caches.

  • tgt – The Target Address from the soliciting message or, for unsolicited advertisements, the address whose link-layer address has changed.

  • options – Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect

icmp_neighbor_solicitation
Type

event (c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor solicitation messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • tgt – The IP address of the target of the solicitation.

  • options – Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect

icmp_packet_too_big
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMPv6 packet too big messages.

See Wikipedia for more information about the ICMPv6 protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • code – The ICMP code of the packet too big message.

  • context – A record with specifics of the original packet that the message refers to. Packet too big messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the packet too big message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem

icmp_parameter_problem
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMPv6 parameter problem messages.

See Wikipedia for more information about the ICMPv6 protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • code – The ICMP code of the parameter problem message.

  • context – A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the parameter problem message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded

icmp_redirect
Type

event (c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)

Generated for ICMP redirect messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • tgt – The address that is supposed to be a better first hop to use for the ICMP Destination Address.

  • dest – The destination address that is being redirected to the target.

  • options – Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement

icmp_router_advertisement
Type

event (c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Generated for ICMP router advertisement messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • cur_hop_limit – The default value that should be placed in the Hop Count field of outgoing IP packets.

  • managed – Managed address configuration flag, RFC 4861.

  • other – Other stateful configuration flag, RFC 4861.

  • home_agent – Mobile IPv6 home agent flag, RFC 3775.

  • pref – Router selection preferences, RFC 4191.

  • proxy – Neighbor discovery proxy flag, RFC 4389.

  • rsv – Remaining two reserved bits of router advertisement flags.

  • router_lifetime – How long this router should be used as a default router.

  • reachable_time – How long a neighbor should be considered reachable.

  • retrans_timer – How long a host should wait before retransmitting.

  • options – Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
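Because icmp_router_advertisement hands the script layer the source of every router advertisement together with its lifetime and flags, it can be used to spot advertisements from hosts that are not the network's known routers. This is an added example, not code from the Zeek distribution; the allowed-router set (here the placeholder fe80::1) and the module and notice names are assumptions to be replaced with site values.

```zeek
module ICMPRouterAdv;

export {
    redef enum Notice::Type += { Unexpected_Router_Advertisement };
    ## Link-local addresses of routers expected to send advertisements.
    ## Assumed placeholder; redef with the site's real router addresses.
    const allowed_routers: set[addr] = { [fe80::1] } &redef;
}

event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count,
                                managed: bool, other: bool, home_agent: bool, pref: count,
                                proxy: bool, rsv: count, router_lifetime: interval,
                                reachable_time: interval, retrans_timer: interval,
                                options: icmp6_nd_options)
    {
    # Advertisements from known routers are expected traffic.
    if ( c$id$orig_h in allowed_routers )
        return;

    # A zero router lifetime only withdraws the sender as a default router
    # (RFC 4861); a non-zero lifetime from an unknown host is what hosts would
    # actually act on, so record that distinction in the notice text.
    local effect = router_lifetime == 0sec ? "withdrawal" : fmt("lifetime %s", router_lifetime);

    NOTICE([$note=Unexpected_Router_Advertisement,
            $conn=c,
            $msg=fmt("Router advertisement from %s not in allowed_routers (%s, managed=%s, other=%s, pref=%d)",
                     c$id$orig_h, effect, managed, other, pref),
            # Suppress repeats from the same sender for an hour.
            $identifier=cat(c$id$orig_h),
            $suppress_for=1hr]);
    }
```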

icmp_router_solicitation
Type

event (c: connection, info: icmp_info, options: icmp6_nd_options)

Generated for ICMP router solicitation messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • options – Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect

icmp_sent
Type

event (c: connection, info: icmp_info)

Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Zeek’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

See also: icmp_error_message, icmp_sent_payload

icmp_sent_payload
Type

event (c: connection, info: icmp_info, payload: string)

The same as icmp_sent, but additionally carrying the ICMP payload.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • payload – The payload of the ICMP message.

See also: icmp_error_message, icmp_sent

icmp_time_exceeded
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMP time exceeded messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • code – The ICMP code of the time exceeded message.

  • context – A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem

icmp_unreachable
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMP destination unreachable messages.

See Wikipedia for more information about the ICMP protocol.

Parameters
  • c – The connection record for the corresponding ICMP flow.

  • info – Additional ICMP-specific information augmenting the standard connection record c.

  • code – The ICMP code of the unreachable message.

  • context – A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the unreachable message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem
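The context record of icmp_unreachable identifies the original flow that provoked the error, so a handler can attribute a burst of port-unreachable responses to the host whose probes caused them rather than to the router or host that sent the ICMP messages. This is an added example, not code from the Zeek distribution; the threshold, the time window, and the module and notice names are assumed values, and it relies on the bad_hdr_len and id fields of icmp_context and the v6 field of icmp_info.

```zeek
module ICMPUnreachable;

export {
    redef enum Notice::Type += { Many_Port_Unreachables };
    ## Assumed: number of port-unreachable responses attributed to one host
    ## within the window before a notice is raised.
    const threshold = 20 &redef;
    ## Assumed: how long a host's counter lives without new responses.
    const window = 5min &redef;
}

# Count of port-unreachable responses keyed by the host whose probes triggered them.
global unreach_counts: table[addr] of count &create_expire=window;

event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
    {
    # The context fields are only meaningful when Zeek saw the full original IP header.
    if ( context$bad_hdr_len )
        return;

    # "Port unreachable" is code 3 in ICMPv4 (RFC 792) and code 4 in ICMPv6 (RFC 4443).
    local port_unreach = info$v6 ? 4 : 3;
    if ( code != port_unreach )
        return;

    # The original packet's source is the host that sent the probe; context$id
    # describes that original flow, not the ICMP message itself.
    local probe_src = context$id$orig_h;

    if ( probe_src !in unreach_counts )
        unreach_counts[probe_src] = 0;
    ++unreach_counts[probe_src];

    # Fire exactly once when the threshold is crossed within the window.
    if ( unreach_counts[probe_src] == threshold )
        NOTICE([$note=Many_Port_Unreachables,
                $conn=c,
                $msg=fmt("%d port-unreachable responses within %s attributed to %s (last target %s:%s)",
                         threshold, window, probe_src, context$id$resp_h, context$id$resp_p),
                $identifier=cat(probe_src),
                $suppress_for=window]);
    }
```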