base/bif/plugins/Zeek_TCP.functions.bif.zeek

Namespace: GLOBAL

Summary

Functions

get_contents_file: function

Returns the file handle of the contents file of a connection.

get_orig_seq: function

Get the originator sequence number of a TCP connection.

get_resp_seq: function

Get the responder sequence number of a TCP connection.

set_contents_file: function

Associates a file handle with a connection for writing TCP byte stream contents.

Detailed Interface

Functions

get_contents_file
Type

function (cid: conn_id, direction: count) : file

Returns the file handle of the contents file of a connection.

Parameters
  • cid – The connection ID.

  • direction – Controls what sides of the connection to record. See set_contents_file for possible values.

Returns

The file handle for the contents file of the connection identified by cid. If the connection exists but there is no contents file for direction, then the function generates an error and returns a file handle to stderr.

See also: set_contents_file, set_record_packets, contents_file_write_failure

get_orig_seq
Type

function (cid: conn_id) : count

Get the originator sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Parameters
  • cid – The connection ID.

Returns

The highest sequence number sent by a connection’s originator, or 0 if cid does not point to an active TCP connection.

See also: get_resp_seq

get_resp_seq
Type

function (cid: conn_id) : count

Get the responder sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Parameters
  • cid – The connection ID.

Returns

The highest sequence number sent by a connection’s responder, or 0 if cid does not point to an active TCP connection.

See also: get_orig_seq

set_contents_file
Type

function (cid: conn_id, direction: count, f: file) : bool

Associates a file handle with a connection for writing TCP byte stream contents.

Parameters
  • cid – The connection ID.

  • direction

    Controls what sides of the connection to record. The argument can take one of the four values:

    • CONTENTS_NONE: Stop recording the connection’s content.

    • CONTENTS_ORIG: Record the data sent by the connection originator (often the client).

    • CONTENTS_RESP: Record the data sent by the connection responder (often the server).

    • CONTENTS_BOTH: Record the data sent in both directions. Results in the two directions being intermixed in the file, in the order the data was seen by Zeek.

  • f – The file handle of the file to write the contents to.

Returns

Returns false if cid does not point to an active connection, and true otherwise.

Note

The data recorded to the file reflects the reassembled byte stream, not the contents of individual packets: reordered segments are put back in order and duplicates are removed. If any data is missing, the recording stops at the missing data; this can happen, e.g., due to a content_gap event.

See also: get_contents_file, set_record_packets, contents_file_write_failure
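The script below is an added example of how these functions fit together; it is not part of the Zeek documentation or source tree. It records the reassembled byte stream of connections to 25/tcp into one file per connection and reports how far each side got when the connection finishes. The module name ContentsDemo, the options record_ports and dump_dir, and the existence of a writable directory named contents are all assumptions.

```zeek
# Added example (not Zeek's own code): capture reassembled TCP streams
# for forensic review of selected services.

module ContentsDemo;

export {
    ## Responder ports whose byte streams are recorded (constructed choice).
    const record_ports: set[port] = { 25/tcp } &redef;

    ## Directory for per-connection dump files (assumed to exist and be writable).
    const dump_dir = "contents" &redef;
}

event connection_established(c: connection)
    {
    if ( c$id$resp_p !in record_ports )
        return;

    # One file per connection, named by UID so it can be joined to conn.log.
    local f = open(fmt("%s/%s.bin", dump_dir, c$uid));

    # CONTENTS_BOTH intermixes both directions in the order Zeek saw the data.
    # set_contents_file returns F only if cid is not an active connection.
    if ( ! set_contents_file(c$id, CONTENTS_BOTH, f) )
        Reporter::warning(fmt("could not attach contents file for %s", c$uid));
    }

# Raised by Zeek when writing to an attached contents file fails.
event contents_file_write_failure(c: connection, is_orig: bool, msg: string)
    {
    Reporter::warning(fmt("contents write failure on %s (is_orig=%s): %s",
                          c$uid, is_orig, msg));
    }

event connection_finished(c: connection)
    {
    if ( c$id$resp_p !in record_ports )
        return;

    # Absolute sequence numbers (as seen in packet headers), 0 if the
    # connection is no longer active.
    print fmt("%s finished: orig_seq=%d resp_seq=%d",
              c$uid, get_orig_seq(c$id), get_resp_seq(c$id));
    }
```

Because recording stops at the first gap in the stream, a file that ends early is a signal to check the sequence numbers printed above against what the peers actually exchanged.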