base/protocols/quic/main.zeek

QUIC

Implements base functionality for QUIC analysis. Generates quic.log.

Namespace:: QUIC
Imports:: base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/quic/consts.zeek

Summary

Runtime Options

QUIC::max_history_length: count &redef

The maximum length of the history field.

Types

QUIC::Info: record

Redefinitions

`Log::ID`: `enum`	`QUIC::LOG`
`connection`: `record`	New Fields: `connection` quic: `QUIC::Info` `&optional`

Events

QUIC::log_quic: event

Hooks

`QUIC::finalize_quic`: `Conn::RemovalHook`
`QUIC::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

QUIC::max_history_length 

Type:: count
Attributes:: &redef
Default:: 100

The maximum length of the history field.

Types

QUIC::Info 

Type:

Fields:

ts: time &log: Timestamp of first QUIC packet for this entry.

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

version: string &log: QUIC version as found in the first INITIAL packet from the client. This will often be “1” or “quicv2”, but see the QUIC::version_strings table for details.

client_initial_dcid: string &log &optional: First Destination Connection ID used by client. This is random and unpredictable, but used for packet protection by client and server.

client_scid: string &log &optional: Client’s Source Connection ID from the first INITIAL packet.

server_scid: string &log &optional: Server chosen Connection ID usually from server’s first INITIAL packet. This is to be used by the client in subsequent packets.

server_name: string &log &optional: Server name extracted from SNI extension in ClientHello packet if available.

client_protocol: string &log &optional: First protocol extracted from ALPN extension in ClientHello packet if available.

history: string &log &default = "" &optional

QUIC history.

Letters have the following meaning with client-sent letters being capitalized:

Letter	Meaning
I	INIT packet
H	HANDSHAKE packet
Z	0RTT packet
R	RETRY packet
C	CONNECTION_CLOSE packet
S	SSL Client/Server Hello
U	Unfamiliar QUIC version

history_state: vector of string

logged: bool &default = F &optional

Events

QUIC::log_quic 

Type:: event (rec: QUIC::Info)

Hooks

QUIC::finalize_quic 

Type:: Conn::RemovalHook

QUIC::log_policy 

Type:: Log::PolicyHook