base/protocols/quic/spicy-events.zeek

Events generated by the QUIC analyzer.

See See RFC9000.

Summary

Events

QUIC::connection_close_frame: event

Generated for a QUIC CONNECTION_CLOSE frame.

QUIC::handshake_packet: event

Generated for a QUIC Handshake packet.

QUIC::initial_packet: event

Generated for a QUIC Initial packet.

QUIC::retry_packet: event

Generated for a QUIC Retry packet.

QUIC::unhandled_version: event

Generated for an unrecognized QUIC version.

QUIC::zero_rtt_packet: event

Generated for a QUIC 0-RTT packet.

Detailed Interface

Events

QUIC::connection_close_frame
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string, error_code: count, reason_phrase: string)

Generated for a QUIC CONNECTION_CLOSE frame.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.

  • error_code – Count indicating the reason for closing this connection.

  • reason_phrase – Additional diagnostic information for the closure.

Note

Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.

QUIC::handshake_packet
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string)

Generated for a QUIC Handshake packet.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.

QUIC::initial_packet
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string)

Generated for a QUIC Initial packet.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.

QUIC::retry_packet
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string)

Generated for a QUIC Retry packet.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.

  • retry_token – The Retry Token field.

  • integrity_tag – The Retry Integrity Tag field.

QUIC::unhandled_version
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string)

Generated for an unrecognized QUIC version.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.

QUIC::zero_rtt_packet
Type

event (c: connection, is_orig: bool, version: count, dcid: string, scid: string)

Generated for a QUIC 0-RTT packet.

Parameters
  • c – The connection.

  • is_orig – True if the packet is from the the connection’s originator.

  • version – The Version field.

  • dcid – The Destination Connection ID field.

  • scid – The Source Connection ID field.