Packet Analyzers

PacketAnalyzer::Tag
Type

enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_VLAN
PacketAnalyzer::ANALYZER_VNTAG

Zeek::ARP

ARP packet analyzer

Components

PacketAnalyzer::ANALYZER_ARP

Events

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

mac_src

The request’s source MAC address.

mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

mac_src

The reply’s source MAC address.

mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

explanation

A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
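The three ARP events above carry enough to watch for address-mapping conflicts on a segment. The following script is an added example, not part of the Zeek distribution or of this reference page: it remembers the last sender hardware address (SHA) seen for each sender protocol address (SPA) in ARP requests and replies, raises a notice when an address is suddenly claimed by a different MAC, and surfaces every bad_arp with its explanation. The module name ARPWatch, the notice types, the table name and the one-hour expiry are all choices made for this example; the event signatures are the ones documented above.

```zeek
@load base/frameworks/notice

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## An IP address is now answered for by a different MAC than before
        ## (possible spoofing, or a legitimate re-addressing; verify either way).
        Mapping_Changed,
        ## Zeek raised bad_arp for a packet it could not interpret.
        Malformed_ARP,
    };

    ## Last hardware address observed for each sender protocol address.
    ## Entries expire an hour after creation so stale hosts drop out
    ## (interval chosen for this example).
    global ip_to_mac: table[addr] of string &create_expire=1hr;
}

## Record the SPA -> SHA pair from an ARP message, or notice a change.
function check_mapping(spa: addr, sha: string, kind: string)
    {
    # An all-zero sender address is an ARP probe: the host has no
    # address yet, so there is no mapping to record.
    if ( spa == 0.0.0.0 )
        return;

    if ( spa !in ip_to_mac )
        {
        ip_to_mac[spa] = sha;
        return;
        }

    if ( ip_to_mac[spa] != sha )
        {
        NOTICE([$note=Mapping_Changed,
                $msg=fmt("%s now claimed by %s (previously %s) in ARP %s",
                         spa, sha, ip_to_mac[spa], kind),
                $src=spa,
                # Suppress repeats of the same (ip, mac) pair for a while.
                $identifier=cat(spa, sha),
                $suppress_for=10min]);
        ip_to_mac[spa] = sha;
        }
    }

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    check_mapping(SPA, SHA, "request");
    }

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    # Replies are the interesting case: an unsolicited reply that moves an
    # address to a new MAC is what a watcher most wants to see.
    check_mapping(SPA, SHA, "reply");
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    # Zeek has already decided the packet is malformed; pass its reason on
    # together with the addresses it managed to extract.
    NOTICE([$note=Malformed_ARP,
            $msg=fmt("bad ARP from %s (%s) to %s (%s): %s",
                     SPA, SHA, TPA, THA, explanation),
            $src=SPA]);
    }
```

Run it against a capture with `zeek -r capture.pcap arp_watch.zeek` (file name chosen here) and read notice.log; on a live interface the table and suppression keep the output to genuine changes rather than one line per ARP. Because the analyzer's activation status is as described in the Todo above, confirm that arp_request or arp_reply actually fire on your deployment before relying on the notices.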

Zeek::Ethernet

Ethernet packet analyzer

Components

PacketAnalyzer::ANALYZER_ETHERNET

Zeek::FDDI

FDDI packet analyzer

Components

PacketAnalyzer::ANALYZER_FDDI

Zeek::GRE

GRE packet analyzer

Components

PacketAnalyzer::ANALYZER_GRE

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11_RADIO

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Components

PacketAnalyzer::ANALYZER_IP

Zeek::IPTunnel

IPTunnel packet analyzer

Components

PacketAnalyzer::ANALYZER_IPTUNNEL

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Components

PacketAnalyzer::ANALYZER_LINUXSLL

Zeek::MPLS

MPLS packet analyzer

Components

PacketAnalyzer::ANALYZER_MPLS

Zeek::NFLog

NFLog packet analyzer

Components

PacketAnalyzer::ANALYZER_NFLOG

Zeek::Null

Null packet analyzer

Components

PacketAnalyzer::ANALYZER_NULL

Zeek::PPPoE

PPPoE packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPOE

Zeek::PPPSerial

PPPSerial packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPSERIAL

Zeek::Root

Root packet analyzer

Components

PacketAnalyzer::ANALYZER_ROOT

Zeek::Skip

Skip packet analyzer

Components

PacketAnalyzer::ANALYZER_SKIP

Zeek::VLAN

VLAN packet analyzer

Components

PacketAnalyzer::ANALYZER_VLAN

Zeek::VNTag

VNTag packet analyzer

Components

PacketAnalyzer::ANALYZER_VNTAG