Packet Analyzers
- PacketAnalyzer::Tag
- Type
-
- PacketAnalyzer::ANALYZER_ARP
- PacketAnalyzer::ANALYZER_AYIYA
- PacketAnalyzer::ANALYZER_ETHERNET
- PacketAnalyzer::ANALYZER_FDDI
- PacketAnalyzer::ANALYZER_GENEVE
- PacketAnalyzer::ANALYZER_GRE
- PacketAnalyzer::ANALYZER_GTPV1
- PacketAnalyzer::ANALYZER_ICMP
- PacketAnalyzer::ANALYZER_IEEE802_11
- PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
- PacketAnalyzer::ANALYZER_IP
- PacketAnalyzer::ANALYZER_IPTUNNEL
- PacketAnalyzer::ANALYZER_LINUXSLL
- PacketAnalyzer::ANALYZER_LINUXSLL2
- PacketAnalyzer::ANALYZER_LLC
- PacketAnalyzer::ANALYZER_MPLS
- PacketAnalyzer::ANALYZER_NFLOG
- PacketAnalyzer::ANALYZER_NOVELL_802_3
- PacketAnalyzer::ANALYZER_NULL
- PacketAnalyzer::ANALYZER_PBB
- PacketAnalyzer::ANALYZER_PPP
- PacketAnalyzer::ANALYZER_PPPOE
- PacketAnalyzer::ANALYZER_PPPSERIAL
- PacketAnalyzer::ANALYZER_ROOT
- PacketAnalyzer::ANALYZER_SKIP
- PacketAnalyzer::ANALYZER_SNAP
- PacketAnalyzer::ANALYZER_TCP
- PacketAnalyzer::ANALYZER_TEREDO
- PacketAnalyzer::ANALYZER_UDP
- PacketAnalyzer::ANALYZER_VLAN
- PacketAnalyzer::ANALYZER_VNTAG
- PacketAnalyzer::ANALYZER_VXLAN
Zeek::ARP
ARP packet analyzer
Components
Events
- arp_request
-
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
- Parameters
mac_src – The request’s source MAC address.
mac_dst – The request’s destination MAC address.
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
- arp_reply
-
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
- Parameters
mac_src – The reply’s source MAC address.
mac_dst – The reply’s destination MAC address.
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
See also:
arp_request,bad_arp
- bad_arp
-
Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
- Parameters
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
explanation – A short description of why the ARP packet is considered “bad”.
See also:
arp_reply,arp_requestTodo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::AYIYA
AYIYA packet analyzer
Components
Zeek::Ethernet
Ethernet packet analyzer
Components
Zeek::FDDI
FDDI packet analyzer
Components
Zeek::Geneve
Geneve packet analyzer
Components
Events
- geneve_packet
- Type
event(outer:connection, inner:pkt_hdr, vni:count)
Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.
- Parameters
outer – The Geneve tunnel connection.
inner – The Geneve-encapsulated Ethernet packet header and transport header.
vni – Geneve Network Identifier.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
Zeek::GRE
GRE packet analyzer
Components
Zeek::GTPv1
GTPv1 analyzer
Components
Events
- gtpv1_message
- Type
event(c:connection, hdr:gtpv1_hdr)
Generated for any GTP message with a GTPv1 header.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
- gtpv1_g_pdu_packet
- Type
event(outer:connection, inner_gtp:gtpv1_hdr, inner_ip:pkt_hdr)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
- Parameters
outer – The GTP outer tunnel connection.
inner_gtp – The GTP header.
inner_ip – The inner IP and transport layer packet headers.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- gtpv1_create_pdp_ctx_request
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_create_pdp_ctx_request_elements)
Generated for GTPv1-C Create PDP Context Request messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
- gtpv1_create_pdp_ctx_response
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_create_pdp_ctx_response_elements)
Generated for GTPv1-C Create PDP Context Response messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_request
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_update_pdp_ctx_request_elements)
Generated for GTPv1-C Update PDP Context Request messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_response
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_update_pdp_ctx_response_elements)
Generated for GTPv1-C Update PDP Context Response messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_request
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_delete_pdp_ctx_request_elements)
Generated for GTPv1-C Delete PDP Context Request messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_response
- Type
event(c:connection, hdr:gtpv1_hdr, elements:gtp_delete_pdp_ctx_response_elements)
Generated for GTPv1-C Delete PDP Context Response messages.
- Parameters
c – The connection over which the message is sent.
hdr – The GTPv1 header.
elements – The set of Information Elements comprising the message.
Functions
Zeek::IEEE802_11
IEEE 802.11 packet analyzer
Components
Zeek::IEEE802_11_Radio
IEEE 802.11 Radiotap packet analyzer
Components
Zeek::IP
Packet analyzer for IP fallback (v4 or v6)
Components
Zeek::IPTunnel
IPTunnel packet analyzer
Components
Zeek::LinuxSLL
Linux cooked capture (SLL) packet analyzer
Components
Zeek::LinuxSLL2
Linux cooked capture version 2 (SLL2) packet analyzer
Components
Zeek::LLC
LLC packet analyzer
Components
Zeek::MPLS
MPLS packet analyzer
Components
Zeek::NFLog
NFLog packet analyzer
Components
Zeek::NOVELL_802_3
Novell 802.3 variantx packet analyzer
Components
Zeek::Null
Null packet analyzer
Components
Zeek::PBB
PBB packet analyzer
Components
Zeek::PPP
PPP packet analyzer
Components
Zeek::PPPoE
PPPoE packet analyzer
Components
Zeek::PPPSerial
PPPSerial packet analyzer
Components
Zeek::Root
Root packet analyzer
Components
Zeek::Skip
Skip packet analyzer
Components
Zeek::SNAP
SNAP packet analyzer
Components
Zeek::Teredo
Teredo packet analyzer
Components
Events
- teredo_packet
- Type
event(outer:connection, inner:teredo_hdr)
Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.
- Parameters
outer – The Teredo tunnel connection.
inner – The Teredo-encapsulated IPv6 packet header and transport header.
See also:
teredo_authentication,teredo_origin_indication,teredo_bubbleNote
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_authentication
- Type
event(outer:connection, inner:teredo_hdr)
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
- Parameters
outer – The Teredo tunnel connection.
inner – The Teredo-encapsulated IPv6 packet header and transport header.
See also:
teredo_packet,teredo_origin_indication,teredo_bubbleNote
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_origin_indication
- Type
event(outer:connection, inner:teredo_hdr)
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
- Parameters
outer – The Teredo tunnel connection.
inner – The Teredo-encapsulated IPv6 packet header and transport header.
See also:
teredo_packet,teredo_authentication,teredo_bubbleNote
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_bubble
- Type
event(outer:connection, inner:teredo_hdr)
Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of
IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.- Parameters
outer – The Teredo tunnel connection.
inner – The Teredo-encapsulated IPv6 packet header and transport header.
See also:
teredo_packet,teredo_authentication,teredo_origin_indicationNote
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
Functions
Zeek::VLAN
VLAN packet analyzer
Components
Zeek::VNTag
VNTag packet analyzer
Components
Zeek::VXLAN
VXLAN packet analyzer
Components
Events
- vxlan_packet
- Type
event(outer:connection, inner:pkt_hdr, vni:count)
Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.
- Parameters
outer – The VXLAN tunnel connection.
inner – The VXLAN-encapsulated Ethernet packet header and transport header.
vni – VXLAN Network Identifier.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.