Packet Analyzers

PacketAnalyzer::Tag
Type: enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_VLAN

Zeek::ARP

ARP packet analyzer

Events

arp_request
Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

mac_src: The request’s source MAC address.
mac_dst: The request’s destination MAC address.
SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

mac_src: The reply’s source MAC address.
mac_dst: The reply’s destination MAC address.
SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type: event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.
explanation: A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
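Added example, not part of the Zeek documentation: a script that handles the arp_reply and bad_arp events above to track which hardware address last claimed each protocol address and raise a notice when that binding changes (a common ARP-spoofing indicator) or when Zeek flags a packet as malformed. The module name ARPWatch, the two Notice::Type values and the one-hour table expiry are assumptions; the script assumes the ARP analyzer is active and the notice framework is loaded, as it is when run without `-b`.

```zeek
# Added example (not Zeek project code): watch ARP replies for changing
# IP-to-MAC bindings and record packets Zeek reports via bad_arp.
# Run with: zeek -r capture.pcap arpwatch.zeek

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## An IP address was claimed by a different MAC than last seen (assumed name).
        ARP_Mapping_Changed,
        ## Zeek could not interpret an ARP packet (assumed name).
        Malformed_ARP,
    };

    ## Last hardware address seen claiming each protocol address.
    ## Entries expire an hour after creation so stale bindings do not linger.
    global ip_to_mac: table[addr] of string &create_expire = 1 hr;
}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
    {
    # A frame source that differs from the SHA inside the ARP payload is
    # unusual; bad_arp covers some of these cases, so just report it here.
    if ( mac_src != SHA )
        print fmt("frame source %s differs from SHA %s for %s", mac_src, SHA, SPA);

    if ( SPA !in ip_to_mac )
        {
        # First time this IP has been claimed: remember the binding.
        ip_to_mac[SPA] = SHA;
        return;
        }

    if ( ip_to_mac[SPA] != SHA )
        {
        NOTICE([$note=ARP_Mapping_Changed,
                $msg=fmt("%s moved from %s to %s", SPA, ip_to_mac[SPA], SHA),
                $src=SPA]);
        ip_to_mac[SPA] = SHA;
        }
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    # Surface Zeek's own explanation of why the packet could not be parsed.
    NOTICE([$note=Malformed_ARP,
            $msg=fmt("%s (SHA %s, SPA %s, TPA %s)", explanation, SHA, SPA, TPA),
            $src=SPA]);
    }
```

On a live network, legitimate changes such as DHCP lease turnover or failover (VRRP/HSRP) also change bindings, so the notice is a prompt for review rather than a verdict.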

Zeek::Ethernet

Ethernet packet analyzer

Zeek::FDDI

FDDI packet analyzer

Zeek::GRE

GRE packet analyzer

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Zeek::IPTunnel

IPTunnel packet analyzer

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Zeek::MPLS

MPLS packet analyzer

Zeek::NFLog

NFLog packet analyzer

Zeek::Null

Null packet analyzer

Zeek::PPPoE

PPPoE packet analyzer

Zeek::PPPSerial

PPPSerial packet analyzer

Zeek::Root

Root packet analyzer

Zeek::Skip

Skip packet analyzer

Zeek::VLAN

VLAN packet analyzer