Packet Analyzers¶
- PacketAnalyzer::Tag¶
- Type
-
- PacketAnalyzer::ANALYZER_ARP¶
- PacketAnalyzer::ANALYZER_AYIYA¶
- PacketAnalyzer::ANALYZER_ETHERNET¶
- PacketAnalyzer::ANALYZER_FDDI¶
- PacketAnalyzer::ANALYZER_GENEVE¶
- PacketAnalyzer::ANALYZER_GRE¶
- PacketAnalyzer::ANALYZER_GTPV1¶
- PacketAnalyzer::ANALYZER_ICMP¶
- PacketAnalyzer::ANALYZER_IEEE802_11¶
- PacketAnalyzer::ANALYZER_IEEE802_11_RADIO¶
- PacketAnalyzer::ANALYZER_IP¶
- PacketAnalyzer::ANALYZER_IPTUNNEL¶
- PacketAnalyzer::ANALYZER_LINUXSLL¶
- PacketAnalyzer::ANALYZER_LINUXSLL2¶
- PacketAnalyzer::ANALYZER_MPLS¶
- PacketAnalyzer::ANALYZER_NFLOG¶
- PacketAnalyzer::ANALYZER_NULL¶
- PacketAnalyzer::ANALYZER_PBB¶
- PacketAnalyzer::ANALYZER_PPPOE¶
- PacketAnalyzer::ANALYZER_PPPSERIAL¶
- PacketAnalyzer::ANALYZER_ROOT¶
- PacketAnalyzer::ANALYZER_SKIP¶
- PacketAnalyzer::ANALYZER_TCP¶
- PacketAnalyzer::ANALYZER_TEREDO¶
- PacketAnalyzer::ANALYZER_UDP¶
- PacketAnalyzer::ANALYZER_VLAN¶
- PacketAnalyzer::ANALYZER_VNTAG¶
- PacketAnalyzer::ANALYZER_VXLAN¶
Zeek::ARP¶
ARP packet analyzer
Components¶
Events¶
- arp_request¶
-
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
- Mac_src
The request’s source MAC address.
- Mac_dst
The request’s destination MAC address.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.
- arp_reply¶
-
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
- Mac_src
The reply’s source MAC address.
- Mac_dst
The reply’s destination MAC address.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.
See also: arp_request, bad_arp
- bad_arp¶
-
Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.
- Explanation
A short description of why the ARP packet is considered “bad”.
See also: arp_reply, arp_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
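The three ARP events above are enough to build the classic ARP watcher: learn the sender protocol address to sender hardware address mapping from every request and reply, raise a notice when an address moves to a different hardware address, and surface whatever Zeek itself refused to parse via bad_arp. The following script is an added example, not code from the Zeek distribution; the module name ARPWatch, the two Notice types, the 1 hour expiry and the treatment of ARP probes are assumptions, and the parameter types in the handler signatures follow Zeek's built-in event declarations, which this page does not reproduce.

```zeek
# Added example (not part of Zeek): a minimal ARP watcher built on
# arp_request, arp_reply and bad_arp.  Assumed: module name, Notice
# types, the 1 hr mapping expiry.
@load base/frameworks/notice

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## A protocol address was claimed by a different hardware
        ## address than the one last seen for it.
        Mapping_Changed,
        ## Zeek could not interpret an ARP packet (bad_arp fired).
        Bad_Packet,
    };

    ## Last sender hardware address (SHA) seen for each sender protocol
    ## address (SPA).  Entries expire if not refreshed within an hour.
    global ip_to_mac: table[addr] of string &create_expire=1hr;
}

# Update the SPA -> SHA mapping and notice when it changes.  Requests and
# replies both carry a sender pair, so both are tracked.
function track(spa: addr, sha: string, kind: string)
    {
    # ARP probes (RFC 5227) use 0.0.0.0 as the sender protocol address;
    # there is no mapping to learn from them.
    if ( spa == 0.0.0.0 )
        return;

    if ( spa in ip_to_mac && ip_to_mac[spa] != sha )
        NOTICE([$note=Mapping_Changed,
                $msg=fmt("%s moved from %s to %s (seen in ARP %s)",
                         spa, ip_to_mac[spa], sha, kind),
                $src=spa,
                $identifier=cat(spa, sha)]);

    ip_to_mac[spa] = sha;
    }

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
    {
    track(SPA, SHA, "request");
    }

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
    {
    track(SPA, SHA, "reply");
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    # Zeek already decided the packet is malformed (e.g. the hardware
    # address does not match the frame's originator); just report why.
    NOTICE([$note=Bad_Packet,
            $msg=fmt("unparseable ARP %s/%s -> %s/%s: %s",
                     SPA, SHA, TPA, THA, explanation),
            $src=SPA]);
    }
```

Run it as `zeek -r capture.pcap arpwatch.zeek` (file name assumed) and look for the two notice types in notice.log. The `$identifier` on Mapping_Changed lets the Notice framework's suppression collapse repeated notices for the same new pair; without it a flapping address would produce one notice per ARP packet.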
Zeek::AYIYA¶
AYIYA packet analyzer
Components¶
Zeek::Ethernet¶
Ethernet packet analyzer
Components¶
Zeek::FDDI¶
FDDI packet analyzer
Components¶
Zeek::Geneve¶
Geneve packet analyzer
Components¶
Events¶
- geneve_packet¶
- Type
event (outer: connection, inner: pkt_hdr, vni: count)
Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.
- Outer
The Geneve tunnel connection.
- Inner
The Geneve-encapsulated Ethernet packet header and transport header.
- Vni
The Geneve Virtual Network Identifier (VNI) of the encapsulated packet.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
Zeek::GRE¶
GRE packet analyzer
Components¶
Zeek::GTPv1¶
GTPv1 analyzer
Components¶
Events¶
- gtpv1_message¶
- Type
event (c: connection, hdr: gtpv1_hdr)
Generated for any GTP message with a GTPv1 header.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- gtpv1_g_pdu_packet¶
- Type
event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
- Outer
The GTP outer tunnel connection.
- Inner_gtp
The GTP header.
- Inner_ip
The inner IP and transport layer packet headers.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- gtpv1_create_pdp_ctx_request¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)
Generated for GTPv1-C Create PDP Context Request messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
- gtpv1_create_pdp_ctx_response¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)
Generated for GTPv1-C Create PDP Context Response messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_request¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)
Generated for GTPv1-C Update PDP Context Request messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_response¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)
Generated for GTPv1-C Update PDP Context Response messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_request¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)
Generated for GTPv1-C Delete PDP Context Request messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_response¶
- Type
event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)
Generated for GTPv1-C Delete PDP Context Response messages.
- C
The connection over which the message is sent.
- Hdr
The GTPv1 header.
- Elements
The set of Information Elements comprising the message.
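The GTPv1 events split naturally into control plane (gtpv1_message and the PDP context request/response events, one per message) and user plane (gtpv1_g_pdu_packet, one per encapsulated packet). The script below is an added example, not Zeek's own code, and shows both sides: it counts GTP-C messages per outer connection and message type, logs PDP context creation and deletion, and applies a cheap per-packet heuristic to GTP-U: a TEID is supposed to carry one subscriber's traffic, so the subscriber address should appear, as source or destination, in every user packet under that TEID; when the candidate set empties, the TEID is carrying traffic that belongs to no single endpoint. Assumed here are the module name, the Notice type, the expiry intervals and the message-type constant, which is taken from 3GPP TS 29.060 rather than from this page.

```zeek
# Added example (not part of Zeek).  Assumed: module name, Notice type,
# expiry intervals; GTP_G_PDU (255) is the G-PDU message type from
# 3GPP TS 29.060.
@load base/frameworks/notice

module GTPWatch;

export {
    redef enum Notice::Type += {
        ## A GTP-U TEID carried user packets that share no inner endpoint,
        ## i.e. it does not look like the tunnel of a single subscriber.
        TEID_No_Common_Endpoint,
    };
}

const GTP_G_PDU = 255;

# GTP-C message counts per outer connection UID and message type.
global ctl_msgs: table[string, count] of count &create_expire=1hr;

# Candidate subscriber addresses per (outer UID, TEID): the inner addresses
# that appeared, as source or destination, in every user packet so far.
global teid_ue: table[string, count] of set[addr] &create_expire=1hr;

event gtpv1_message(c: connection, hdr: gtpv1_hdr)
    {
    # G-PDU packets raise this event too; they are handled per packet below.
    if ( hdr$msg_type == GTP_G_PDU )
        return;

    if ( [c$uid, hdr$msg_type] !in ctl_msgs )
        ctl_msgs[c$uid, hdr$msg_type] = 0;
    ++ctl_msgs[c$uid, hdr$msg_type];
    }

event gtpv1_create_pdp_ctx_request(c: connection, hdr: gtpv1_hdr,
                                   elements: gtp_create_pdp_ctx_request_elements)
    {
    # The allocated tunnel TEIDs travel in the Information Elements; the
    # header TEID of a Create request is normally 0.
    print fmt("%s GTP-C Create PDP Context Request (header TEID 0x%x)", c$uid, hdr$teid);
    }

event gtpv1_delete_pdp_ctx_request(c: connection, hdr: gtpv1_hdr,
                                   elements: gtp_delete_pdp_ctx_request_elements)
    {
    print fmt("%s GTP-C Delete PDP Context Request for TEID 0x%x", c$uid, hdr$teid);
    }

event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
    {
    # Raised for every user-plane packet, so this handler does table work only.
    local src: addr;
    local dst: addr;
    if ( inner_ip?$ip )
        { src = inner_ip$ip$src; dst = inner_ip$ip$dst; }
    else if ( inner_ip?$ip6 )
        { src = inner_ip$ip6$src; dst = inner_ip$ip6$dst; }
    else
        return;

    local teid = inner_gtp$teid;
    if ( [outer$uid, teid] !in teid_ue )
        {
        teid_ue[outer$uid, teid] = set(src, dst);
        return;
        }

    local cand = teid_ue[outer$uid, teid];
    if ( |cand| == 0 )
        return;   # already reported for this TEID

    # Keep only the candidates that this packet still agrees with.
    local keep: set[addr] = set();
    if ( src in cand ) add keep[src];
    if ( dst in cand ) add keep[dst];
    teid_ue[outer$uid, teid] = keep;

    if ( |keep| == 0 )
        NOTICE([$note=TEID_No_Common_Endpoint, $conn=outer,
                $msg=fmt("TEID 0x%x on %s: inner %s -> %s shares no endpoint with earlier packets",
                         teid, outer$uid, src, dst)]);
    }

event zeek_done()
    {
    for ( [uid, mt], n in ctl_msgs )
        print fmt("%s GTP-C message type %d: %d messages", uid, mt, n);
    }
```

The heuristic is direction-agnostic on purpose: gtpv1_g_pdu_packet does not say whether a packet is uplink or downlink, and tracking only inner sources would fire on every downlink tunnel, since those legitimately carry packets from many Internet hosts to one subscriber.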
Functions¶
Zeek::IEEE802_11¶
IEEE 802.11 packet analyzer
Components¶
Zeek::IEEE802_11_Radio¶
IEEE 802.11 Radiotap packet analyzer
Components¶
Zeek::IP¶
Packet analyzer for IP fallback (v4 or v6)
Components¶
Zeek::IPTunnel¶
IPTunnel packet analyzer
Components¶
Zeek::LinuxSLL¶
Linux cooked capture (SLL) packet analyzer
Components¶
Zeek::LinuxSLL2¶
Linux cooked capture version 2 (SLL2) packet analyzer
Components¶
Zeek::MPLS¶
MPLS packet analyzer
Components¶
Zeek::NFLog¶
NFLog packet analyzer
Components¶
Zeek::Null¶
Null packet analyzer
Components¶
Zeek::PBB¶
PBB packet analyzer
Components¶
Zeek::PPPoE¶
PPPoE packet analyzer
Components¶
Zeek::PPPSerial¶
PPPSerial packet analyzer
Components¶
Zeek::Root¶
Root packet analyzer
Components¶
Zeek::Skip¶
Skip packet analyzer
Components¶
Zeek::Teredo¶
Teredo packet analyzer
Components¶
Events¶
- teredo_packet¶
- Type
event (outer: connection, inner: teredo_hdr)
Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.
- Outer
The Teredo tunnel connection.
- Inner
The Teredo-encapsulated IPv6 packet header and transport header.
See also: teredo_authentication, teredo_origin_indication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_authentication¶
- Type
event (outer: connection, inner: teredo_hdr)
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
- Outer
The Teredo tunnel connection.
- Inner
The Teredo-encapsulated IPv6 packet header and transport header.
See also: teredo_packet, teredo_origin_indication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_origin_indication¶
- Type
event (outer: connection, inner: teredo_hdr)
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
- Outer
The Teredo tunnel connection.
- Inner
The Teredo-encapsulated IPv6 packet header and transport header.
See also: teredo_packet, teredo_authentication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- teredo_bubble¶
- Type
event (outer: connection, inner: teredo_hdr)
Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.
- Outer
The Teredo tunnel connection.
- Inner
The Teredo-encapsulated IPv6 packet header and transport header.
See also: teredo_packet, teredo_authentication, teredo_origin_indication
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
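The three specialised Teredo events each expose one part of the teredo_hdr record: the authentication encapsulation (client identifier, authentication value, nonce), the origin indication (the client's public address and port as seen by the Teredo server) and bubbles, which carry no payload and exist to open NAT mappings. The script below is an added example, not Zeek's own code; it prints the fields of the first two and rate-checks the third, since a burst of bubbles from one tunnel is worth a look. The module name, the Notice type, the threshold and the 5 minute window are assumptions. The generic teredo_packet event is deliberately left unhandled: it fires for every encapsulated packet, and nothing here needs it.

```zeek
# Added example (not part of Zeek).  Assumed: module name, Notice type,
# bubble_threshold and the 5 min counting window.
@load base/frameworks/notice

module TeredoWatch;

export {
    redef enum Notice::Type += {
        ## One Teredo tunnel sent at least bubble_threshold bubbles
        ## within the counting window.
        Bubble_Flood,
    };

    const bubble_threshold = 50 &redef;
}

# Bubbles seen per outer connection UID; the count is dropped after 5 min
# of inactivity so a busy tunnel is judged per window, not forever.
global bubbles: table[string] of count &create_expire=5min;

# Inner IPv6 endpoints, when Zeek parsed the encapsulated header.
function inner_ends(inner: teredo_hdr): string
    {
    if ( inner$hdr?$ip6 )
        return fmt("%s -> %s", inner$hdr$ip6$src, inner$hdr$ip6$dst);
    return "(no inner IPv6 header)";
    }

event teredo_authentication(outer: connection, inner: teredo_hdr)
    {
    # auth is &optional in teredo_hdr; it is set when the authentication
    # encapsulation is present, which is what this event means.
    if ( inner?$auth )
        print fmt("%s Teredo auth: id=%d bytes, value=%d bytes, nonce=%d, %s",
                  outer$uid, |inner$auth$id|, |inner$auth$value|,
                  inner$auth$nonce, inner_ends(inner));
    }

event teredo_origin_indication(outer: connection, inner: teredo_hdr)
    {
    # The origin indication reveals the NAT-mapped address/port of the
    # client, which is useful when correlating a tunnel with an external view.
    if ( inner?$origin )
        print fmt("%s Teredo origin indication: %s port %s, %s",
                  outer$uid, inner$origin$a, inner$origin$p, inner_ends(inner));
    }

event teredo_bubble(outer: connection, inner: teredo_hdr)
    {
    if ( outer$uid !in bubbles )
        bubbles[outer$uid] = 0;
    ++bubbles[outer$uid];

    # Fire exactly at the threshold so a flood yields one notice per window.
    if ( bubbles[outer$uid] == bubble_threshold )
        NOTICE([$note=Bubble_Flood, $conn=outer,
                $msg=fmt("%d Teredo bubbles on %s within 5 min",
                         bubble_threshold, outer$uid)]);
    }
```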
Functions¶
Zeek::VLAN¶
VLAN packet analyzer
Components¶
Zeek::VNTag¶
VNTag packet analyzer
Components¶
Zeek::VXLAN¶
VXLAN packet analyzer
Components¶
Events¶
- vxlan_packet¶
- Type
event (outer: connection, inner: pkt_hdr, vni: count)
Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.
- Outer
The VXLAN tunnel connection.
- Inner
The VXLAN-encapsulated Ethernet packet header and transport header.
- Vni
VXLAN Network Identifier.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
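geneve_packet and vxlan_packet have the same shape (outer tunnel connection, parsed inner headers, VNI), and the note attached to both is the operational point: they fire once per encapsulated packet, so a handler must do almost nothing on the common path. The script below, an added example rather than Zeek's own code, serves both events: it writes one tunnel_vni log row per (tunnel connection, VNI) pair, recording the inner endpoints of the first packet seen, and ignores every later packet of that pair with a single set lookup. The module name, log path and 10 minute expiry are assumptions; the pkt_hdr field names are the ones Zeek's record type defines, all of them optional, which is why every access is guarded.

```zeek
# Added example (not part of Zeek): a tunnel_vni log fed by the
# geneve_packet and vxlan_packet events.  Assumed: module name, log
# path and the 10 min expiry of the dedup set.
module TunnelVNI;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:          time    &log;
        ## UID and 5-tuple of the outer (tunnel) connection.
        uid:         string  &log;
        id:          conn_id &log;
        ## "vxlan" or "geneve".
        proto:       string  &log;
        vni:         count   &log;
        ## Inner endpoints, when the encapsulated packet carried IP and
        ## transport headers that Zeek parsed.
        inner_src:   addr    &log &optional;
        inner_dst:   addr    &log &optional;
        inner_sport: port    &log &optional;
        inner_dport: port    &log &optional;
    };
}

# (outer UID, VNI) pairs already logged.  Both events fire for every
# encapsulated packet, so only the first packet of each pair is written.
global logged: set[string, count] &create_expire=10min;

event zeek_init()
    {
    Log::create_stream(TunnelVNI::LOG, [$columns=Info, $path="tunnel_vni"]);
    }

function log_first(outer: connection, inner: pkt_hdr, proto: string, vni: count)
    {
    if ( [outer$uid, vni] in logged )
        return;
    add logged[outer$uid, vni];

    local rec: Info = [$ts=network_time(), $uid=outer$uid, $id=outer$id,
                       $proto=proto, $vni=vni];

    # The inner frame may be IPv4, IPv6, or a non-IP payload Zeek did not
    # parse, so each pkt_hdr field is checked before use.
    if ( inner?$ip )
        { rec$inner_src = inner$ip$src; rec$inner_dst = inner$ip$dst; }
    else if ( inner?$ip6 )
        { rec$inner_src = inner$ip6$src; rec$inner_dst = inner$ip6$dst; }

    if ( inner?$tcp )
        { rec$inner_sport = inner$tcp$sport; rec$inner_dport = inner$tcp$dport; }
    else if ( inner?$udp )
        { rec$inner_sport = inner$udp$sport; rec$inner_dport = inner$udp$dport; }

    Log::write(TunnelVNI::LOG, rec);
    }

event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    log_first(outer, inner, "vxlan", vni);
    }

event geneve_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    log_first(outer, inner, "geneve", vni);
    }
```

An unexpected VNI in this log, or a known VNI suddenly appearing on a tunnel connection between hosts that should not be overlay endpoints, is the kind of thing this is meant to surface; the dedup set keeps the cost of getting there to one lookup per packet.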