base/bif/plugins/Zeek_ARP.events.bif.zeek
- GLOBAL
- Namespace
GLOBAL
Summary
Events
Generated for ARP replies. |
|
Generated for ARP requests. |
|
Generated for ARP packets that Zeek cannot interpret. |
Detailed Interface
Events
- arp_reply
-
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
- Parameters
mac_src – The reply’s source MAC address.
mac_dst – The reply’s destination MAC address.
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
See also:
arp_request
,bad_arp
- arp_request
-
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
- Parameters
mac_src – The request’s source MAC address.
mac_dst – The request’s destination MAC address.
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
- bad_arp
-
Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
- Parameters
SPA – The sender protocol address.
SHA – The sender hardware address.
TPA – The target protocol address.
THA – The target hardware address.
explanation – A short description of why the ARP packet is considered “bad”.
See also:
arp_reply
,arp_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.