base/bif/plugins/Zeek_ARP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

arp_reply: event

Generated for ARP replies.

arp_request: event

Generated for ARP requests.

bad_arp: event

Generated for ARP packets that Zeek cannot interpret.

Detailed Interface

Events

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Parameters
  • mac_src – The reply’s source MAC address.

  • mac_dst – The reply’s destination MAC address.

  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

See also: arp_request, bad_arp

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Parameters
  • mac_src – The request’s source MAC address.

  • mac_dst – The request’s destination MAC address.

  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

See also: arp_reply, bad_arp

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

Parameters
  • SPA – The sender protocol address.

  • SHA – The sender hardware address.

  • TPA – The target protocol address.

  • THA – The target hardware address.

  • explanation – A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.