base/bif/plugins/Zeek_ARP.events.bif.zeek

GLOBAL

Namespace:GLOBAL

Summary

Events

arp_reply: event	Generated for ARP replies.
arp_request: event	Generated for ARP requests.
bad_arp: event	Generated for ARP packets that Zeek cannot interpret.

Detailed Interface

Events

arp_reply

Type:event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Mac_src:The reply’s source MAC address. Mac_dst:The reply’s destination MAC address. SPA:The sender protocol address. SHA:The sender hardware address. TPA:The target protocol address. THA:The target hardware address.

See also: arp_request, bad_arp

arp_request

Type:event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Mac_src:The request’s source MAC address. Mac_dst:The request’s destination MAC address. SPA:The sender protocol address. SHA:The sender hardware address. TPA:The target protocol address. THA:The target hardware address.

See also: arp_reply, bad_arp

bad_arp

Type:event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA:The sender protocol address. SHA:The sender hardware address. TPA:The target protocol address. THA:The target hardware address. Explanation:A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.