base/bif/plugins/Zeek_ARP.events.bif.zeek

Namespace: GLOBAL

Summary

Events

arp_reply: event

Generated for ARP replies.

arp_request: event

Generated for ARP requests.

bad_arp: event

Generated for ARP packets that Zeek cannot interpret.

Detailed Interface

Events

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

mac_src

The reply’s source MAC address.

mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_request, bad_arp

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

mac_src

The request’s source MAC address.

mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_reply, bad_arp

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

explanation

A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To enable this event anyway, register a port for it or add a DPD payload signature.