base/bif/plugins/Zeek_ICMP.events.bif.zeek

Namespace: GLOBAL

Summary

Events

icmp_echo_reply: event

Generated for ICMP echo reply messages.

icmp_echo_request: event

Generated for ICMP echo request messages.

icmp_error_message: event

Generated for all ICMPv6 error messages that are not handled separately with dedicated events.

icmp_neighbor_advertisement: event

Generated for ICMP neighbor advertisement messages.

icmp_neighbor_solicitation: event

Generated for ICMP neighbor solicitation messages.

icmp_packet_too_big: event

Generated for ICMPv6 packet too big messages.

icmp_parameter_problem: event

Generated for ICMPv6 parameter problem messages.

icmp_redirect: event

Generated for ICMP redirect messages.

icmp_router_advertisement: event

Generated for ICMP router advertisement messages.

icmp_router_solicitation: event

Generated for ICMP router solicitation messages.

icmp_sent: event

Generated for all ICMP messages that are not handled separately with dedicated ICMP events.

icmp_sent_payload: event

The same as icmp_sent except containing the ICMP payload.

icmp_time_exceeded: event

Generated for ICMP time exceeded messages.

icmp_unreachable: event

Generated for ICMP destination unreachable messages.

Detailed Interface

Events

icmp_echo_reply
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string)

Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Type

event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)

Generated for ICMP echo reply messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

id

The echo reply identifier.

seq

The echo reply sequence number.

payload

The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_request

icmp_echo_request
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, id: count, seq: count, payload: string)

Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Type

event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)

Generated for ICMP echo request messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

id

The echo request identifier.

seq

The echo request sequence number.

payload

The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_reply
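The two echo events above are the hooks for pairing requests with replies. The following handler, added here as an illustration and not part of Zeek or its documentation, keeps outstanding requests keyed by (requester, id, seq), reports a reply that no recent request preceded, and reports oversized echo payloads; it assumes a Zeek release where the icmp_info prototype (the second of the three listed) is current, and the module name, notice names, size threshold and pairing window are assumed values.

```zeek
module EchoWatch;

export {
    redef enum Notice::Type += {
        Unsolicited_Echo_Reply,
        Oversized_Echo_Payload,
    };
    ## Echo payloads larger than this many bytes are reported (assumed threshold).
    const max_echo_payload = 1024 &redef;
    ## How long a request stays outstanding before a reply counts as unsolicited.
    const pairing_window = 30sec &redef;
}

# Outstanding requests keyed by requester address, identifier and sequence number.
global pending: set[addr, count, count] &create_expire=pairing_window;

function check_payload(c: connection, kind: string, id: count, seq: count, payload: string)
    {
    if ( |payload| > max_echo_payload )
        NOTICE([$note=Oversized_Echo_Payload, $conn=c,
                $msg=fmt("ICMP echo %s id=%d seq=%d carries %d payload bytes",
                         kind, id, seq, |payload|),
                $identifier=cat(c$id$orig_h, kind)]);
    }

event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string)
    {
    add pending[c$id$orig_h, id, seq];
    check_payload(c, "request", id, seq, payload);
    }

event icmp_echo_reply(c: connection, info: icmp_info, id: count, seq: count, payload: string)
    {
    check_payload(c, "reply", id, seq, payload);

    # When Zeek saw the request, the reply rides on the same connection and the
    # requester stays c$id$orig_h; a reply that opens a fresh connection has the
    # replier as orig_h instead, so look the request up under either endpoint.
    local requester = [c$id$orig_h, id, seq] in pending ? c$id$orig_h : c$id$resp_h;
    if ( [requester, id, seq] in pending )
        {
        delete pending[requester, id, seq];
        return;
        }

    NOTICE([$note=Unsolicited_Echo_Reply, $conn=c,
            $msg=fmt("echo reply id=%d seq=%d on %s -> %s matched no request in %s (v6=%s)",
                     id, seq, c$id$orig_h, c$id$resp_h, pairing_window, info$v6),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```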

icmp_error_message
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Zeek’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMPv6 protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

code

The ICMP code of the error message.

context

A record with specifics of the original packet that the message refers to.

See also: icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem

icmp_neighbor_advertisement
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Type

event (c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Type

event (c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor advertisement messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

router

Flag indicating the sender is a router.

solicited

Flag indicating the advertisement is in response to a solicitation.

override

Flag indicating the advertisement should override existing cache entries.

tgt

The Target Address from the soliciting message or, for unsolicited advertisements, the address whose link-layer address has changed.

options

Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect

icmp_neighbor_solicitation
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, tgt: addr, options: icmp6_nd_options)

Type

event (c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)

Type

event (c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor solicitation messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

tgt

The IP address of the target of the solicitation.

options

Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect

icmp_packet_too_big
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMPv6 packet too big messages.

See Wikipedia for more information about the ICMPv6 protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

code

The ICMP code of the packet too big message.

context

A record with specifics of the original packet that the message refers to. Packet too big messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the packet too big message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem

icmp_parameter_problem
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMPv6 parameter problem messages.

See Wikipedia for more information about the ICMPv6 protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

code

The ICMP code of the parameter problem message.

context

A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the parameter problem message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded

icmp_redirect
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)

Type

event (c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)

Type

event (c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)

Generated for ICMP redirect messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

tgt

The address that is supposed to be a better first hop to use when sending to the destination address (dest).

dest

The address of the destination which is redirected to the target.

options

Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement

icmp_router_advertisement
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Type

event (c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Type

event (c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Generated for ICMP router advertisement messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

cur_hop_limit

The default value that hosts should place in the Hop Count field of outgoing IP packets.

managed

Managed address configuration flag, RFC 4861.

other

Other stateful configuration flag, RFC 4861.

home_agent

Mobile IPv6 home agent flag, RFC 3775.

pref

Router selection preference, RFC 4191.

proxy

Neighbor Discovery proxy flag, RFC 4389.

rsv

The remaining two reserved bits of the router advertisement flags.

router_lifetime

How long this router should be used as a default router.

reachable_time

How long a neighbor should be considered reachable.

retrans_timer

How long a host should wait before retransmitting.

options

Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
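Because a Router Advertisement can change every host's default gateway on a link, the sender of each one is worth checking against the set of routers that are supposed to exist. The handler below is an added example, not Zeek's own code: it reports any advertisement with a non-zero router lifetime whose sender is not on an operator-maintained allowlist. It assumes the icmp_info prototype (the second one listed) is current; the module name, notice name and the known_routers set are assumptions.

```zeek
module RAWatch;

export {
    redef enum Notice::Type += { Unexpected_Router_Advertisement };
    ## Addresses of the routers expected to send RAs on the monitored links.
    ## Assumed to be filled in by the operator via redef; empty by default.
    const known_routers: set[addr] &redef;
}

event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count,
                                managed: bool, other: bool, home_agent: bool, pref: count,
                                proxy: bool, rsv: count, router_lifetime: interval,
                                reachable_time: interval, retrans_timer: interval,
                                options: icmp6_nd_options)
    {
    local sender = c$id$orig_h;

    if ( sender in known_routers )
        return;

    # A zero router_lifetime only withdraws the sender as a default router (RFC 4861);
    # the case worth reporting is an unknown sender offering itself with a positive one.
    if ( router_lifetime == 0sec )
        return;

    NOTICE([$note=Unexpected_Router_Advertisement, $conn=c,
            $msg=fmt("RA from %s: lifetime=%s hop_limit=%d managed=%s other=%s pref=%d nd_options=%d",
                     sender, router_lifetime, cur_hop_limit, managed, other, pref, |options|),
            # One notice per sender until the notice framework's suppression expires.
            $identifier=cat(sender)]);
    }
```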

icmp_router_solicitation
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, options: icmp6_nd_options)

Type

event (c: connection, info: icmp_info, options: icmp6_nd_options)

Type

event (c: connection, icmp: icmp_conn, options: icmp6_nd_options)

Generated for ICMP router solicitation messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

options

Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect

icmp_sent
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info)

Type

event (c: connection, info: icmp_info)

Type

event (c: connection, icmp: icmp_conn)

Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Zeek’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

See also: icmp_error_message, icmp_sent_payload

icmp_sent_payload
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, payload: string)

Type

event (c: connection, info: icmp_info, payload: string)

Type

event (c: connection, icmp: icmp_conn, payload: string)

The same as icmp_sent except containing the ICMP payload.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

payload

The payload of the ICMP message.

See also: icmp_error_message, icmp_sent

icmp_time_exceeded
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMP time exceeded messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

code

The ICMP code of the time exceeded message.

context

A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem

icmp_unreachable
Type

event (c: connection, icmp: icmp_conn &deprecated = "Remove in v4.1", info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Type

event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMP destination unreachable messages.

See Wikipedia for more information about the ICMP protocol.

c

The connection record for the corresponding ICMP flow.

icmp

Additional ICMP-specific information augmenting the standard connection record c.

info

Additional ICMP-specific information augmenting the standard connection record c.

code

The ICMP code of the unreachable message.

context

A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the unreachable message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem
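The context record is what makes the error-message events useful for monitoring: it names the original flow that provoked the error, subject to the partial-header caveat above. The handler below is an added example, not Zeek's own code, covering icmp_unreachable for both ICMPv4 and ICMPv6: it skips messages whose embedded header Zeek could not parse (the icmp_context bad_hdr_len flag), recognises the port-unreachable code for each IP version, and reports a host that accumulates many such replies inside a short window. It assumes the icmp_info prototype (the second one listed) is current; the module name, notice name, threshold and window are assumptions.

```zeek
module UnreachWatch;

export {
    redef enum Notice::Type += { Unreachable_Burst };
    ## Port-unreachable replies a single host may collect per window (assumed).
    const burst_threshold = 50 &redef;
    ## Length of the counting window (assumed).
    const burst_window = 1min &redef;
}

# Count of port-unreachable replies, keyed by the host whose packet was rejected.
global port_unreach: table[addr] of count &default=0 &create_expire=burst_window;

function is_port_unreachable(info: icmp_info, code: count): bool
    {
    # "Port unreachable" is code 3 in ICMPv4 but code 4 in ICMPv6.
    return info$v6 ? code == 4 : code == 3;
    }

event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
    {
    # Partial or inconsistent embedded IP header: context$id carries no usable
    # 4-tuple, so do not attribute this message to anyone.
    if ( context$bad_hdr_len )
        return;

    if ( ! is_port_unreachable(info, code) )
        return;

    # context$id describes the packet that triggered the error, so its orig_h is
    # the host whose probe was rejected (not c$id$orig_h, which is the error sender).
    local prober = context$id$orig_h;
    ++port_unreach[prober];

    if ( port_unreach[prober] == burst_threshold )
        NOTICE([$note=Unreachable_Burst, $src=prober,
                $msg=fmt("%s collected %d port-unreachable replies within %s (latest for %s/%s)",
                         prober, burst_threshold, burst_window,
                         context$id$resp_h, context$id$resp_p),
                $identifier=cat(prober)]);
    }
```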