Packet Analyzers

PacketAnalyzer::Tag
Type

enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_ICMP
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_TCP
PacketAnalyzer::ANALYZER_UDP
PacketAnalyzer::ANALYZER_VLAN
PacketAnalyzer::ANALYZER_VNTAG

Zeek::ARP

ARP packet analyzer

Events

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

mac_src

The request’s source MAC address.

mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

mac_src

The reply’s source MAC address.

mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

explanation

A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
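The three ARP events above can be combined into a small monitoring script. The following is an added example, not part of the Zeek documentation or the Zeek distribution; it tracks the IP-to-hardware-address binding announced by each arp_reply and reports when a later reply claims a different hardware address for the same IP, and it surfaces every bad_arp with its explanation. The module name ARPWatch, the table name bindings and the print format are this example's own choices.

```zeek
# Added example (not Zeek's own code): watch ARP bindings using the
# arp_request, arp_reply and bad_arp events. Names below are assumptions.
module ARPWatch;

export {
	## IP address -> hardware address most recently announced for it.
	global bindings: table[addr] of string;
}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
	{
	# A reply that changes an existing binding is the case worth flagging:
	# it may be a legitimate re-addressing or an inconsistent ARP view.
	if ( SPA in bindings && bindings[SPA] != SHA )
		print fmt("binding change for %s: %s -> %s (reply sent to %s, frame src %s)",
		          SPA, bindings[SPA], SHA, mac_dst, mac_src);

	bindings[SPA] = SHA;
	}

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
	{
	# A request whose sender and target protocol addresses are equal is
	# gratuitous: it announces a binding too. Record it only if the IP is
	# still unknown so that replies remain the authoritative source.
	if ( SPA == TPA && SPA !in bindings )
		bindings[SPA] = SHA;
	}

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
              explanation: string)
	{
	# Zeek already decided this packet is malformed or inconsistent;
	# surface its reason alongside the addresses involved.
	print fmt("bad ARP %s/%s -> %s/%s: %s", SPA, SHA, TPA, THA, explanation);
	}
```

Run it with `zeek -r capture.pcap arpwatch.zeek` (file name assumed) to review the reported changes offline.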

Zeek::Ethernet

Ethernet packet analyzer

Zeek::FDDI

FDDI packet analyzer

Zeek::GRE

GRE packet analyzer

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Zeek::IPTunnel

IPTunnel packet analyzer

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Zeek::MPLS

MPLS packet analyzer

Zeek::NFLog

NFLog packet analyzer

Zeek::Null

Null packet analyzer

Zeek::PPPoE

PPPoE packet analyzer

Zeek::PPPSerial

PPPSerial packet analyzer

Zeek::Root

Root packet analyzer

Zeek::Skip

Skip packet analyzer

Zeek::VLAN

VLAN packet analyzer

Zeek::VNTag

VNTag packet analyzer