Packet Analyzers

PacketAnalyzer::Tag
Type

enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_AYIYA
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GENEVE
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_GTPV1
PacketAnalyzer::ANALYZER_ICMP
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_TCP
PacketAnalyzer::ANALYZER_TEREDO
PacketAnalyzer::ANALYZER_UDP
PacketAnalyzer::ANALYZER_VLAN
PacketAnalyzer::ANALYZER_VNTAG
PacketAnalyzer::ANALYZER_VXLAN

Zeek::ARP

ARP packet analyzer

Events

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

mac_src

The request’s source MAC address.

mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

mac_src

The reply’s source MAC address.

mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

explanation

A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
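An added example, not part of the Zeek documentation, of a script built on the three ARP events above: it remembers which hardware address last claimed each protocol address (from both requests and replies), raises a notice when that binding changes, and surfaces the explanation carried by bad_arp. The ARPMon module, the notice names and the one-hour expiry are this example's own choices.

```zeek
module ARPMon;

export {
    redef enum Notice::Type += {
        ## A protocol address is now claimed by a different hardware address.
        Mapping_Changed,
        ## The ARP analyzer could not interpret a packet (see bad_arp).
        Bad_Packet,
    };

    ## Hardware address most recently seen claiming each protocol address.
    ## Entries expire so that stale bindings do not accumulate forever.
    global ip_to_mac: table[addr] of string &write_expire = 1 hr;
}

# Both requests and replies carry a sender binding (SPA -> SHA), so the same
# check applies to each. A change can be legitimate (DHCP reuse, failover),
# so this raises a notice for an analyst rather than taking any action.
function observe(SPA: addr, SHA: string)
    {
    if ( SPA == 0.0.0.0 )   # ARP probes carry an unspecified sender address
        return;

    if ( SPA in ip_to_mac && ip_to_mac[SPA] != SHA )
        NOTICE([$note=Mapping_Changed,
                $msg=fmt("%s was %s, now %s", SPA, ip_to_mac[SPA], SHA),
                $src=SPA,
                $identifier=cat(SPA, SHA)]);

    ip_to_mac[SPA] = SHA;
    }

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    observe(SPA, SHA);
    }

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    observe(SPA, SHA);
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    # The core already decided the packet is malformed; record its reason.
    NOTICE([$note=Bad_Packet,
            $msg=fmt("%s (SPA %s, SHA %s)", explanation, SPA, SHA),
            $src=SPA,
            $identifier=cat(SPA, explanation)]);
    }
```

The $identifier fields let the Notice framework's default suppression collapse repeats of the same binding change or the same malformed-packet reason into one notice.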

Zeek::AYIYA

AYIYA packet analyzer

Zeek::Ethernet

Ethernet packet analyzer

Zeek::FDDI

FDDI packet analyzer

Zeek::Geneve

Geneve packet analyzer

Events

geneve_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.

outer

The Geneve tunnel connection.

inner

The Geneve-encapsulated Ethernet packet header and transport header.

vni

The Virtual Network Identifier (VNI) carried in the Geneve header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::GRE

GRE packet analyzer

Zeek::GTPv1

GTPv1 analyzer

Events

gtpv1_message
Type

event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

gtpv1_g_pdu_packet
Type

event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

outer

The GTP outer tunnel connection.

inner_gtp

The GTP header.

inner_ip

The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_create_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

gtpv1_create_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

c

The connection over which the message is sent.

hdr

The GTPv1 header.

elements

The set of Information Elements comprising the message.

Functions

PacketAnalyzer::GTPV1::remove_gtpv1_connection
Type

function (cid: conn_id) : bool

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Zeek::IPTunnel

IPTunnel packet analyzer

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Zeek::MPLS

MPLS packet analyzer

Zeek::NFLog

NFLog packet analyzer

Zeek::Null

Null packet analyzer

Zeek::PPPoE

PPPoE packet analyzer

Zeek::PPPSerial

PPPSerial packet analyzer

Zeek::Root

Root packet analyzer

Zeek::Skip

Skip packet analyzer

Zeek::Teredo

Teredo packet analyzer

Events

teredo_packet
Type

event (outer: connection, inner: teredo_hdr)

Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.

outer

The Teredo tunnel connection.

inner

The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_authentication, teredo_origin_indication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_authentication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

outer

The Teredo tunnel connection.

inner

The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_origin_indication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_origin_indication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

outer

The Teredo tunnel connection.

inner

The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_authentication, teredo_bubble

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_bubble
Type

event (outer: connection, inner: teredo_hdr)

Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.

outer

The Teredo tunnel connection.

inner

The Teredo-encapsulated IPv6 packet header and transport header.

See also: teredo_packet, teredo_authentication, teredo_origin_indication

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Functions

PacketAnalyzer::TEREDO::remove_teredo_connection
Type

function (cid: conn_id) : bool

Zeek::VLAN

VLAN packet analyzer

Zeek::VNTag

VNTag packet analyzer

Zeek::VXLAN

VXLAN packet analyzer

Events

vxlan_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.

outer

The VXLAN tunnel connection.

inner

The VXLAN-encapsulated Ethernet packet header and transport header.

vni

VXLAN Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
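An added example, not part of the Zeek documentation, that handles vxlan_packet and geneve_packet (which share the same signature) while respecting the per-packet cost note above: it writes one log record per (tunnel connection, VNI) pair and returns immediately for every further packet on that pair, so the handler stays a set lookup in the common case. The TunnelVNI module, the log stream name and the expiry interval are this example's own choices; it relies on the standard pkt_hdr fields ip / ip6 for the inner addresses.

```zeek
module TunnelVNI;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time   &log;
        uid:       string &log;            ## outer tunnel connection
        encap:     string &log;            ## "vxlan" or "geneve"
        vni:       count  &log;
        inner_src: addr   &log &optional;  ## first inner packet seen
        inner_dst: addr   &log &optional;
    };

    ## (tunnel uid, VNI) pairs already logged. Checking membership here is
    ## the only work done for repeat packets, which keeps the handler cheap.
    global seen: set[string, count] &read_expire = 1 hr;
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="tunnel_vni"]);
    }

function note_vni(outer: connection, inner: pkt_hdr, vni: count, encap: string)
    {
    if ( [outer$uid, vni] in seen )
        return;
    add seen[outer$uid, vni];

    local rec = Info($ts=network_time(), $uid=outer$uid, $encap=encap, $vni=vni);

    # The inner header is IPv4 or IPv6; either may be absent for non-IP payloads.
    if ( inner?$ip )
        { rec$inner_src = inner$ip$src; rec$inner_dst = inner$ip$dst; }
    else if ( inner?$ip6 )
        { rec$inner_src = inner$ip6$src; rec$inner_dst = inner$ip6$dst; }

    Log::write(LOG, rec);
    }

event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
    { note_vni(outer, inner, vni, "vxlan"); }

event geneve_packet(outer: connection, inner: pkt_hdr, vni: count)
    { note_vni(outer, inner, vni, "geneve"); }
```

A VNI appearing on a tunnel endpoint where it was never seen before, or inner addresses that do not belong to that segment, is the kind of single record this produces that is worth alerting on.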