base/protocols/conn/contents.zeek
This script can be used to extract either the originator’s data or the responder’s data or both. By default nothing is extracted, and in order to actually extract data the c$extract_orig and/or the c$extract_resp variable must be set to T. One way to achieve this would be to handle the connection_established event elsewhere and set the extract_orig and extract_resp options there. However, there may be trouble with the timing due to event queue delay.
Note: This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.
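The connection_established approach described above, written out as an added example (not part of the original page or of the Zeek distribution). The module name ExtractExample, the watched_nets and watched_ports options and their values are hypothetical and constructed for illustration; that the handler in contents.zeek runs at a lower priority than this one is an assumption to check against your Zeek version.

```zeek
# Added example: selective content extraction instead of Conn::default_extract = T.
@load base/protocols/conn/contents

# Files written by contents.zeek will start with this prefix (constructed value).
redef Conn::extraction_prefix = "suspect";

module ExtractExample;  # hypothetical module name

export {
	## Responder networks whose traffic should be kept (constructed sample value).
	option watched_nets: set[subnet] = { 192.0.2.0/24 };

	## Responder ports of interest (constructed sample values).
	option watched_ports: set[port] = { 21/tcp, 23/tcp };
}

# Raised priority so the flags are set before lower-priority handlers of the
# same event look at them (assumption: contents.zeek's handler is one of those).
event connection_established(c: connection) &priority=5
	{
	if ( c$id$resp_h !in watched_nets )
		return;

	if ( c$id$resp_p !in watched_ports )
		return;

	# Keep both directions of the matching connection.
	c$extract_orig = T;
	c$extract_resp = T;
	}
```

Restricting extraction to a watched set keeps disk use bounded and avoids writing the payload of every connection to disk, which is what setting Conn::default_extract to T would do.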
- Namespace: Conn
- Imports
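Summary
Runtime Options
Conn::default_extract | If this variable is set to T, then all contents of all connections will be extracted.
Conn::extraction_prefix | The prefix given to files containing extracted connections as they are opened on disk.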
Redefinitions
|
Detailed Interface
Runtime Options
- Conn::default_extract
  If this variable is set to T, then all contents of all connections will be extracted.
- Conn::extraction_prefix
  The prefix given to files containing extracted connections as they are opened on disk.