base/protocols/quic/main.zeek
- QUIC
Implements base functionality for QUIC analysis. Generates quic.log.
- Namespace:
QUIC
- Imports:
base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/quic/consts.zeek
Summary
Runtime Options
The maximum length of the history field. |
Types
Redefinitions
|
Events
Hooks
Detailed Interface
Runtime Options
- QUIC::max_history_length
-
The maximum length of the history field.
Types
- QUIC::Info
- Type:
-
- ts:
time&log Timestamp of first QUIC packet for this entry.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- version:
string&log QUIC version as found in the first INITIAL packet from the client. This will often be “1” or “quicv2”, but see the
QUIC::version_stringstable for details.- client_initial_dcid:
string&log&optional First Destination Connection ID used by client. This is random and unpredictable, but used for packet protection by client and server.
- client_scid:
string&log&optional Client’s Source Connection ID from the first INITIAL packet.
- server_scid:
string&log&optional Server chosen Connection ID usually from server’s first INITIAL packet. This is to be used by the client in subsequent packets.
- server_name:
string&log&optional Server name extracted from SNI extension in ClientHello packet if available.
- client_protocol:
string&log&optional First protocol extracted from ALPN extension in ClientHello packet if available.
- history:
string&log&default=""&optional QUIC history.
Letters have the following meaning with client-sent letters being capitalized:
Letter
Meaning
I
INIT packet
H
HANDSHAKE packet
Z
0RTT packet
R
RETRY packet
C
CONNECTION_CLOSE packet
S
SSL Client/Server Hello
U
Unfamiliar QUIC version
- ts:
Events
- QUIC::log_quic
- Type:
event(rec:QUIC::Info)