base/init-bare.zeek

`MQTT::max_payload_size`: `count` `&redef`	The maximum payload size to allocate for the purpose of payload information in `mqtt_publish` events (and the default MQTT logs generated from that).
`Weird::sampling_duration`: `interval` `&redef`	How long a weird of a given type is allowed to keep state/counters in memory.
`Weird::sampling_global_list`: `set` `&redef`	Rate-limits weird names in the table globally instead of per connection/flow.
`Weird::sampling_rate`: `count` `&redef`	The rate-limiting sampling rate.
`Weird::sampling_threshold`: `count` `&redef`	How many weirds of a given type to tolerate before sampling begins.
`Weird::sampling_whitelist`: `set` `&redef`	Prevents rate-limiting sampling of any weirds named in the table.
`default_file_bof_buffer_size`: `count` `&redef`	Default amount of bytes that file analysis will buffer in order to use for mime type matching.
`default_file_timeout_interval`: `interval` `&redef`	Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
`ignore_checksums_nets`: `set` `&redef`	Checksums are ignored for all packets with a src address within this set of networks.
`udp_content_delivery_ports_use_resp`: `bool` `&redef`	Whether ports given in `udp_content_delivery_ports_orig` and `udp_content_delivery_ports_resp` are in terms of UDP packet’s destination port or the UDP connection’s “responder” port.
`udp_content_ports`: `set` `&redef`	Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via `udp_contents`.

Redefinable Options

`AF_Packet::block_size`: `count` `&redef`	Size of an individual block.
`AF_Packet::block_timeout`: `interval` `&redef`	Retire timeout for a single block.
`AF_Packet::buffer_size`: `count` `&redef`	Size of the ring-buffer.
`AF_Packet::checksum_validation_mode`: `AF_Packet::ChecksumMode` `&redef`	Checksum validation mode.
`AF_Packet::enable_defrag`: `bool` `&redef`	Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
`AF_Packet::enable_fanout`: `bool` `&redef`	Toggle whether to use PACKET_FANOUT.
`AF_Packet::enable_hw_timestamping`: `bool` `&redef`	Toggle whether to use hardware timestamps.
`AF_Packet::fanout_id`: `count` `&redef`	Fanout ID.
`AF_Packet::fanout_mode`: `AF_Packet::FanoutMode` `&redef`	Fanout mode.
`AF_Packet::link_type`: `count` `&redef`	Link type (default Ethernet).
`BinPAC::flowbuffer_capacity_max`: `count` `&redef`	Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.
`BinPAC::flowbuffer_capacity_min`: `count` `&redef`	The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer.
`BinPAC::flowbuffer_contract_threshold`: `count` `&redef`	The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to `BinPAC::flowbuffer_capacity_min` after parsing a full unit.
`Cluster::backend`: `Cluster::BackendTag` `&redef`	Cluster backend to use.
`Cluster::event_serializer`: `Cluster::EventSerializerTag` `&redef`	The event serializer to use by the cluster backend.
`Cluster::log_serializer`: `Cluster::LogSerializerTag` `&redef`	The log serializer to use by the backend.
`ConnKey::factory`: `ConnKey::Tag` `&redef`	The connection key factory to use for Zeek’s internal connection tracking.
`ConnThreshold::generic_packet_thresholds`: `set` `&redef`	Number of packets required to be observed on any IP-based session to trigger `conn_generic_packet_threshold_crossed`.
`DCE_RPC::max_cmd_reassembly`: `count` `&redef`	The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.
`DCE_RPC::max_frag_data`: `count` `&redef`	The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
`EventMetadata::add_missing_remote_network_timestamp`: `bool` `&redef`	By default, remote events without network timestamp metadata will yield a negative zeek:see:current_event_time during processing.
`EventMetadata::add_network_timestamp`: `bool` `&redef`	Add network timestamp metadata to all events.
`FTP::max_command_length`: `count` `&redef`	Limits the size of commands accepted by the FTP analyzer.
`HTTP::upgrade_analyzers`: `table` `&redef`	Lookup table for Upgrade analyzers.
`IP::protocol_names`: `table` `&redef` `&default` = `function`	Mapping from IP protocol identifier values to string names.
`KRB::keytab`: `string` `&redef`	Kerberos keytab file name.
`Log::default_max_field_container_elements`: `count` `&redef`	The maximum number of elements a single container field can contain when logging.
`Log::default_max_field_string_bytes`: `count` `&redef`	The maximum number of bytes that a single string field can contain when logging.
`Log::default_max_total_container_elements`: `count` `&redef`	The maximum total number of container elements a record may log.
`Log::default_max_total_string_bytes`: `count` `&redef`	The maximum total bytes a record may log for string fields.
`Log::flush_interval`: `interval` `&redef`	Default interval for flushing the write buffers of all enabled log streams.
`Log::max_log_record_size`: `count` `&redef`	Maximum size of a message that can be sent to a remote logger or logged locally.
`Log::write_buffer_size`: `count` `&redef`	Default maximum size of the log write buffer per filter/path pair.
`MIME::max_depth`: `count` `&redef`	Stop analysis of nested multipart MIME entities if this depth is reached.
`NCP::max_frame_size`: `count` `&redef`	The maximum number of bytes to allocate when parsing NCP frames.
`NFS3::return_data`: `bool` `&redef`	If true, `nfs_proc_read` and `nfs_proc_write` events return the file data that has been read/written.
`NFS3::return_data_first_only`: `bool` `&redef`	If `NFS3::return_data` is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
`NFS3::return_data_max`: `count` `&redef`	If `NFS3::return_data` is true, how much data should be returned at most.
`POP3::max_pending_commands`: `count` `&redef`	How many commands a POP3 client may have pending before Zeek forcefully removes the oldest.
`POP3::max_unknown_client_commands`: `count` `&redef`	How many invalid commands a POP3 client may use before Zeek starts raising analyzer violations.
`Pcap::bufsize`: `count` `&redef`	Number of Mbytes to provide as buffer space when capturing from live interfaces.
`Pcap::bufsize_offline_bytes`: `count` `&redef`	Number of bytes to use for buffering file read operations when reading from a PCAP file.
`Pcap::non_fd_timeout`: `interval` `&redef`	Default timeout for packet sources without file descriptors.
`Pcap::snaplen`: `count` `&redef`	Number of bytes per packet to capture from live interfaces.
`Reporter::errors_to_stderr`: `bool` `&redef`	Tunable for sending reporter error messages to STDERR.
`Reporter::info_to_stderr`: `bool` `&redef`	Tunable for sending reporter info messages to STDERR.
`Reporter::warnings_to_stderr`: `bool` `&redef`	Tunable for sending reporter warning messages to STDERR.
`SMB::max_dce_rpc_analyzers`: `count` `&redef`	Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.
`SMB::max_pending_messages`: `count` `&redef`	The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser.
`SMB::pipe_filenames`: `set` `&redef`	A set of file names used as named pipes over SMB.
`SMTP::bdat_max_line_length`: `count` `&redef`	The maximum line length within a BDAT chunk before a forceful linebreak is introduced and a weird is raised.
`SMTP::enable_rfc822_msg_file_analysis`: `bool` `&redef`	Whether to send data of individual top-level RFC822 messages in SMTP transactions to the file analysis framework.
`SSL::dtls_max_reported_version_errors`: `count` `&redef`	Maximum number of invalid version errors to report in one DTLS connection.
`SSL::dtls_max_version_errors`: `count` `&redef`	Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended.
`SSL::max_alerts_per_record`: `count` `&redef`	Maximum number of Alert messages parsed from an SSL record with content_type alert (21).
`Storage::expire_interval`: `interval` `&redef`	The interval used by the storage framework for automatic expiration of elements in all backends that don’t support it natively, or if using expiration while reading pcap files.
`Telemetry::callback_timeout`: `interval` `&redef`	Maximum amount of time for CivetWeb HTTP threads to wait for metric callbacks to complete on the IO loop.
`Telemetry::civetweb_threads`: `count` `&redef`	Number of CivetWeb threads to use.
`Threading::heartbeat_interval`: `interval` `&redef`	The heartbeat interval used by the threading framework.
`Tunnel::delay_gtp_confirmation`: `bool` `&redef`	With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing `analyzer_confirmation_info`.
`Tunnel::delay_teredo_confirmation`: `bool` `&redef`	With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a `analyzer_confirmation_info`.
`Tunnel::ip_tunnel_timeout`: `interval` `&redef`	How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
`Tunnel::max_changes_per_connection`: `count` `&redef`	The number of tunnel_changed events that will be sent for a connection.
`Tunnel::max_depth`: `count` `&redef`	The maximum depth of a tunnel to decapsulate until giving up.
`Tunnel::validate_vxlan_checksums`: `bool` `&redef`	Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation.
`UnknownProtocol::first_bytes_count`: `count` `&redef`	The number of bytes to extract from the next header and log in the first bytes field.
`UnknownProtocol::sampling_duration`: `interval` `&redef`	How long an analyzer/protocol pair is allowed to keep state/counters in in memory.
`UnknownProtocol::sampling_rate`: `count` `&redef`	The rate-limiting sampling rate.
`UnknownProtocol::sampling_threshold`: `count` `&redef`	How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.
`WebSocket::payload_chunk_size`: `count` `&redef`	The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded.
`WebSocket::use_dpd_default`: `bool` `&redef`	Whether to enable DPD on WebSocket frame payload by default.
`WebSocket::use_spicy_analyzer`: `bool` `&redef`	Whether to use the Spicy WebSocket protocol analyzer.
`allow_network_time_forward`: `bool` `&redef`	Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).
`bits_per_uid`: `count` `&redef`	Number of bits in UIDs that are generated to identify connections and files.
`cmd_line_bpf_filter`: `string` `&redef`	BPF filter the user has set via the -f command line options.
`detect_filtered_trace`: `bool` `&redef`	Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.
`digest_salt`: `string` `&redef`	This salt value is used for several message digests in Zeek.
`dns_session_timeout`: `interval` `&redef`	Time to wait before timing out a DNS request.
`dpd_buffer_size`: `count` `&redef`	Size of per-connection buffer used for dynamic protocol detection.
`dpd_ignore_ports`: `bool` `&redef`	If true, don’t consider any ports for deciding which protocol analyzer to use.
`dpd_late_match_stop`: `bool` `&redef`	If true, stops signature matching after a late match.
`dpd_match_only_beginning`: `bool` `&redef`	If true, stops signature matching if `dpd_buffer_size` has been reached.
`dpd_max_packets`: `count` `&redef`	Maximum number of per-connection packets that will be buffered for dynamic protocol detection.
`dpd_reassemble_first_packets`: `bool` `&redef`	Reassemble the beginning of all TCP connections before doing signature matching.
`exit_only_after_terminate`: `bool` `&redef`	Flag to prevent Zeek from exiting automatically when input is exhausted.
`expensive_profiling_multiple`: `count` `&redef`	Multiples of `profiling_interval` at which (more expensive) memory profiling is done (0 disables).
`frag_timeout`: `interval` `&redef`	How long to hold onto fragments for possible reassembly.
`global_hash_seed`: `string` `&redef`	Seed for hashes computed internally for probabilistic data structures.
`icmp_inactivity_timeout`: `interval` `&redef`	If an ICMP flow is inactive, time it out after this interval.
`ignore_checksums`: `bool` `&redef`	If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header.
`ignore_keep_alive_rexmit`: `bool` `&redef`	Ignore certain TCP retransmissions for `conn_stats`.
`io_poll_interval_default`: `count` `&redef`	How many rounds to go without checking IO sources with file descriptors for readiness by default.
`io_poll_interval_live`: `count` `&redef`	How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.
`likely_server_ports`: `set` `&redef`	Ports which the core considers being likely used by servers.
`log_rotate_base_time`: `string` `&redef`	Base time of log rotations in 24-hour time format (`%H:%M`), e.g.
`max_analyzer_violations`: `count` `&redef`	The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance.
`max_find_all_string_length`: `int` `&redef`	Maximum string length allowed for calls to the `find_all` and `find_all_ordered` BIFs.
`max_timer_expires`: `count` `&redef`	The maximum number of expired timers to process after processing each new packet.
`mmdb_asn_db`: `string` `&redef`	Default name of the MaxMind ASN database file:
`mmdb_city_db`: `string` `&redef`	Default name of the MaxMind City database file:
`mmdb_country_db`: `string` `&redef`	Default name of the MaxMind Country database file:
`mmdb_dir`: `string` `&redef`	The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
`mmdb_dir_fallbacks`: `vector` `&redef`	Fallback locations for MaxMind databases.
`mmdb_stale_check_interval`: `interval` `&redef`	Sets the interval for MaxMind DB file staleness checks.
`netbios_ssn_session_timeout`: `interval` `&redef`	The amount of time before a connection created by the netbios analyzer times out and is removed.
`non_analyzed_lifetime`: `interval` `&redef`	If a connection belongs to an application that we don’t analyze, time it out after this interval.
`packet_filter_default`: `bool` `&redef`	Default mode for Zeek’s user-space dynamic packet filter.
`packet_source_inactivity_timeout`: `interval` `&redef`	If a packet source does not yield packets for this amount of time, it is considered idle.
`partial_connection_ok`: `bool` `&redef`	If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
`peer_description`: `string` `&redef`	Description transmitted to remote communication peers for identification.
`pkt_profile_freq`: `double` `&redef`	Frequency associated with packet profiling.
`pkt_profile_mode`: `pkt_profile_modes` `&redef`	Output mode for packet profiling information.
`profiling_interval`: `interval` `&redef`	Update interval for profiling (0 disables).
`record_all_packets`: `bool` `&redef`	If a trace file is given with `-w`, dump all packets seen by Zeek into it.
`report_gaps_for_partial`: `bool` `&redef`	Whether we want `content_gap` for partial connections.
`rpc_timeout`: `interval` `&redef`	Time to wait before timing out an RPC request.
`running_under_test`: `bool` `&redef`	Whether Zeek is being run under test.
`sig_max_group_size`: `count` `&redef`	Maximum size of regular expression groups for signature matching.
`skip_http_data`: `bool` `&redef`	Skip HTTP data for performance considerations.
`table_expire_delay`: `interval` `&redef`	When expiring table entries, wait this amount of time before checking the next chunk of entries.
`table_expire_interval`: `interval` `&redef`	Check for expired table entries after this amount of time.
`table_incremental_step`: `count` `&redef`	When expiring/serializing table entries, don’t work on more than this many table entries at a time.
`tcp_SYN_ack_ok`: `bool` `&redef`	If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if `partial_connection_ok` is false).
`tcp_SYN_timeout`: `interval` `&redef`	Check up on the result of an initial SYN after this much time.
`tcp_attempt_delay`: `interval` `&redef`	Wait this long upon seeing an initial SYN before timing out the connection attempt.
`tcp_close_delay`: `interval` `&redef`	Upon seeing a normal connection close, flush state after this much time.
`tcp_connection_linger`: `interval` `&redef`	When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.
`tcp_content_deliver_all_orig`: `bool` `&redef`	If true, all TCP originator-side traffic is reported via `tcp_contents`.
`tcp_content_deliver_all_resp`: `bool` `&redef`	If true, all TCP responder-side traffic is reported via `tcp_contents`.
`tcp_content_delivery_ports_orig`: `table` `&redef`	Defines destination TCP ports for which the contents of the originator stream should be delivered via `tcp_contents`.
`tcp_content_delivery_ports_resp`: `table` `&redef`	Defines destination TCP ports for which the contents of the responder stream should be delivered via `tcp_contents`.
`tcp_excessive_data_without_further_acks`: `count` `&redef`	If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.
`tcp_inactivity_timeout`: `interval` `&redef`	If a TCP connection is inactive, time it out after this interval.
`tcp_match_undelivered`: `bool` `&redef`	If true, pass any undelivered to the signature engine before flushing the state.
`tcp_max_above_hole_without_any_acks`: `count` `&redef`	If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.
`tcp_max_initial_window`: `count` `&redef`	Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).
`tcp_max_old_segments`: `count` `&redef`	Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.
`tcp_partial_close_delay`: `interval` `&redef`	Generate a `connection_partial_close` event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
`tcp_reset_delay`: `interval` `&redef`	Upon seeing a RST, flush state after this much time.
`tcp_session_timer`: `interval` `&redef`	After a connection has closed, wait this long for further activity before checking whether to time out its state.
`tcp_storm_interarrival_thresh`: `interval` `&redef`	FINs/RSTs must come with this much time or less between them to be considered a “storm”.
`tcp_storm_thresh`: `count` `&redef`	Number of FINs/RSTs in a row that constitute a “storm”.
`truncate_http_URI`: `int` `&redef`	Maximum length of HTTP URIs passed to events.
`udp_content_deliver_all_orig`: `bool` `&redef`	If true, all UDP originator-side traffic is reported via `udp_contents`.
`udp_content_deliver_all_resp`: `bool` `&redef`	If true, all UDP responder-side traffic is reported via `udp_contents`.
`udp_content_delivery_ports_orig`: `table` `&redef`	Defines UDP destination ports for which the contents of the originator stream should be delivered via `udp_contents`.
`udp_content_delivery_ports_resp`: `table` `&redef`	Defines UDP destination ports for which the contents of the responder stream should be delivered via `udp_contents`.
`udp_inactivity_timeout`: `interval` `&redef`	If a UDP flow is inactive, time it out after this interval.
`unknown_ip_inactivity_timeout`: `interval` `&redef`	If a flow with an unknown IP-based protocol is inactive, time it out after this interval.
`use_conn_size_analyzer`: `bool` `&redef`	Whether to use the `ConnSize` analyzer to count the number of packets and IP-level bytes transferred by each endpoint.
`watchdog_interval`: `interval` `&redef`	Zeek’s watchdog interval.

Constants

`CONTENTS_BOTH`: `count`	Record both originator and responder contents.
`CONTENTS_NONE`: `count`	Turn off recording of contents.
`CONTENTS_ORIG`: `count`	Record originator contents.
`CONTENTS_RESP`: `count`	Record responder contents.
`DNS_ADDL`: `count`	An additional record.
`DNS_ANS`: `count`	An answer record.
`DNS_AUTH`: `count`	An authoritative record.
`DNS_PREREQUISITE`: `count`	A prerequisite record for dynamic update.
`DNS_QUERY`: `count`	A query.
`DNS_UPDATE`: `count`	A update record for dynamic update.
`ENDIAN_BIG`: `count`	Big endian.
`ENDIAN_CONFUSED`: `count`	Tried to determine endian, but failed.
`ENDIAN_LITTLE`: `count`	Little endian.
`ENDIAN_UNKNOWN`: `count`	Endian not yet determined.
`ICMP_UNREACH_ADMIN_PROHIB`: `count`	Administratively prohibited.
`ICMP_UNREACH_HOST`: `count`	Host unreachable.
`ICMP_UNREACH_NEEDFRAG`: `count`	Fragment needed.
`ICMP_UNREACH_NET`: `count`	Network unreachable.
`ICMP_UNREACH_PORT`: `count`	Port unreachable.
`ICMP_UNREACH_PROTOCOL`: `count`	Protocol unreachable.
`IPPROTO_AH`: `count`	IPv6 authentication header.
`IPPROTO_DSTOPTS`: `count`	IPv6 destination options header.
`IPPROTO_ESP`: `count`	IPv6 encapsulating security payload header.
`IPPROTO_FRAGMENT`: `count`	IPv6 fragment header.
`IPPROTO_HOPOPTS`: `count`	IPv6 hop-by-hop-options header.
`IPPROTO_ICMP`: `count`	Control message protocol.
`IPPROTO_ICMPV6`: `count`	ICMP for IPv6.
`IPPROTO_IGMP`: `count`	Group management protocol.
`IPPROTO_IP`: `count`	Dummy for IP.
`IPPROTO_IPIP`: `count`	IP encapsulation in IP.
`IPPROTO_IPV6`: `count`	IPv6 header.
`IPPROTO_MOBILITY`: `count`	IPv6 mobility header.
`IPPROTO_NONE`: `count`	IPv6 no next header.
`IPPROTO_RAW`: `count`	Raw IP packet.
`IPPROTO_ROUTING`: `count`	IPv6 routing header.
`IPPROTO_TCP`: `count`	TCP.
`IPPROTO_UDP`: `count`	User datagram protocol.
`LOGIN_STATE_AUTHENTICATE`: `count`
`LOGIN_STATE_CONFUSED`: `count`
`LOGIN_STATE_LOGGED_IN`: `count`
`LOGIN_STATE_SKIP`: `count`
`RPC_status`: `table`	Mapping of numerical RPC status codes to readable messages.
`SNMP::OBJ_COUNTER32_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_COUNTER64_TAG`: `count`	Unsigned 64-bit integer.
`SNMP::OBJ_ENDOFMIBVIEW_TAG`: `count`	A NULL value.
`SNMP::OBJ_INTEGER_TAG`: `count`	Signed 64-bit integer.
`SNMP::OBJ_IPADDRESS_TAG`: `count`	An IP address.
`SNMP::OBJ_NOSUCHINSTANCE_TAG`: `count`	A NULL value.
`SNMP::OBJ_NOSUCHOBJECT_TAG`: `count`	A NULL value.
`SNMP::OBJ_OCTETSTRING_TAG`: `count`	An octet string.
`SNMP::OBJ_OID_TAG`: `count`	An Object Identifier.
`SNMP::OBJ_OPAQUE_TAG`: `count`	An octet string.
`SNMP::OBJ_TIMETICKS_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_UNSIGNED32_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_UNSPECIFIED_TAG`: `count`	A NULL value.
`TCP_CLOSED`: `count`	Endpoint has closed connection.
`TCP_ESTABLISHED`: `count`	Endpoint has finished initial handshake regularly.
`TCP_INACTIVE`: `count`	Error string if unsuccessful.
`TCP_PARTIAL`: `count`	Endpoint has sent data but no initial SYN.
`TCP_RESET`: `count`	Endpoint has sent RST.
`TCP_SYN_ACK_SENT`: `count`	Endpoint has sent SYN/ACK.
`TCP_SYN_SENT`: `count`	Endpoint has sent SYN.
`TH_ACK`: `count`	ACK.
`TH_FIN`: `count`	FIN.
`TH_FLAGS`: `count`	Mask combining all flags.
`TH_PUSH`: `count`	PUSH.
`TH_RST`: `count`	RST.
`TH_SYN`: `count`	SYN.
`TH_URG`: `count`	URG.
`UDP_ACTIVE`: `count`	Endpoint has sent something.
`UDP_INACTIVE`: `count`	Endpoint is still inactive.
`trace_output_file`: `string`	Holds the filename of the trace file given with `-w` (empty if none).
`zeek_script_args`: `vector`	Arguments given to Zeek from the command line.

State Variables

`capture_filters`: `table` `&redef`	Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).
`direct_login_prompts`: `set` `&redef`	TODO.
`discarder_maxlen`: `count` `&redef`	Maximum length of payload passed to discarder functions.
`dns_max_queries`: `count` `&redef`	If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.
`dns_skip_addl`: `set` `&redef`	For DNS servers in these sets, omit processing the ADDL records they include in their replies.
`dns_skip_all_addl`: `bool` `&redef`	If true, all DNS ADDL records are skipped.
`dns_skip_all_auth`: `bool` `&redef`	If true, all DNS AUTH records are skipped.
`dns_skip_auth`: `set` `&redef`	For DNS servers in these sets, omit processing the AUTH records they include in their replies.
`done_with_network`: `bool`
`http_entity_data_delivery_size`: `count` `&redef`	Maximum number of HTTP entity data delivered to events.
`interfaces`: `string` `&add_func` = `add_interface` `&redef`	Network interfaces to listen on.
`login_failure_msgs`: `set` `&redef`	TODO.
`login_non_failure_msgs`: `set` `&redef`	TODO.
`login_prompts`: `set` `&redef`	TODO.
`login_success_msgs`: `set` `&redef`	TODO.
`login_timeouts`: `set` `&redef`	TODO.
`mime_segment_length`: `count` `&redef`	The length of MIME data segments delivered to handlers of `mime_segment_data`.
`mime_segment_overlap_length`: `count` `&redef`	The number of bytes of overlap between successive segments passed to `mime_segment_data`.
`pkt_profile_file`: `file` `&redef`	File where packet profiles are logged.
`profiling_file`: `file` `&redef`	Write profiling info into this file in regular intervals.
`restrict_filters`: `table` `&redef`	Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
`secondary_filters`: `table` `&redef`	Definition of “secondary filters”.
`signature_files`: `string` `&add_func` = `add_signature_file` `&redef`	Signature files to read.
`skip_authentication`: `set` `&redef`	TODO.

Types

`Analyzer::disabling_analyzer`: `hook` `&redef`	A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers.
`AnalyzerConfirmationInfo`: `record`	Generic analyzer confirmation info record.
`AnalyzerViolationInfo`: `record`	Generic analyzer violation info record.
`Backtrace`: `vector`	A representation of a Zeek script’s call stack.
`BacktraceElement`: `record`	A representation of an element in a Zeek script’s call stack.
`BrokerPeeringStats`: `record`	Broker statistics for an individual peering.
`BrokerPeeringStatsTable`: `table`
`BrokerStats`: `record`	Statistics about Broker communication.
`Cluster::Pool`: `record`	A pool used for distributing data/work among a set of cluster nodes.
`ConnStats`: `record`
`DHCP::Addrs`: `vector`	A list of addresses offered by a DHCP server.
`DHCP::ClientFQDN`: `record`	DHCP Client FQDN Option information (Option 81)
`DHCP::ClientID`: `record`	DHCP Client Identifier (Option 61)
`DHCP::Msg`: `record`	A DHCP message.
`DHCP::Options`: `record`
`DHCP::SubOpt`: `record`	DHCP Relay Agent Information Option (Option 82)
`DHCP::SubOpts`: `vector`
`DNSStats`: `record`	Statistics related to Zeek’s active use of DNS.
`EncapsulatingConnVector`: `vector`	A type alias for a vector of encapsulating “connections”, i.e.
`EventMetadata::Entry`: `record`	A event metadata entry.
`EventMetadata::ID`: `enum`	Enum type for metadata identifiers.
`EventNameCounter`: `record` `&log`	Statistics about how many times each event name is queued.
`EventNameStats`: `vector`
`EventStats`: `record`
`FileAnalysisStats`: `record`	Statistics of file analysis.
`GapStats`: `record`	Statistics about number of gaps in TCP connections.
`IPAddrAnonymization`: `enum`
`IPAddrAnonymizationClass`: `enum`
`JSON::TimestampFormat`: `enum`
`KRB::AP_Options`: `record`	AP Options.
`KRB::Encrypted_Data`: `record`
`KRB::Error_Msg`: `record`	The data from the ERROR_MSG message.
`KRB::Host_Address`: `record`	A Kerberos host address See RFC 4120.
`KRB::Host_Address_Vector`: `vector`
`KRB::KDC_Options`: `record`	KDC Options.
`KRB::KDC_Request`: `record`	The data from the AS_REQ and TGS_REQ messages.
`KRB::KDC_Response`: `record`	The data from the AS_REQ and TGS_REQ messages.
`KRB::SAFE_Msg`: `record`	The data from the SAFE message.
`KRB::Ticket`: `record`	A Kerberos ticket.
`KRB::Ticket_Vector`: `vector`
`KRB::Type_Value`: `record`	Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
`KRB::Type_Value_Vector`: `vector`
`MOUNT3::dirmntargs_t`: `record`	MOUNT mnt arguments.
`MOUNT3::info_t`: `record`	Record summarizing the general results and status of MOUNT3 request/reply pairs.
`MOUNT3::mnt_reply_t`: `record`	MOUNT lookup reply.
`MQTT::ConnectAckMsg`: `record`
`MQTT::ConnectMsg`: `record`
`MQTT::PublishMsg`: `record`
`MatcherStats`: `record`	Statistics of all regular expression matchers.
`ModbusCoils`: `vector`	A vector of boolean values that indicate the setting for a range of modbus coils.
`ModbusFileRecordRequest`: `record`
`ModbusFileRecordRequests`: `vector`
`ModbusFileRecordResponse`: `record`
`ModbusFileRecordResponses`: `vector`
`ModbusFileReference`: `record`
`ModbusFileReferences`: `vector`
`ModbusHeaders`: `record`
`ModbusRegisters`: `vector`	A vector of count values that represent 16bit modbus register values.
`NFS3::delobj_reply_t`: `record`	NFS reply for remove, rmdir.
`NFS3::direntry_t`: `record`	NFS direntry.
`NFS3::direntry_vec_t`: `vector`	Vector of NFS direntry.
`NFS3::diropargs_t`: `record`	NFS readdir arguments.
`NFS3::fattr_t`: `record`	NFS file attributes.
`NFS3::fsstat_t`: `record`	NFS fsstat.
`NFS3::info_t`: `record`	Record summarizing the general results and status of NFSv3 request/reply pairs.
`NFS3::link_reply_t`: `record`	NFS link reply.
`NFS3::linkargs_t`: `record`	NFS link arguments.
`NFS3::lookup_reply_t`: `record`	NFS lookup reply.
`NFS3::newobj_reply_t`: `record`	NFS reply for create, mkdir, and symlink.
`NFS3::read_reply_t`: `record`	NFS read reply.
`NFS3::readargs_t`: `record`	NFS read arguments.
`NFS3::readdir_reply_t`: `record`	NFS readdir reply.
`NFS3::readdirargs_t`: `record`	NFS readdir arguments.
`NFS3::readlink_reply_t`: `record`	NFS readline reply.
`NFS3::renameobj_reply_t`: `record`	NFS reply for rename.
`NFS3::renameopargs_t`: `record`	NFS rename arguments.
`NFS3::sattr_reply_t`: `record`	NFS sattr reply.
`NFS3::sattr_t`: `record`	NFS file attributes.
`NFS3::sattrargs_t`: `record`	NFS sattr arguments.
`NFS3::symlinkargs_t`: `record`	NFS symlink arguments.
`NFS3::symlinkdata_t`: `record`	NFS symlinkdata attributes.
`NFS3::wcc_attr_t`: `record`	NFS wcc attributes.
`NFS3::write_reply_t`: `record`	NFS write reply.
`NFS3::writeargs_t`: `record`	NFS write arguments.
`NTLM::AVs`: `record`
`NTLM::Authenticate`: `record`
`NTLM::Challenge`: `record`
`NTLM::Negotiate`: `record`
`NTLM::NegotiateFlags`: `record`
`NTLM::Version`: `record`
`NTP::ControlMessage`: `record`	NTP control message as defined in RFC 1119 for mode=6 This record contains the fields used by the NTP protocol for control operations.
`NTP::Message`: `record`	NTP message as defined in RFC 5905.
`NTP::Mode7Message`: `record`	NTP mode 7 message.
`NTP::StandardMessage`: `record`	NTP standard message as defined in RFC 5905 for modes 1-5 This record contains the standard fields used by the NTP protocol for standard synchronization operations.
`NetStats`: `record`	Packet capture statistics.
`PE::DOSHeader`: `record`
`PE::FileHeader`: `record`
`PE::OptionalHeader`: `record`
`PE::SectionHeader`: `record`	Record for Portable Executable (PE) section headers.
`PacketSource`: `record`	Properties of an I/O packet source being read by Zeek.
`Pcap::Interface`: `record`	The definition of a “pcap interface”.
`Pcap::Interfaces`: `set`
`Pcap::filter_state`: `enum`	The state of the compilation for a pcap filter.
`PcapFilterID`: `enum`	Enum type identifying dynamic BPF filters.
`PluginComponent`: `record`	Record containing information about a tag.
`ProcStats`: `record`	Statistics about Zeek’s process.
`RADIUS::AttributeList`: `vector`
`RADIUS::Attributes`: `table`
`RADIUS::Message`: `record`
`RDP::ClientChannelDef`: `record`	Name and flags for a single channel requested by the client.
`RDP::ClientChannelList`: `vector`	The list of channels requested by the client.
`RDP::ClientClusterData`: `record`	The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.
`RDP::ClientCoreData`: `record`
`RDP::ClientSecurityData`: `record`	The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.
`RDP::EarlyCapabilityFlags`: `record`
`ReassemblerStats`: `record`	Holds statistics for all types of reassembly.
`ReporterStats`: `record`	Statistics about reporter messages and weirds.
`SMB1::Find_First2_Request_Args`: `record`
`SMB1::Find_First2_Response_Args`: `record`
`SMB1::Header`: `record`	An SMB1 header.
`SMB1::NegotiateCapabilities`: `record`
`SMB1::NegotiateRawMode`: `record`
`SMB1::NegotiateResponse`: `record`
`SMB1::NegotiateResponseCore`: `record`
`SMB1::NegotiateResponseLANMAN`: `record`
`SMB1::NegotiateResponseNTLM`: `record`
`SMB1::NegotiateResponseSecurity`: `record`
`SMB1::SessionSetupAndXCapabilities`: `record`
`SMB1::SessionSetupAndXRequest`: `record`
`SMB1::SessionSetupAndXResponse`: `record`
`SMB1::Trans2_Args`: `record`
`SMB1::Trans2_Sec_Args`: `record`
`SMB1::Trans_Sec_Args`: `record`
`SMB2::CloseResponse`: `record`	The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
`SMB2::CompressionCapabilities`: `record`	Compression information as defined in SMB v.
`SMB2::CreateRequest`: `record`	The request sent by the client to request either creation of or access to a file.
`SMB2::CreateResponse`: `record`	The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.
`SMB2::EncryptionCapabilities`: `record`	Encryption information as defined in SMB v.
`SMB2::FileAttrs`: `record`	A series of boolean flags describing basic and extended file attributes for SMB2.
`SMB2::FileEA`: `record`	This information class is used to query or set extended attribute (EA) information for a file.
`SMB2::FileEAs`: `vector`	A vector of extended attribute (EA) information for a file.
`SMB2::Fscontrol`: `record`	A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
`SMB2::GUID`: `record`	An SMB2 globally unique identifier which identifies a file.
`SMB2::Header`: `record`	An SMB2 header.
`SMB2::NegotiateContextValue`: `record`	The context type information as defined in SMB v.
`SMB2::NegotiateContextValues`: `vector`
`SMB2::NegotiateResponse`: `record`	The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.
`SMB2::PreAuthIntegrityCapabilities`: `record`	Preauthentication information as defined in SMB v.
`SMB2::SessionSetupFlags`: `record`	A flags field that indicates additional information about the session that’s sent in the session_setup response.
`SMB2::SessionSetupRequest`: `record`	The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
`SMB2::SessionSetupResponse`: `record`	The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
`SMB2::Transform_header`: `record`	An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
`SMB2::TreeConnectResponse`: `record`	The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
`SMB::MACTimes`: `record`	MAC times for a file.
`SNMP::Binding`: `record`	The `VarBind` data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
`SNMP::Bindings`: `vector`	A `VarBindList` data structure from either RFC 1157 or RFC 3416.
`SNMP::BulkPDU`: `record`	A `BulkPDU` data structure from RFC 3416.
`SNMP::Header`: `record`	A generic SNMP header data structure that may include data from any version of SNMP.
`SNMP::HeaderV1`: `record`	The top-level message data structure of an SNMPv1 datagram, not including the PDU data.
`SNMP::HeaderV2`: `record`	The top-level message data structure of an SNMPv2 datagram, not including the PDU data.
`SNMP::HeaderV3`: `record`	The top-level message data structure of an SNMPv3 datagram, not including the PDU data.
`SNMP::ObjectValue`: `record`	A generic SNMP object value, that may include any of the valid `ObjectSyntax` values from RFC 1155 or RFC 3416.
`SNMP::PDU`: `record`	A `PDU` data structure from either RFC 1157 or RFC 3416.
`SNMP::ScopedPDU_Context`: `record`	The `ScopedPduData` data structure of an SNMPv3 datagram, not including the PDU data (i.e.
`SNMP::TrapPDU`: `record`	A `Trap-PDU` data structure from RFC 1157.
`SNMP::UserSecurityParameters`: `record`	The UserSecurityParaneters for SNMPv3 messages using the User-based Security Model.
`SOCKS::Address`: `record` `&log`	This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
`SSH::Algorithm_Prefs`: `record`	The client and server each have some preferences for the algorithms used in each direction.
`SSH::Capabilities`: `record`	This record lists the preferences of an SSH endpoint for algorithm selection.
`SSL::PSKIdentity`: `record`
`SSL::SignatureAndHashAlgorithm`: `record`
`SYN_packet`: `record`	Fields of a SYN packet.
`Storage::OperationResult`: `record`	Returned as the result of the various storage operations.
`Storage::ReturnCode`: `enum` `&redef`	Common set of statuses that can be returned by storage operations.
`TCP::Option`: `record`	A TCP Option field parsed from a TCP header.
`TCP::OptionList`: `vector`	The full list of TCP Option fields parsed from a TCP header.
`TCP::RawOption`: `record`	A Raw TCP Option field from a TCP header
`TCP::RawOptionList`: `vector`	The full list of TCP option fields in a TCP header.
`Telemetry::HistogramMetric`: `record`	Histograms returned by the `Telemetry::collect_histogram_metrics` function.
`Telemetry::HistogramMetricVector`: `vector`
`Telemetry::Metric`: `record`	Metrics returned by the `Telemetry::collect_metrics` function.
`Telemetry::MetricOpts`: `record`	Type that captures options used to create metrics.
`Telemetry::MetricVector`: `vector`
`ThreadStats`: `record`	Statistics about threads.
`TimerStats`: `record`	Statistics of timers.
`Tunnel::EncapsulatingConn`: `record` `&log`	Records the identity of an encapsulating parent of a tunneled connection.
`WebSocket::AnalyzerConfig`: `record`	Record type that is passed to `WebSocket::configure_analyzer`.
`X509::BasicConstraints`: `record` `&log`
`X509::Certificate`: `record`
`X509::Extension`: `record`
`X509::Result`: `record`	Result of an X509 certificate chain verification
`X509::SubjectAlternativeName`: `record`
`addr_set`: `set`	A set of addresses.
`addr_vec`: `vector`	A vector of addresses.
`any_vec`: `vector`	A vector of any, used by some builtin functions to store a list of varying types.
`assertion_failure`: `hook`	A hook that is invoked when an assert statement fails.
`assertion_result`: `hook`	A hook that is invoked with the result of every assert statement.
`bittorrent_benc_dir`: `table`	A table of BitTorrent “benc” values.
`bittorrent_benc_value`: `record`	BitTorrent “benc” value.
`bittorrent_peer`: `record`	A BitTorrent peer.
`bittorrent_peer_set`: `set`	A set of BitTorrent peers.
`bt_tracker_headers`: `table`	Header table type used by BitTorrent analyzer.
`call_argument`: `record`	Meta-information about a parameter to a function/event.
`call_argument_vector`: `vector`	Vector type used to capture parameters of a function/event call.
`conn_id`: `record`	A connection’s identifying 4-tuple of endpoints and ports.
`conn_id_ctx`: `record`	A record type containing the context of a conn_id instance.
`connection`: `record`	A connection.
`count_set`: `set`	A set of counts.
`dns_answer`: `record`	The general part of a DNS reply.
`dns_binds_rr`: `record`	A Private RR type BINDS record.
`dns_dnskey_rr`: `record`	A DNSSEC DNSKEY record.
`dns_ds_rr`: `record`	A DNSSEC DS record.
`dns_edns_additional`: `record`	An additional DNS EDNS record.
`dns_edns_cookie`: `record`	An DNS EDNS COOKIE (COOKIE) record.
`dns_edns_ecs`: `record`	An DNS EDNS Client Subnet (ECS) record.
`dns_edns_tcp_keepalive`: `record`	An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.
`dns_loc_rr`: `record`	A Private RR type LOC record.
`dns_mapping`: `record`
`dns_msg`: `record`	A DNS message.
`dns_naptr_rr`: `record`	A NAPTR record.
`dns_nsec3_rr`: `record`	A DNSSEC NSEC3 record.
`dns_nsec3param_rr`: `record`	A DNSSEC NSEC3PARAM record.
`dns_rrsig_rr`: `record`	A DNSSEC RRSIG record.
`dns_soa`: `record`	A DNS SOA record.
`dns_svcb_param`: `record`	A SvcParamKey with an optional SvcParamValue.
`dns_svcb_param_vec`: `vector`
`dns_svcb_rr`: `record`	A SVCB or HTTPS record.
`dns_tkey`: `record`	A DNS TKEY record.
`dns_tsig_additional`: `record`	An additional DNS TSIG record.
`double_vec`: `vector`	A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.
`endpoint`: `record`	Statistics about a `connection` endpoint.
`endpoint_stats`: `record`	Statistics about what a TCP endpoint sent.
`entropy_test_result`: `record`	Computed entropy values.
`event_metadata_vec`: `vector`	A type alias for event metadata.
`fa_file`: `record` `&redef`	File Analysis handle for a file that Zeek is analyzing.
`fa_metadata`: `record`	File Analysis metadata that’s been inferred about a particular file.
`files_tag_set`: `set`	A set of file analyzer tags.
`flow_id`: `record` `&log`	The identifying 4-tuple of a uni-directional flow.
`from_json_result`: `record`	Return type for from_json BIF.
`ftp_port`: `record`	A parsed host/port combination describing server endpoint for an upcoming data transfer.
`geo_autonomous_system`: `record` `&log`	GeoIP autonomous system information.
`geo_location`: `record` `&log`	GeoIP location information.
`gtp_access_point_name`: `string`
`gtp_cause`: `count`
`gtp_charging_characteristics`: `count`
`gtp_charging_gateway_addr`: `addr`
`gtp_charging_id`: `count`
`gtp_create_pdp_ctx_request_elements`: `record`
`gtp_create_pdp_ctx_response_elements`: `record`
`gtp_delete_pdp_ctx_request_elements`: `record`
`gtp_delete_pdp_ctx_response_elements`: `record`
`gtp_end_user_addr`: `record`
`gtp_gsn_addr`: `record`
`gtp_imsi`: `count`
`gtp_msisdn`: `string`
`gtp_nsapi`: `count`
`gtp_omc_id`: `string`
`gtp_private_extension`: `record`
`gtp_proto_config_options`: `string`
`gtp_qos_profile`: `record`
`gtp_rai`: `record`
`gtp_recovery`: `count`
`gtp_reordering_required`: `bool`
`gtp_selection_mode`: `count`
`gtp_teardown_ind`: `bool`
`gtp_teid1`: `count`
`gtp_teid_control_plane`: `count`
`gtp_tft`: `string`
`gtp_trace_reference`: `count`
`gtp_trace_type`: `count`
`gtp_trigger_id`: `string`
`gtp_update_pdp_ctx_request_elements`: `record`
`gtp_update_pdp_ctx_response_elements`: `record`
`gtpv1_hdr`: `record`	A GTPv1 (GPRS Tunneling Protocol) header.
`http_message_stat`: `record`	HTTP message statistics.
`http_stats_rec`: `record`	HTTP session statistics.
`icmp6_nd_option`: `record`	Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
`icmp6_nd_options`: `vector`	A type alias for a vector of ICMPv6 neighbor discovery message options.
`icmp6_nd_prefix_info`: `record`	Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
`icmp_context`: `record`	Packet context part of an ICMP message.
`icmp_hdr`: `record`	Values extracted from an ICMP header.
`icmp_info`: `record`	Specifics about an ICMP conversation/packet.
`id_table`: `table`	Table type used to map script-level identifiers to meta-information describing them.
`index_vec`: `vector`	A vector of counts, used by some builtin functions to store a list of indices.
`int_vec`: `vector`	A vector of integers, used by telemetry builtin functions to store histogram bounds.
`interval_set`: `set`	A set of intervals.
`ip4_hdr`: `record`	Values extracted from an IPv4 header.
`ip6_ah`: `record`	Values extracted from an IPv6 Authentication extension header.
`ip6_dstopts`: `record`	Values extracted from an IPv6 Destination options extension header.
`ip6_esp`: `record`	Values extracted from an IPv6 ESP extension header.
`ip6_ext_hdr`: `record`	A general container for a more specific IPv6 extension header.
`ip6_ext_hdr_chain`: `vector`	A type alias for a vector of IPv6 extension headers.
`ip6_fragment`: `record`	Values extracted from an IPv6 Fragment extension header.
`ip6_hdr`: `record`	Values extracted from an IPv6 header.
`ip6_hopopts`: `record`	Values extracted from an IPv6 Hop-by-Hop options extension header.
`ip6_mobility_back`: `record`	Values extracted from an IPv6 Mobility Binding Acknowledgement message.
`ip6_mobility_be`: `record`	Values extracted from an IPv6 Mobility Binding Error message.
`ip6_mobility_brr`: `record`	Values extracted from an IPv6 Mobility Binding Refresh Request message.
`ip6_mobility_bu`: `record`	Values extracted from an IPv6 Mobility Binding Update message.
`ip6_mobility_cot`: `record`	Values extracted from an IPv6 Mobility Care-of Test message.
`ip6_mobility_coti`: `record`	Values extracted from an IPv6 Mobility Care-of Test Init message.
`ip6_mobility_hdr`: `record`	Values extracted from an IPv6 Mobility header.
`ip6_mobility_hot`: `record`	Values extracted from an IPv6 Mobility Home Test message.
`ip6_mobility_hoti`: `record`	Values extracted from an IPv6 Mobility Home Test Init message.
`ip6_mobility_msg`: `record`	Values extracted from an IPv6 Mobility header’s message data.
`ip6_option`: `record`	Values extracted from an IPv6 extension header’s (e.g.
`ip6_options`: `vector`	A type alias for a vector of IPv6 options.
`ip6_routing`: `record`	Values extracted from an IPv6 Routing extension header.
`irc_join_info`: `record`	IRC join information.
`irc_join_list`: `set`	Set of IRC join information.
`l2_hdr`: `record`	Values extracted from the layer 2 header.
`mime_header_list`: `table`	A list of MIME headers.
`mime_header_rec`: `record`	A MIME header key/value pair.
`mime_match`: `record`	A structure indicating a MIME type and strength of a match against file magic signatures.
`mime_matches`: `vector`	A vector of file magic signature matches, ordered by strength of the signature, strongest first.
`pcap_packet`: `record`	Policy-level representation of a packet passed on by libpcap.
`pkt_hdr`: `record`	A packet header, consisting of an IP header and transport-layer header.
`pkt_profile_modes`: `enum`	Output modes for packet profiling information.
`plugin_component_vec`: `vector`
`pm_callit_request`: `record`	An RPC portmapper callit request.
`pm_mapping`: `record`	An RPC portmapper mapping.
`pm_mappings`: `table`	Table of RPC portmapper mappings.
`pm_port_request`: `record`	An RPC portmapper request.
`psk_identity_vec`: `vector`
`raw_pkt_hdr`: `record`	A raw packet header, consisting of L2 header and everything in `pkt_hdr`.
`record_field`: `record`	Meta-information about a record field.
`record_field_table`: `table`	Table type used to map record field declarations to meta-information describing them.
`rotate_info`: `record`
`script_id`: `record`	Meta-information about a script-level identifier.
`signature_and_hashalgorithm_vec`: `vector`	A vector of Signature and Hash Algorithms.
`signature_state`: `record`	Description of a signature match.
`string_any_file_hook`: `hook`	A hook taking a fa_file, an any, and a string.
`string_any_table`: `table`	A string-table of any.
`string_array`: `table`	An ordered array of strings.
`string_mapper`: `function`	Function mapping a string to a string.
`string_set`: `set`	A set of strings.
`string_vec`: `vector`	A vector of strings.
`subnet_set`: `set`	A set of subnets.
`subnet_vec`: `vector`	A vector of subnets.
`sw_align`: `record`	Helper type for return value of Smith-Waterman algorithm.
`sw_align_vec`: `vector`	Helper type for return value of Smith-Waterman algorithm.
`sw_params`: `record`	Parameters for the Smith-Waterman algorithm.
`sw_substring`: `record`	Helper type for return value of Smith-Waterman algorithm.
`sw_substring_vec`: `vector`	Return type for Smith-Waterman algorithm.
`table_string_of_count`: `table`	A table of counts indexed by strings.
`table_string_of_string`: `table`	A table of strings indexed by strings.
`tcp_hdr`: `record`	Values extracted from a TCP header.
`teredo_auth`: `record`	A Teredo origin indication header.
`teredo_hdr`: `record`	A Teredo packet header.
`teredo_origin`: `record`	A Teredo authentication header.
`transport_proto`: `enum`	A connection’s transport-layer protocol.
`udp_hdr`: `record`	Values extracted from a UDP header.
`var_sizes`: `table`	Table type used to map variable names to their memory allocation.
`x509_opaque_vector`: `vector`	A vector of x509 opaques.
`ConnKey::Tag`: `enum`

Hooks

Telemetry::sync: hook

Telemetry sync hook.

Functions

`add_interface`: `function`	Internal function.
`add_signature_file`: `function`	Internal function.
`discarder_check_icmp`: `function`	Function for skipping packets based on their ICMP header.
`discarder_check_ip`: `function`	Function for skipping packets based on their IP header.
`discarder_check_tcp`: `function`	Function for skipping packets based on their TCP header.
`discarder_check_udp`: `function`	Function for skipping packets based on their UDP header.
`from_json_default_key_mapper`: `function`	The default JSON key mapper function.
`max_count`: `function`	Returns maximum of two `count` values.
`max_double`: `function`	Returns maximum of two `double` values.
`max_interval`: `function`	Returns maximum of two `interval` values.
`min_count`: `function`	Returns minimum of two `count` values.
`min_double`: `function`	Returns minimum of two `double` values.
`min_interval`: `function`	Returns minimum of two `interval` values.

Detailed Interface

Runtime Options

MQTT::max_payload_size 

Type:: count
Attributes:: &redef
Default:: 100

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration 

Type:: interval
Attributes:: &redef
Default:: 10.0 mins

How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than Weird::sampling_threshold times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.

Weird::sampling_global_list 

Type:: set [string]
Attributes:: &redef
Default:: {}

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate 

Type:: count
Attributes:: &redef
Default:: 1000

The rate-limiting sampling rate. One out of every of this number of rate-limited weirds of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.

Weird::sampling_threshold 

Type:: count
Attributes:: &redef
Default:: 25

How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.

Weird::sampling_whitelist 

Type:: set [string]
Attributes:: &redef
Default:: {}

Prevents rate-limiting sampling of any weirds named in the table.

default_file_bof_buffer_size 

Type:

count

Attributes:

&redef

Default:

4096

Redefinition:

from policy/frameworks/signatures/iso-9660.zeek

=:

2048 * (16 + 1)

Default amount of bytes that file analysis will buffer in order to use for mime type matching. File analyzers attached at the time of mime type matching or later, will receive a copy of this buffer.

default_file_timeout_interval 

Type:: interval
Attributes:: &redef
Default:: 2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets 

Type:: set [subnet]
Attributes:: &redef
Default:: {}

Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.

udp_content_delivery_ports_use_resp 

Type:: bool
Attributes:: &redef
Default:: F

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports 

Type:: set [port]
Attributes:: &redef
Default:: {}

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

Redefinable Options

AF_Packet::block_size 

Type:: count
Attributes:: &redef
Default:: 32768

Size of an individual block. Needs to be a multiple of page size.

AF_Packet::block_timeout 

Type:: interval
Attributes:: &redef
Default:: 10.0 msecs

Retire timeout for a single block.

AF_Packet::buffer_size 

Type:: count
Attributes:: &redef
Default:: 134217728

Size of the ring-buffer.

AF_Packet::checksum_validation_mode 

Type:: AF_Packet::ChecksumMode
Attributes:: &redef
Default:: AF_Packet::CHECKSUM_ON

Checksum validation mode.

AF_Packet::enable_defrag 

Type:: bool
Attributes:: &redef
Default:: F

Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.

AF_Packet::enable_fanout 

Type:: bool
Attributes:: &redef
Default:: T

Toggle whether to use PACKET_FANOUT.

AF_Packet::enable_hw_timestamping 

Type:: bool
Attributes:: &redef
Default:: F

Toggle whether to use hardware timestamps.

AF_Packet::fanout_id 

Type:: count
Attributes:: &redef
Default:: 23

Fanout ID.

AF_Packet::fanout_mode 

Type:: AF_Packet::FanoutMode
Attributes:: &redef
Default:: AF_Packet::FANOUT_HASH

Fanout mode.

AF_Packet::link_type 

Type:: count
Attributes:: &redef
Default:: 1

Link type (default Ethernet).

BinPAC::flowbuffer_capacity_max 

Type:: count
Attributes:: &redef
Default:: 10485760

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min 

Type:: count
Attributes:: &redef
Default:: 512

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer is later contracted, its capacity is also reduced to this size.

BinPAC::flowbuffer_contract_threshold 

Type:: count
Attributes:: &redef
Default:: 2097152

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.

Cluster::backend 

Type:

Cluster::BackendTag

Attributes:

&redef

Default:

Cluster::CLUSTER_BACKEND_NONE

Redefinition:

from policy/frameworks/cluster/backend/broker/main.zeek

=:

``Cluster::CLUSTER_BACKEND_BROKER``

Redefinition:

from policy/frameworks/cluster/backend/zeromq/main.zeek

=:

``Cluster::CLUSTER_BACKEND_ZEROMQ``

Redefinition:

from test-all-policy.zeek

=:

``Cluster::CLUSTER_BACKEND_NONE``

Cluster backend to use. Default is the None backend.

Cluster::event_serializer 

Type:: Cluster::EventSerializerTag
Attributes:: &redef
Default:: Cluster::EVENT_SERIALIZER_BROKER_BIN_V1

The event serializer to use by the cluster backend.

This currently has no effect for backend BROKER.

Cluster::log_serializer 

Type:: Cluster::LogSerializerTag
Attributes:: &redef
Default:: Cluster::LOG_SERIALIZER_ZEEK_BIN_V1

The log serializer to use by the backend.

This currently has no effect for backend BROKER.

ConnKey::factory 

Type:

ConnKey::Tag

Attributes:

&redef

Default:

ConnKey::CONNKEY_FIVETUPLE

Redefinition:

from policy/frameworks/conn_key/vlan_fivetuple.zeek

=:

``ConnKey::CONNKEY_VLAN_FIVETUPLE``

The connection key factory to use for Zeek’s internal connection tracking. This is a ConnKey::Tag plugin component enum value, and the default is Zeek’s traditional 5-tuple-tracking based on IP/port endpoint pairs, plus transport protocol. Plugins can provide their own implementation. You’ll usually not adjust this value in isolation, but with a corresponding redef of the conn_id record to represent additional connection tuple members.

ConnThreshold::generic_packet_thresholds 

Type:: set [count]
Attributes:: &redef
Default:: {}

Number of packets required to be observed on any IP-based session to trigger conn_generic_packet_threshold_crossed. Note that the thresholds refers to the total number of packets transferred in both directions.

DCE_RPC::max_cmd_reassembly 

Type:: count
Attributes:: &redef
Default:: 20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.

DCE_RPC::max_frag_data 

Type:: count
Attributes:: &redef
Default:: 30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

EventMetadata::add_missing_remote_network_timestamp 

Type:: bool
Attributes:: &redef
Default:: F

By default, remote events without network timestamp metadata will yield a negative zeek:see:current_event_time during processing. To have the receiving Zeek node set the event’s network timestamp metadata with its current local network time, set this option to true.

This setting is only in effect if EventMetadata::add_network_timestamp is also set to true.

EventMetadata::add_network_timestamp 

Type:: bool
Attributes:: &redef
Default:: F

Add network timestamp metadata to all events.

Adding network timestamp metadata affects local and remote events. Events scheduled have a network timestamp of when the scheduled timer was supposed to expire, which might be a value before the network_time() when the event was actually dispatched.

FTP::max_command_length 

Type:: count
Attributes:: &redef
Default:: 100

Limits the size of commands accepted by the FTP analyzer. Longer commands raise a FTP_max_command_length_exceeded weird and are discarded.

HTTP::upgrade_analyzers 

Type:

table [string] of Analyzer::Tag

Attributes:

&redef

Default:

{}

Redefinition:

from base/protocols/websocket/main.zeek

+=:

websocket = Analyzer::ANALYZER_WEBSOCKET

Lookup table for Upgrade analyzers. First, a case sensitive lookup is done using the client’s Upgrade header. If no match is found, the all lower-case value is used. If there’s still no match Zeek uses dynamic protocol detection for the upgraded to protocol instead.

IP::protocol_names 

Type:

table [count] of string

Attributes:

&redef &default = function

Default:

{
   [96] = "scc-sp",
   [73] = "cphb",
   [39] = "tp++",
   [46] = "rsvp",
   [28] = "irtp",
   [9] = "igp",
   [68] = "distributed-files",
   [107] = "a/n",
   [53] = "swipe",
   [71] = "ipcu",
   [127] = "crudp",
   [52] = "i-nlsp",
   [41] = "ipv6",
   [17] = "udp",
   [105] = "scps",
   [119] = "srp",
   [81] = "vmtp",
   [88] = "eigrp",
   [111] = "ipx-in-ip",
   [29] = "iso-tp4",
   [115] = "l2tp",
   [133] = "fc",
   [95] = "micp",
   [54] = "narp",
   [90] = "sprite-rpc",
   [146] = "homa",
   [86] = "dgp",
   [1] = "icmp",
   [116] = "ddx",
   [35] = "idpr",
   [102] = "pnni",
   [135] = "mobility-header",
   [3] = "ggp",
   [114] = "zero-hop",
   [140] = "shim6",
   [44] = "ipv6-frag",
   [129] = "iplt",
   [34] = "3pc",
   [45] = "idrp",
   [14] = "emcon",
   [31] = "mfe-nsp",
   [82] = "secure-vmtp",
   [56] = "tlsp",
   [7] = "cbt",
   [66] = "rvd",
   [26] = "leaf-2",
   [128] = "sccopmce",
   [47] = "gre",
   [70] = "visa",
   [93] = "ax.25",
   [2] = "igmp",
   [132] = "sctp",
   [72] = "cpnx",
   [24] = "trunk-2",
   [69] = "sat-on",
   [99] = "private-encryption",
   [109] = "snp",
   [103] = "pim",
   [126] = "crtp",
   [104] = "aris",
   [61] = "host-protocol",
   [60] = "ipv6-opts",
   [51] = "ah",
   [37] = "ddp",
   [18] = "mux",
   [0] = "hopopt",
   [110] = "compaq-peer",
   [137] = "mpls-in-ip",
   [94] = "os",
   [19] = "dcn-meas",
   [20] = "hmp",
   [33] = "dccp",
   [75] = "pvp",
   [67] = "ippc",
   [15] = "xnet",
   [30] = "netblt",
   [77] = "sun-and",
   [64] = "sat-expak",
   [106] = "qnx",
   [91] = "larp",
   [97] = "etherip",
   [55] = "mobile",
   [21] = "prm",
   [4] = "ip-in-ip",
   [12] = "pup",
   [124] = "is-is-over-ipv4",
   [130] = "sps",
   [58] = "ipv6-icmp",
   [134] = "rsvp-e2e-ignore",
   [80] = "iso-ip",
   [76] = "br-sat-mon",
   [25] = "leaf-1",
   [142] = "rohc",
   [16] = "chaos",
   [59] = "ipv6-nonxt",
   [38] = "idpr-cmtp",
   [63] = "local-network",
   [42] = "sdrp",
   [57] = "skip",
   [78] = "wb-mon",
   [98] = "encap",
   [11] = "nvp-ii",
   [113] = "pgm",
   [108] = "ipcomp",
   [22] = "xns-idp",
   [43] = "ipv6-route",
   [143] = "ethernet",
   [136] = "udplite",
   [144] = "aggfrag",
   [40] = "il",
   [36] = "xtp",
   [6] = "tcp",
   [125] = "fire",
   [141] = "wesp",
   [8] = "egp",
   [23] = "trunk-1",
   [27] = "rdp",
   [145] = "nsh",
   [83] = "vines",
   [122] = "sm",
   [92] = "mtp",
   [10] = "bbc-rcc-mon",
   [65] = "kryptolan",
   [13] = "argus",
   [32] = "merit-inp",
   [74] = "wsn",
   [62] = "cftp",
   [101] = "ifmp",
   [89] = "ospf",
   [118] = "stp",
   [138] = "manet",
   [139] = "hip",
   [50] = "esp",
   [120] = "uti",
   [79] = "wb-expak",
   [121] = "smp",
   [48] = "dsr",
   [85] = "nsfnet-igp",
   [49] = "bna",
   [5] = "st",
   [112] = "vrrp",
   [100] = "gtmp",
   [117] = "iatp",
   [123] = "ptp",
   [131] = "pipe",
   [87] = "tcf",
   [84] = "ttp or iptm"
}

Mapping from IP protocol identifier values to string names.

KRB::keytab 

Type:: string
Attributes:: &redef
Default:: ""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

Log::default_max_field_container_elements 

Type:: count
Attributes:: &redef
Default:: 100

The maximum number of elements a single container field can contain when logging. If a container reaches this limit, the log output for the field will be truncated. Setting this to zero disables the limiting.

Log::default_max_field_string_bytes 

Type:: count
Attributes:: &redef
Default:: 4096

The maximum number of bytes that a single string field can contain when logging. If a string reaches this limit, the log output for the field will be truncated. Setting this to zero disables the limiting.

Log::default_max_total_container_elements 

Type:: count
Attributes:: &redef
Default:: 500

The maximum total number of container elements a record may log. This is the sum of all container elements logged for the record. If this limit is reached, all further containers will be logged as empty containers. If the limit is reached while processing a container, the container will be truncated in the output. Setting this to zero disables the limiting.

Log::default_max_total_string_bytes 

Type:: count
Attributes:: &redef
Default:: 256000

The maximum total bytes a record may log for string fields. This is the sum of all bytes in string fields logged for the record. If this limit is reached, all further string fields will be logged as empty strings. Any containers holding string fields will be logged as empty containers. If the limit is reached while processing a container holding string fields, the container will be truncated in the log output. Setting this to zero disables the limiting.

Log::flush_interval 

Type:: interval
Attributes:: &redef
Default:: 1.0 sec

Default interval for flushing the write buffers of all enabled log streams.

In earlier Zeek releases this was governed by Threading::heartbeat_interval. For Broker, see also Broker::log_batch_interval.

Log::max_log_record_size 

Type:: count
Attributes:: &redef
Default:: 67108864

Maximum size of a message that can be sent to a remote logger or logged locally. If this limit is met, report a log_line_too_large weird and drop the log entry. This isn’t necessarily the full size of a line that might be written to a log, but a general representation of the size as the log record is serialized for writing. The size of end result from serialization might be higher than this limit, but it prevents runaway-sized log entries from causing problems.

Log::write_buffer_size 

Type:: count
Attributes:: &redef
Default:: 1000

Default maximum size of the log write buffer per filter/path pair. If this many log writes are buffered, the writer frontend flushes its writes to its backend before flush_interval expires.

In earlier Zeek releases this was hard-coded to 1000.

MIME::max_depth 

Type:: count
Attributes:: &redef
Default:: 100

Stop analysis of nested multipart MIME entities if this depth is reached. Setting this value to 0 removes the limit.

NCP::max_frame_size 

Type:: count
Attributes:: &redef
Default:: 65536

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data 

Type:: bool
Attributes:: &redef
Default:: F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

NFS3::return_data_first_only 

Type:: bool
Attributes:: &redef
Default:: T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max 

Type:: count
Attributes:: &redef
Default:: 512

If NFS3::return_data is true, how much data should be returned at most.

POP3::max_pending_commands 

Type:: count
Attributes:: &redef
Default:: 10

How many commands a POP3 client may have pending before Zeek forcefully removes the oldest.

Setting this value to 0 removes the limit.

POP3::max_unknown_client_commands 

Type:: count
Attributes:: &redef
Default:: 10

How many invalid commands a POP3 client may use before Zeek starts raising analyzer violations.

Setting this value to 0 removes the limit.

Pcap::bufsize 

Type:: count
Attributes:: &redef
Default:: 128

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::bufsize_offline_bytes 

Type:: count
Attributes:: &redef
Default:: 131072

Number of bytes to use for buffering file read operations when reading from a PCAP file. Setting this to 0 uses operating system defaults as chosen by fopen().

Pcap::non_fd_timeout 

Type:: interval
Attributes:: &redef
Default:: 20.0 usecs

Default timeout for packet sources without file descriptors.

For libpcap based packet sources that do not provide a usable file descriptor for select(), the timeout provided to the IO loop is either zero if a packet was most recently available or else this value.

Depending on the expected packet rate per-worker and the amount of available packet buffer, raising this value can significantly reduce Zeek’s CPU usage at the cost of a small delay before processing packets. Setting this value too high may cause packet drops due to running out of available buffer space.

Increasing this value to 200usec on low-traffic Myricom based systems (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.

This is an advanced setting. Do monitor dropped packets and capture loss information when changing it.

Note

Packet sources that override GetNextTimeout() method may not respect this value.

Constants

CONTENTS_BOTH 

Type:: count
Default:: 3

Record both originator and responder contents.

CONTENTS_NONE 

Type:: count
Default:: 0

Turn off recording of contents.

CONTENTS_ORIG 

Type:: count
Default:: 1

Record originator contents.

CONTENTS_RESP 

Type:: count
Default:: 2

Record responder contents.

DNS_ADDL 

Type:: count
Default:: 3

An additional record.

DNS_ANS 

Type:: count
Default:: 1

An answer record.

DNS_AUTH 

Type:: count
Default:: 2

An authoritative record.

DNS_PREREQUISITE 

Type:: count
Default:: 4

A prerequisite record for dynamic update.

DNS_QUERY 

Type:: count
Default:: 0

A query. This shouldn’t occur, just for completeness.

DNS_UPDATE 

Type:: count
Default:: 5

A update record for dynamic update.

ENDIAN_BIG 

Type:: count
Default:: 2

Big endian.

ENDIAN_CONFUSED 

Type:: count
Default:: 3

Tried to determine endian, but failed.

ENDIAN_LITTLE 

Type:: count
Default:: 1

Little endian.

ENDIAN_UNKNOWN 

Type:: count
Default:: 0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB 

Type:: count
Default:: 13

Administratively prohibited.

ICMP_UNREACH_HOST 

Type:: count
Default:: 1

Host unreachable.

ICMP_UNREACH_NEEDFRAG 

Type:: count
Default:: 4

Fragment needed.

ICMP_UNREACH_NET 

Type:: count
Default:: 0

Network unreachable.

ICMP_UNREACH_PORT 

Type:: count
Default:: 3

Port unreachable.

ICMP_UNREACH_PROTOCOL 

Type:: count
Default:: 2

Protocol unreachable.

IPPROTO_AH 

Type:: count
Default:: 51

IPv6 authentication header.

IPPROTO_DSTOPTS 

Type:: count
Default:: 60

IPv6 destination options header.

IPPROTO_ESP 

Type:: count
Default:: 50

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT 

Type:: count
Default:: 44

IPv6 fragment header.

IPPROTO_HOPOPTS 

Type:: count
Default:: 0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP 

Type:: count
Default:: 1

Control message protocol.

IPPROTO_ICMPV6 

Type:: count
Default:: 58

ICMP for IPv6.

IPPROTO_IGMP 

Type:: count
Default:: 2

Group management protocol.

IPPROTO_IP 

Type:: count
Default:: 0

Dummy for IP.

IPPROTO_IPIP 

Type:: count
Default:: 4

IP encapsulation in IP.

IPPROTO_IPV6 

Type:: count
Default:: 41

IPv6 header.

IPPROTO_MOBILITY 

Type:: count
Default:: 135

IPv6 mobility header.

IPPROTO_NONE 

Type:: count
Default:: 59

IPv6 no next header.

IPPROTO_RAW 

Type:: count
Default:: 255

Raw IP packet.

IPPROTO_ROUTING 

Type:: count
Default:: 43

IPv6 routing header.

IPPROTO_TCP 

Type:: count
Default:: 6

TCP.

IPPROTO_UDP 

Type:: count
Default:: 17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE 

Type:: count
Default:: 0

LOGIN_STATE_CONFUSED 

Type:: count
Default:: 3

LOGIN_STATE_LOGGED_IN 

Type:: count
Default:: 1

LOGIN_STATE_SKIP 

Type:: count
Default:: 2

RPC_status 

Type:

table [rpc_status] of string

Default:

{
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_AUTH_ERROR] = "auth error",
   [RPC_SYSTEM_ERR] = "system err",
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_SUCCESS] = "ok",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_TIMEOUT] = "timeout",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_PROG_UNAVAIL] = "prog unavail"
}

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG 

Type:: count
Default:: 65

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG 

Type:: count
Default:: 70

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG 

Type:: count
Default:: 130

A NULL value.

SNMP::OBJ_INTEGER_TAG 

Type:: count
Default:: 2

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG 

Type:: count
Default:: 64

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG 

Type:: count
Default:: 129

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG 

Type:: count
Default:: 128

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG 

Type:: count
Default:: 4

An octet string.

SNMP::OBJ_OID_TAG 

Type:: count
Default:: 6

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG 

Type:: count
Default:: 68

An octet string.

SNMP::OBJ_TIMETICKS_TAG 

Type:: count
Default:: 67

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG 

Type:: count
Default:: 66

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG 

Type:: count
Default:: 5

A NULL value.

TCP_CLOSED 

Type:: count
Default:: 5

Endpoint has closed connection.

TCP_ESTABLISHED 

Type:: count
Default:: 4

Endpoint has finished initial handshake regularly.

TCP_INACTIVE 

Type:: count
Default:: 0

Error string if unsuccessful. Endpoint is still inactive.

TCP_PARTIAL 

Type:: count
Default:: 3

Endpoint has sent data but no initial SYN.

TCP_RESET 

Type:: count
Default:: 6

Endpoint has sent RST.

TCP_SYN_ACK_SENT 

Type:: count
Default:: 2

Endpoint has sent SYN/ACK.

TCP_SYN_SENT 

Type:: count
Default:: 1

Endpoint has sent SYN.

TH_ACK 

Type:: count
Default:: 16

ACK.

TH_FIN 

Type:: count
Default:: 1

FIN.

TH_FLAGS 

Type:: count
Default:: 63

Mask combining all flags.

TH_PUSH 

Type:: count
Default:: 8

PUSH.

TH_RST 

Type:: count
Default:: 4

RST.

TH_SYN 

Type:: count
Default:: 2

SYN.

TH_URG 

Type:: count
Default:: 32

URG.

UDP_ACTIVE 

Type:: count
Default:: 1

Endpoint has sent something.

UDP_INACTIVE 

Type:: count
Default:: 0

Endpoint is still inactive.

trace_output_file 

Type:: string
Default:: ""

Holds the filename of the trace file given with -w (empty if none).

State Variables

capture_filters 

Type:: table [string] of string
Attributes:: &redef
Default:: {}

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Zeek is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

direct_login_prompts 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

discarder_maxlen 

Type:: count
Attributes:: &redef
Default:: 128

Maximum length of payload passed to discarder functions.

dns_max_queries 

Type:: count
Attributes:: &redef
Default:: 25

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl 

Type:: set [addr]
Attributes:: &redef
Default:: {}

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl 

Type:

bool

Attributes:

&redef

Default:

T

Redefinition:

from policy/protocols/dns/auth-addl.zeek

=:

``F``

If true, all DNS ADDL records are skipped.

dns_skip_all_auth 

Type:

bool

Attributes:

&redef

Default:

T

Redefinition:

from policy/protocols/dns/auth-addl.zeek

=:

``F``

If true, all DNS AUTH records are skipped.

dns_skip_auth 

Type:: set [addr]
Attributes:: &redef
Default:: {}

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network 

Type:: bool
Default:: F

http_entity_data_delivery_size 

Type:: count
Attributes:: &redef
Default:: 1500

Maximum number of HTTP entity data delivered to events.

interfaces 

Type:: string
Attributes:: &add_func = add_interface &redef
Default:: ""

Network interfaces to listen on. Use redef interfaces += "eth0" to extend.

login_failure_msgs 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

login_non_failure_msgs 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

login_prompts 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

login_success_msgs 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

login_timeouts 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

mime_segment_length 

Type:: count
Attributes:: &redef
Default:: 1024

The length of MIME data segments delivered to handlers of mime_segment_data.

mime_segment_overlap_length 

Type:: count
Attributes:: &redef
Default:: 0

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file 

Type:: file
Attributes:: &redef

File where packet profiles are logged.

profiling_file 

Type:

file

Attributes:

&redef

Default:

file "prof.log" of string

Redefinition:

from policy/misc/profiling.zeek

=:

open(fmt(prof.%s, Profiling::log_suffix()))

Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.zeek.

restrict_filters 

Type:: table [string] of string
Attributes:: &redef
Default:: {}

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

secondary_filters 

Type:: table [string] of event (filter: string, pkt: pkt_hdr)
Attributes:: &redef
Default:: {}

Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.

signature_files 

Type:: string
Attributes:: &add_func = add_signature_file &redef
Default:: ""

Signature files to read. Use redef signature_files += "foo.sig" to extend. Signature files added this way will be searched relative to ZEEKPATH. Using the @load-sigs directive instead is preferred since that can search paths relative to the current script.

skip_authentication 

Type:: set [string]
Attributes:: &redef
Default:: {}

TODO.

Types

Analyzer::disabling_analyzer 

Type:: hook (c: connection, atype: AllAnalyzers::Tag, aid: count) : bool
Attributes:: &redef

A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers. Specifically, an analyzer can be prevented from being disabled by using a break statement within the hook. This hook is invoked synchronously during a disable_analyzer call.

Scripts implementing this hook should have other logic that will eventually disable the analyzer for the given connection. That is, if a script vetoes disabling an analyzer, it takes responsibility for a later call to disable_analyzer, which may be never.

Param c:: The connection
Param atype:: The type / tag of the analyzer being disabled.
Param aid:: The analyzer ID.

AnalyzerConfirmationInfo 

Type:

record

Fields:

c: connection &optional: The connection related to this confirmation, if any. This field may be set if there’s any connection related information available for this confirmation. For protocol analyzers it is guaranteed to be set, but may also be added by file analyzers as additional contextual information.

f: fa_file &optional: The file object related to this confirmation, if any.

aid: count &optional: Specific analyzer instance that can be used to reference the analyzer when using builtin functions like disable_analyzer.

Generic analyzer confirmation info record.

See also: dhcp_message

DHCP::ClientFQDN 

Type:

record

Fields:

flags: count: An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count: This field is deprecated in the standard.

rcode2: count: This field is deprecated in the standard.

domain_name: string: The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID 

Type:

record

Fields:

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61)

See also: dhcp_message

DHCP::Msg 

Type:

record

Fields:

op: count: Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count: The type of DHCP message.

xid: count: Transaction ID of a DHCP session.

secs: interval: Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr: Original IP address of the client.

yiaddr: addr: IP address assigned to the client.

siaddr: addr: IP address of the server.

giaddr: addr: IP address of the relaying gateway.

chaddr: string: Client hardware address.

sname: string &default = "" &optional: Server host name.

file_n: string &default = "" &optional: Boot file name.

A DHCP message.

See also: dhcp_message

DHCP::Options 

Type:

record

Fields:

options: index_vec &optional: The ordered list of all DHCP option numbers.

subnet_mask: addr &optional: Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional: Router addresses (option 3)

dns_servers: DHCP::Addrs &optional: DNS Server addresses (option 6)

host_name: string &optional: The Hostname of the client (option 12)

domain_name: string &optional: The DNS domain name of the client (option 15)

forwarding: bool &optional: Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional: Broadcast Address (option 28)

vendor: string &optional: Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional: NETBIOS name server list (option 44)

addr_request: addr &optional: Address requested by the client (option 50)

lease: interval &optional: Lease time offered by the server. (option 51)

serv_addr: addr &optional: Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional: DHCP Parameter Request list (option 55)

message: string &optional: Textual error message (option 56)

max_msg_size: count &optional: Maximum Message Size (option 57)

renewal_time: interval &optional: This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional: This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional: This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional: DHCP Client Identifier (Option 61)

user_class: string &optional: User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional: DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional: DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional: Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional: URL to find a proxy.pac for auto proxy config (Option 252)

time_offset: int &optional: The offset of the client’s subnet in seconds from UTC. (Option 2)

time_servers: DHCP::Addrs &optional: A list of RFC 868 time servers available to the client. (Option 4)

name_servers: DHCP::Addrs &optional: A list of IEN 116 name servers available to the client. (Option 5)

ntp_servers: DHCP::Addrs &optional: A list of IP addresses indicating NTP servers available to the client. (Option 42)

DHCP::SubOpt 

Type:

record

Fields:

code: count

value: string

DHCP Relay Agent Information Option (Option 82)

See also: dhcp_message

DHCP::SubOpts 

Type:: vector of DHCP::SubOpt

DNSStats 

Type:

record

Fields:

requests: count: Number of DNS requests made

successful: count: Number of successful DNS replies.

failed: count: Number of DNS reply failures.

pending: count: Current pending queries.

cached_hosts: count: Number of cached hosts.

cached_addresses: count: Number of cached addresses.

cached_texts: count: Number of cached text entries.

cached_total: count: Total number of cached entries.

Statistics related to Zeek’s active use of DNS. These numbers are about Zeek performing DNS queries on it’s own, not traffic being seen.

Hooks

Telemetry::sync 

Type:: hook () : bool

Telemetry sync hook.

This hook is invoked when metrics are requested via functions Telemetry::collect_metrics and Telemetry::collect_histogram_metrics, or just before Zeek collects metrics when being scraped through its Prometheus endpoint. Script writers can use it to synchronize (or mirror) metrics with the telemetry subsystem. For example, when tracking table or value footprints with gauges, the value in question can be set on an actual Telemetry::Gauge instance during execution of this hook.

Implementations should be lightweight, this hook may be called multiple times per minute.

Functions

add_interface 

Type:: function (iold: string, inew: string) : string

Internal function.

add_signature_file 

Type:: function (sold: string, snew: string) : string

Internal function.

discarder_check_icmp 

Type:: function (p: pkt_hdr) : bool

Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters:: p – The IP and ICMP headers of the considered packet.
Returns:: True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_ip 

Type:: function (p: pkt_hdr) : bool

Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters:: p – The IP header of the considered packet.
Returns:: True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_tcp 

Type:: function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters:

p – The IP and TCP headers of the considered packet.
d – Up to discarder_maxlen bytes of the TCP payload.

Returns:

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_udp 

Type:: function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters:

p – The IP and UDP headers of the considered packet.
d – Up to discarder_maxlen bytes of the UDP payload.

Returns:

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

from_json_default_key_mapper 

Type:: function (s: string) : string

The default JSON key mapper function. Identity function.

max_count 

Type:: function (a: count, b: count) : count

Returns maximum of two count values.

Parameters:

a – First value.
b – Second value.

Returns:

The maximum of a and b.

max_double 

Type:: function (a: double, b: double) : double

Returns maximum of two double values.

Parameters:

a – First value.
b – Second value.

Returns:

The maximum of a and b.

max_interval 

Type:: function (a: interval, b: interval) : interval

Returns maximum of two interval values.

Parameters:

a – First value.
b – Second value.

Returns:

The maximum of a and b.

min_count 

Type:: function (a: count, b: count) : count

Returns minimum of two count values.

Parameters:

a – First value.
b – Second value.

Returns:

The minimum of a and b.

min_double 

Type:: function (a: double, b: double) : double

Returns minimum of two double values.

Parameters:

a – First value.
b – Second value.

Returns:

The minimum of a and b.

min_interval 

Type:: function (a: interval, b: interval) : interval

Returns minimum of two interval values.

Parameters:

a – First value.
b – Second value.

Returns:

The minimum of a and b.