:tocdepth: 3 base/protocols/quic/spicy-events.zeek ===================================== Events generated by the QUIC analyzer. See :rfc:`9000`. Summary ~~~~~~~ Events ###### ========================================================================== ======================================================================= :zeek:id:`QUIC::connection_close_frame`: :zeek:type:`event` Generated for a QUIC CONNECTION_CLOSE frame. :zeek:id:`QUIC::discarded_packet`: :zeek:type:`event` Generated when a QUIC packet with fixed_bit 0 is encountered. :zeek:id:`QUIC::handshake_packet`: :zeek:type:`event` Generated for a QUIC Handshake packet. :zeek:id:`QUIC::initial_packet`: :zeek:type:`event` Generated for a QUIC Initial packet. :zeek:id:`QUIC::retry_packet`: :zeek:type:`event` Generated for a QUIC Retry packet. :zeek:id:`QUIC::short_header_packet_threshold_crossed`: :zeek:type:`event` Generated when a binary logarithmic number of QUIC packets with a short header has been observed. :zeek:id:`QUIC::unhandled_version`: :zeek:type:`event` Generated for an unrecognized QUIC version. :zeek:id:`QUIC::zero_rtt_packet`: :zeek:type:`event` Generated for a QUIC 0-RTT packet. ========================================================================== ======================================================================= Detailed Interface ~~~~~~~~~~~~~~~~~~ Events ###### .. zeek:id:: QUIC::connection_close_frame :source-code: base/protocols/quic/main.zeek 229 239 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, error_code: :zeek:type:`count`, reason_phrase: :zeek:type:`string`) Generated for a QUIC CONNECTION_CLOSE frame. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field. :param error_code: Count indicating the reason for closing this connection. :param reason_phrase: Additional diagnostic information for the closure. .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek. .. zeek:id:: QUIC::discarded_packet :source-code: base/protocols/quic/main.zeek 202 212 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, total_decrypted: :zeek:type:`count`) Generated when a QUIC packet with fixed_bit 0 is encountered. This event is only generated if some INITIAL QUIC packets were successfully decrypted previously. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param total_decrypted: The number of QUIC packets successfully decrypted previously. .. zeek:id:: QUIC::handshake_packet :source-code: base/protocols/quic/main.zeek 163 167 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`) Generated for a QUIC Handshake packet. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field. .. zeek:id:: QUIC::initial_packet :source-code: base/protocols/quic/main.zeek 157 161 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`) Generated for a QUIC Initial packet. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field. .. zeek:id:: QUIC::retry_packet :source-code: base/protocols/quic/main.zeek 176 186 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, retry_token: :zeek:type:`string`, retry_integrity_tag: :zeek:type:`string`) Generated for a QUIC Retry packet. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field. :param retry_token: The Retry Token field. :param integrity_tag: The Retry Integrity Tag field. .. zeek:id:: QUIC::short_header_packet_threshold_crossed :source-code: base/protocols/quic/main.zeek 188 200 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`) Generated when a binary logarithmic number of QUIC packets with a short header has been observed. :param c: The connection. :param is_orig: True if the threshold is for connection's originator, otherwise false. :param threshold: The threshold that has been reached. .. zeek:id:: QUIC::unhandled_version :source-code: base/protocols/quic/main.zeek 215 225 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`) Generated for an unrecognized QUIC version. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field. .. zeek:id:: QUIC::zero_rtt_packet :source-code: base/protocols/quic/main.zeek 169 173 :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`) Generated for a QUIC 0-RTT packet. :param c: The connection. :param is_orig: True if the packet is from the the connection's originator. :param version: The Version field. :param dcid: The Destination Connection ID field. :param scid: The Source Connection ID field.