base/protocols/quic/spicy-events.zeek
Events generated by the QUIC analyzer.
See RFC 9000.
Summary
Events
- QUIC::connection_close_frame: Generated for a QUIC CONNECTION_CLOSE frame.
- QUIC::discarded_packet: Generated when a QUIC packet with fixed_bit 0 is encountered.
- QUIC::handshake_packet: Generated for a QUIC Handshake packet.
- QUIC::initial_packet: Generated for a QUIC Initial packet.
- QUIC::retry_packet: Generated for a QUIC Retry packet.
- QUIC::short_header_packet_threshold_crossed: Generated when a binary logarithmic number of QUIC packets with a short header has been observed.
- QUIC::unhandled_version: Generated for an unrecognized QUIC version.
- QUIC::zero_rtt_packet: Generated for a QUIC 0-RTT packet.
Detailed Interface
Events
- QUIC::connection_close_frame
- Type:
event(c:connection, is_orig:bool, version:count, dcid:string, scid:string, error_code:count, reason_phrase:string)
Generated for a QUIC CONNECTION_CLOSE frame.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
error_code – Count indicating the reason for closing this connection.
reason_phrase – Additional diagnostic information for the closure.
Note
Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
- QUIC::discarded_packet
- Type:
event(c:connection, is_orig:bool, total_decrypted:count)
Generated when a QUIC packet with fixed_bit 0 is encountered.
This event is only generated if some INITIAL QUIC packets were successfully decrypted previously.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
total_decrypted – The number of QUIC packets successfully decrypted previously.
- QUIC::handshake_packet
-
Generated for a QUIC Handshake packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::initial_packet
-
Generated for a QUIC Initial packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::retry_packet
- Type:
event(c:connection, is_orig:bool, version:count, dcid:string, scid:string, retry_token:string, retry_integrity_tag:string)
Generated for a QUIC Retry packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
retry_token – The Retry Token field.
retry_integrity_tag – The Retry Integrity Tag field.
- QUIC::short_header_packet_threshold_crossed
- Type:
event(c:connection, is_orig:bool, threshold:count)
Generated when a binary logarithmic number of QUIC packets with a short header has been observed.
- Parameters:
c – The connection.
is_orig – True if the threshold is for the connection’s originator, otherwise false.
threshold – The threshold that has been reached.
- QUIC::unhandled_version
-
Generated for an unrecognized QUIC version.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::zero_rtt_packet
-
Generated for a QUIC 0-RTT packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
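The following script is an added example, not part of the Zeek distribution. It shows how a detection script might consume three of the events above, using the signatures listed for QUIC::retry_packet, QUIC::discarded_packet and QUIC::connection_close_frame. The module name QUICWatch, the two notice types and the saw_retry set are hypothetical names chosen for illustration.

```zeek
@load base/frameworks/notice
@load base/protocols/quic

module QUICWatch;  # hypothetical module name for this example

export {
	redef enum Notice::Type += {
		## A packet with fixed_bit 0 followed successfully decrypted Initial packets.
		Discarded_Packet,
		## A CONNECTION_CLOSE frame was visible to the analyzer.
		Visible_Connection_Close,
	};
}

# UIDs of connections on which a Retry packet was seen (example-only state).
global saw_retry: set[string] &create_expire=5min;

event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: string,
                         scid: string, retry_token: string, retry_integrity_tag: string)
	{
	add saw_retry[c$uid];
	}

event QUIC::discarded_packet(c: connection, is_orig: bool, total_decrypted: count)
	{
	NOTICE([$note=Discarded_Packet, $conn=c,
	        $msg=fmt("QUIC packet with fixed_bit 0 from %s after %d decrypted packets",
	                 is_orig ? "originator" : "responder", total_decrypted),
	        $identifier=c$uid]);
	}

event QUIC::connection_close_frame(c: connection, is_orig: bool, version: count,
                                   dcid: string, scid: string, error_code: count,
                                   reason_phrase: string)
	{
	# Only closes sent before the connection is fully encrypted reach this
	# handler; later CONNECTION_CLOSE frames are not visible to Zeek.
	NOTICE([$note=Visible_Connection_Close, $conn=c,
	        $msg=fmt("QUIC CONNECTION_CLOSE from %s: error_code=0x%x reason=\"%s\"%s",
	                 is_orig ? "originator" : "responder", error_code, reason_phrase,
	                 (c$uid in saw_retry) ? " (after Retry)" : ""),
	        $identifier=cat(c$uid, is_orig)]);
	}
```

Setting $identifier lets the notice framework suppress repeats for the same connection, so a flow that produces many discarded packets yields one notice per suppression interval.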