Packet Analyzers

PacketAnalyzer::Tag
  Type: enumeration with the following values:
  - PacketAnalyzer::ANALYZER_ARP
  - PacketAnalyzer::ANALYZER_AYIYA
  - PacketAnalyzer::ANALYZER_ETHERNET
  - PacketAnalyzer::ANALYZER_FDDI
  - PacketAnalyzer::ANALYZER_GENEVE
  - PacketAnalyzer::ANALYZER_GRE
  - PacketAnalyzer::ANALYZER_GTPV1
  - PacketAnalyzer::ANALYZER_ICMP
  - PacketAnalyzer::ANALYZER_IEEE802_11
  - PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
  - PacketAnalyzer::ANALYZER_IP
  - PacketAnalyzer::ANALYZER_IPTUNNEL
  - PacketAnalyzer::ANALYZER_LINUXSLL
  - PacketAnalyzer::ANALYZER_MPLS
  - PacketAnalyzer::ANALYZER_NFLOG
  - PacketAnalyzer::ANALYZER_NULL
  - PacketAnalyzer::ANALYZER_PPPOE
  - PacketAnalyzer::ANALYZER_PPPSERIAL
  - PacketAnalyzer::ANALYZER_ROOT
  - PacketAnalyzer::ANALYZER_SKIP
  - PacketAnalyzer::ANALYZER_TCP
  - PacketAnalyzer::ANALYZER_TEREDO
  - PacketAnalyzer::ANALYZER_UDP
  - PacketAnalyzer::ANALYZER_VLAN
  - PacketAnalyzer::ANALYZER_VNTAG
  - PacketAnalyzer::ANALYZER_VXLAN

Zeek::ARP

ARP packet analyzer

Components

Events

- arp_request
  Generated for ARP requests. See Wikipedia for more information about the ARP protocol.
  - mac_src: The request’s source MAC address.
  - mac_dst: The request’s destination MAC address.
  - SPA: The sender protocol address.
  - SHA: The sender hardware address.
  - TPA: The target protocol address.
  - THA: The target hardware address.

- arp_reply
  Generated for ARP replies. See Wikipedia for more information about the ARP protocol.
  - mac_src: The reply’s source MAC address.
  - mac_dst: The reply’s destination MAC address.
  - SPA: The sender protocol address.
  - SHA: The sender hardware address.
  - TPA: The target protocol address.
  - THA: The target hardware address.
  See also: arp_request, bad_arp

- bad_arp
  Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
  - SPA: The sender protocol address.
  - SHA: The sender hardware address.
  - TPA: The target protocol address.
  - THA: The target hardware address.
  - explanation: A short description of why the ARP packet is considered “bad”.
  See also: arp_reply, arp_request
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
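As an added illustration (not a script from the Zeek distribution or this page), a handler for arp_reply and bad_arp that learns which hardware address answers for each sender protocol address and raises a notice when that binding changes. The event signatures are Zeek’s own; the ArpWatch module, the notice name, the one-hour expiry and the use of the Notice framework are assumptions.

```zeek
# Added example, not part of the Zeek distribution: watch ARP replies for a
# protocol address that starts answering from a different hardware address.

module ArpWatch;

export {
    redef enum Notice::Type += {
        ## A sender protocol address was claimed by a second hardware address.
        Binding_Changed,
    };

    ## Assumed: learned SPA -> SHA bindings, dropped after an hour of silence
    ## so the table stays bounded on busy segments.
    global bindings: table[addr] of string &read_expire = 1hr;
}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
    {
    # First sighting of this protocol address: just learn it.
    if ( SPA !in bindings )
        {
        bindings[SPA] = SHA;
        return;
        }

    # Same binding as before: nothing to report.
    if ( bindings[SPA] == SHA )
        return;

    NOTICE([$note=Binding_Changed,
            $src=SPA,
            $msg=fmt("%s previously answered from %s, now from %s",
                     SPA, bindings[SPA], SHA),
            $sub=fmt("frame %s -> %s", mac_src, mac_dst),
            $identifier=cat(SPA, SHA)]);

    # Record the new binding so repeated replies are not re-reported.
    bindings[SPA] = SHA;
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    # Malformed or inconsistent ARP goes to reporter.log for later review.
    Reporter::info(fmt("bad ARP from %s (%s) for %s: %s",
                       SPA, SHA, TPA, explanation));
    }
```

A binding change is also what a legitimate DHCP re-lease or failover looks like, so the notice is a prompt for review rather than a verdict.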
Zeek::Geneve

Geneve packet analyzer

Components

Events

- geneve_packet
  Type: event(outer: connection, inner: pkt_hdr, vni: count)
  Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.
  - outer: The Geneve tunnel connection.
  - inner: The Geneve-encapsulated Ethernet packet header and transport header.
  - vni: Geneve Network Identifier.
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::GTPv1

GTPv1 analyzer

Components

Events

- gtpv1_message
  Type: event(c: connection, hdr: gtpv1_hdr)
  Generated for any GTP message with a GTPv1 header.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.

- gtpv1_g_pdu_packet
  Type: event(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
  Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
  - outer: The GTP outer tunnel connection.
  - inner_gtp: The GTP header.
  - inner_ip: The inner IP and transport layer packet headers.
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

- gtpv1_create_pdp_ctx_request
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)
  Generated for GTPv1-C Create PDP Context Request messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

- gtpv1_create_pdp_ctx_response
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)
  Generated for GTPv1-C Create PDP Context Response messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

- gtpv1_update_pdp_ctx_request
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)
  Generated for GTPv1-C Update PDP Context Request messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

- gtpv1_update_pdp_ctx_response
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)
  Generated for GTPv1-C Update PDP Context Response messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

- gtpv1_delete_pdp_ctx_request
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)
  Generated for GTPv1-C Delete PDP Context Request messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

- gtpv1_delete_pdp_ctx_response
  Type: event(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)
  Generated for GTPv1-C Delete PDP Context Response messages.
  - c: The connection over which the message is sent.
  - hdr: The GTPv1 header.
  - elements: The set of Information Elements comprising the message.

Zeek::Teredo

Teredo packet analyzer

Components

Events

- teredo_packet
  Type: event(outer: connection, inner: teredo_hdr)
  Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.
  - outer: The Teredo tunnel connection.
  - inner: The Teredo-encapsulated IPv6 packet header and transport header.
  See also: teredo_authentication, teredo_origin_indication, teredo_bubble
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

- teredo_authentication
  Type: event(outer: connection, inner: teredo_hdr)
  Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
  - outer: The Teredo tunnel connection.
  - inner: The Teredo-encapsulated IPv6 packet header and transport header.
  See also: teredo_packet, teredo_origin_indication, teredo_bubble
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

- teredo_origin_indication
  Type: event(outer: connection, inner: teredo_hdr)
  Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
  - outer: The Teredo tunnel connection.
  - inner: The Teredo-encapsulated IPv6 packet header and transport header.
  See also: teredo_packet, teredo_authentication, teredo_bubble
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

- teredo_bubble
  Type: event(outer: connection, inner: teredo_hdr)
  Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.
  - outer: The Teredo tunnel connection.
  - inner: The Teredo-encapsulated IPv6 packet header and transport header.
  See also: teredo_packet, teredo_authentication, teredo_origin_indication
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::VXLAN

VXLAN packet analyzer

Components

Events

- vxlan_packet
  Type: event(outer: connection, inner: pkt_hdr, vni: count)
  Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.
  - outer: The VXLAN tunnel connection.
  - inner: The VXLAN-encapsulated Ethernet packet header and transport header.
  - vni: VXLAN Network Identifier.
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
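As an added example (not from the Zeek documentation or distribution) covering both geneve_packet and vxlan_packet, a script that reports a VNI outside an allow-list, acting only on the first sighting of each (tunnel connection, VNI) pair so the per-packet handlers the notes above warn about stay cheap. The event signatures and the pkt_hdr fields are Zeek’s own; the TunnelVNI module, the expected_vnis allow-list and the notice type are assumptions.

```zeek
# Added example, not part of the Zeek distribution: flag VNIs outside an
# assumed allow-list, examining each (tunnel, VNI) pair only once.

module TunnelVNI;

export {
    redef enum Notice::Type += {
        ## A VNI not on the expected list was observed in a tunnel.
        Unexpected_VNI,
    };

    ## Assumed allow-list of VNIs for this environment.
    option expected_vnis: set[count] = { 100, 200 };
}

## (outer connection uid, VNI) pairs already examined; entries expire after
## an hour without traffic so the set stays bounded.
global seen: set[string, count] &read_expire = 1hr;

function check_vni(outer: connection, inner: pkt_hdr, vni: count, proto: string)
    {
    local uid = outer$uid;
    # Fast path: most packets repeat a pair already examined.
    if ( [uid, vni] in seen )
        return;

    add seen[uid, vni];
    if ( vni in expected_vnis )
        return;

    # The inner header carries IPv4 or IPv6; report whichever is present.
    local inner_src = inner?$ip ? cat(inner$ip$src) :
                      (inner?$ip6 ? cat(inner$ip6$src) : "unknown");

    NOTICE([$note=Unexpected_VNI,
            $conn=outer,
            $msg=fmt("%s tunnel %s carries unexpected VNI %d (inner src %s)",
                     proto, uid, vni, inner_src),
            $identifier=cat(uid, vni)]);
    }

event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    check_vni(outer, inner, vni, "VXLAN");
    }

event geneve_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    check_vni(outer, inner, vni, "Geneve");
    }
```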