Packet Analyzers

PacketAnalyzer::Tag
- Type
- PacketAnalyzer::ANALYZER_ARP
- PacketAnalyzer::ANALYZER_ETHERNET
- PacketAnalyzer::ANALYZER_FDDI
- PacketAnalyzer::ANALYZER_GRE
- PacketAnalyzer::ANALYZER_ICMP
- PacketAnalyzer::ANALYZER_IEEE802_11
- PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
- PacketAnalyzer::ANALYZER_IP
- PacketAnalyzer::ANALYZER_IPTUNNEL
- PacketAnalyzer::ANALYZER_LINUXSLL
- PacketAnalyzer::ANALYZER_MPLS
- PacketAnalyzer::ANALYZER_NFLOG
- PacketAnalyzer::ANALYZER_NULL
- PacketAnalyzer::ANALYZER_PPPOE
- PacketAnalyzer::ANALYZER_PPPSERIAL
- PacketAnalyzer::ANALYZER_ROOT
- PacketAnalyzer::ANALYZER_SKIP
- PacketAnalyzer::ANALYZER_TCP
- PacketAnalyzer::ANALYZER_UDP
- PacketAnalyzer::ANALYZER_VLAN
- PacketAnalyzer::ANALYZER_VNTAG

Zeek::ARP
ARP packet analyzer
Components
Events

arp_request
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
- Mac_src
The request’s source MAC address.
- Mac_dst
The request’s destination MAC address.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.

arp_reply
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
- Mac_src
The reply’s source MAC address.
- Mac_dst
The reply’s destination MAC address.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.
See also: arp_request, bad_arp

bad_arp
Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
- SPA
The sender protocol address.
- SHA
The sender hardware address.
- TPA
The target protocol address.
- THA
The target hardware address.
- Explanation
A short description of why the ARP packet is considered “bad”.
See also: arp_reply, arp_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.