[Zeek] Extract IP Header Options
Jon Siwek
jsiwek at corelight.com
Thu Apr 4 16:19:02 PDT 2019
On Thu, Apr 4, 2019 at 1:48 PM Justin Mullins <shadowx787 at gmail.com> wrote:
> I was wondering is there an existing way in Zeek to log IP Header Options?
Doesn't look like it, but you can try hacking it in. For example, add
the Options data as a field to the ip4_hdr record:
https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/scripts/base/init-bare.bro#L1515-L1524
Add code to populate it here:
https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/src/IP.cc#L311-L322
Then consume the data via a new_packet event handler:
https://docs.zeek.org/en/latest/scripts/base/bif/event.bif.bro.html#id-new_packet
- Jon
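
An added example, not part of the message above and not Zeek's own code: a stand-alone C++ sketch of the parsing that the "populate" step needs, walking the options area of a raw IPv4 header with bounds checks on the IHL and on every option length. The names `Ip4Option`, `parse_ip4_options` and `kSampleHdr` are hypothetical, and wiring the result into the `ip4_hdr` record is left out.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Ip4Option {
    uint8_t type;               // full option-type octet
    std::vector<uint8_t> data;  // bytes after the type and length octets
};

// Hypothetical helper (not Zeek API): walk the options area of a raw IPv4 header.
// Returns false on a truncated or malformed header; options parsed before the
// error stay in `out`.
bool parse_ip4_options(const uint8_t* pkt, size_t caplen, std::vector<Ip4Option>& out) {
    out.clear();
    if (pkt == nullptr || caplen < 20 || (pkt[0] >> 4) != 4) return false;
    size_t hdr_len = static_cast<size_t>(pkt[0] & 0x0f) * 4;  // IHL counts 32-bit words
    if (hdr_len < 20 || hdr_len > caplen) return false;
    size_t i = 20;  // options start after the fixed 20-byte header
    while (i < hdr_len) {
        uint8_t type = pkt[i];
        if (type == 0) break;  // End of Option List: the rest is padding
        if (type == 1) {       // No-Operation: single octet, no length field
            out.push_back(Ip4Option{type, {}});
            ++i;
            continue;
        }
        if (i + 1 >= hdr_len) return false;  // no room for the length octet
        size_t len = pkt[i + 1];             // counts type + length + data
        if (len < 2 || i + len > hdr_len) return false;
        out.push_back(Ip4Option{type, std::vector<uint8_t>(pkt + i + 2, pkt + i + len)});
        i += len;
    }
    return true;
}

// Constructed sample (checksum left zero): IHL=7, NOP, Router Alert (0x94), EOL, pad.
static const uint8_t kSampleHdr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2,
    0x01, 0x94, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00};

int main() {
    std::vector<Ip4Option> opts;
    bool ok = parse_ip4_options(kSampleHdr, sizeof(kSampleHdr), opts);
    for (const Ip4Option& o : opts)
        std::printf("type=0x%02x data_len=%zu\n", o.type, o.data.size());
    return ok ? 0 : 1;
}
```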