[Zeek] Problem with ARP bro analyzer

Michael Gez mgezz66 at gmail.com
Tue Aug 20 07:32:49 PDT 2019


Hi all,

I've been making use of this script I found online to generate ARP logs:

https://gist.github.com/grigorescu/a28b814a8fb626e2a7b4715d278198aa


As I've been testing the script, I noticed sometimes the PCAPs have lines
that the script can't process, and I get these lines as output:

1550819487.247128 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])
1550819487.247129 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])
1550819487.750980 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])
1550819487.750981 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])
1550819489.150965 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])
1550819489.150966 expression error in
/usr/local/zeek/share/zeek/base/protocols/arp/./arp_main.zeek, line 206: no
such index (ARP::arp_states[ARP::THA])


This is an example packet that causes this type of behavior:
https://packettotal.com/app/analysis?id=ccdd36227128010cf7e85f6a452fabbd

If anyone has any idea how to correct this behavior, any help would be
appreciated.

Thank you.
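
The reporter message above means the script indexed ARP::arp_states with a THA value that had no entry in the table. The following is an added example, not part of the original post and not code from the gist or from arp_main.zeek: it shows the same failure mode and the usual membership guard. The module, record, table and function names are all hypothetical.

```zeek
# Added example. ARPDemo, State, states and both functions are hypothetical
# names; none of this is taken from the gist or from arp_main.zeek.
module ARPDemo;

type State: record {
	mac:     string;
	replies: count &default=0;
};

# Per-host state, keyed by target hardware address (THA) as a string.
# The table has no &default, so a missing key is a runtime error.
global states: table[string] of State;

# Unguarded lookup: if tha was never inserted, Zeek reports
# "no such index" for states[tha] and stops running this handler.
function on_reply_unguarded(tha: string)
	{
	states[tha]$replies += 1;
	}

# Guarded lookup: test membership first and create the entry when it
# is missing, so a packet for an unseen THA is still accounted for.
function on_reply_guarded(tha: string, mac: string)
	{
	if ( tha !in states )
		states[tha] = State($mac=mac);

	states[tha]$replies += 1;
	}

event zeek_init()
	{
	# Constructed sample value, not from the poster's PCAP.
	on_reply_guarded("00:11:22:33:44:55", "00:11:22:33:44:55");
	print states["00:11:22:33:44:55"]$replies;
	}
```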