[Zeek] Absolute ack and seq number of tcp packet
Jon Siwek
jsiwek at corelight.com
Mon Dec 2 10:26:56 PST 2019
On Thu, Nov 28, 2019 at 11:38 AM Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:
> In the tcp_packet event, how can I obtain the absolute values (found in the tcp header), not the relative values of ack and seq numbers.
The `get_current_packet_header()` BIF likely works for you:
https://docs.zeek.org/en/stable/scripts/base/bif/zeek.bif.zeek.html#id-get_current_packet_header
Or else the `raw_packet` event is also something that uses the
`raw_pkt_hdr` type which should have the absolute sequence numbers.
- Jon
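As an added example (not part of Jon's reply or of Zeek's own script library), the following script takes both routes he mentions: inside `tcp_packet` it calls `get_current_packet_header()` and reads the raw header, and it also handles `raw_packet` directly. It assumes the `raw_pkt_hdr` and `tcp_hdr` record layouts from Zeek's `init-bare.zeek` (the `tcp` field being `&optional`, and `seq`/`ack` holding the header values as counts); the `Trace` module name and the log messages are my own.

```zeek
# Added example: print the relative sequence number Zeek hands to
# tcp_packet next to the absolute seq/ack numbers found in the TCP header.
module Trace;

# Assumed helper (not a Zeek BIF): format one header for a log line.
function fmt_tcp(hdr: raw_pkt_hdr): string
	{
	# The tcp field is &optional, so guard it before dereferencing.
	if ( ! hdr?$tcp )
		return "<no tcp header>";

	return fmt("sport=%s dport=%s abs_seq=%d abs_ack=%d flags=%d",
	           hdr$tcp$sport, hdr$tcp$dport,
	           hdr$tcp$seq, hdr$tcp$ack, hdr$tcp$flags);
	}

# Route 1: tcp_packet gives relative numbers; get_current_packet_header()
# returns the raw header of the packet currently being processed.
event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, len: count, payload: string)
	{
	local hdr = get_current_packet_header();

	print fmt("%s %s rel_seq=%d len=%d | %s",
	          c$uid, is_orig ? "orig" : "resp",
	          seq, len, fmt_tcp(hdr));
	}

# Route 2: raw_packet is generated for every packet and carries the
# same raw_pkt_hdr record, so the absolute numbers are available here too.
event raw_packet(p: raw_pkt_hdr)
	{
	if ( p?$tcp )
		print fmt("raw_packet: %s", fmt_tcp(p));
	}
```

Run it against a capture with `zeek -r some.pcap trace.zeek`; the `tcp_packet` line shows the relative number and the absolute one side by side, which is what you want when correlating Zeek output with the same packets in another tool. Both events fire per packet and are expensive, so keep a script like this for targeted investigation rather than production monitoring.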