[Zeek] Extracting packets from a particular connection

Johanna Amann johanna at icir.org
Thu Jun 20 10:21:32 PDT 2019


Hi,

a bit late, but...

> I was hoping to understand how Zeek aggregates packets by connection. Is
> there any documentation that summarizes the approach? Is there a way to
> extract all the packets that correspond to a particular connection?

I don't think there is much documentation sadly. Basically - Zeek
identifies connections by 5-tuple and passes the packets on to the
TCP/UDP/ICMP protocol parsers for a specific connection. Connections are
timed out after a time amount that depends on the protocol, port, and
phase of connection establishment.

The set_record_packets bif can be used to write the packets of a
connection to a file (however that code has not seen a lot of testing
recently - it should work, but I don't really want to guarantee it).

Johanna
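A small script illustrating the set_record_packets approach described above (an added example, not code from the original post or from the Zeek project): when run with `-w`, it keeps recording only the packets of one connection identified by its 5-tuple and switches recording off for every other connection. The target addresses and ports are constructed placeholders, and it assumes the default `-w` behaviour of writing packets that belong to tracked connections.

```zeek
# Added example, not part of the original mailing-list post.
# Usage: zeek -r input.pcap -w extracted.pcap extract_conn.zeek
# Only packets of the connection matching the placeholder 5-tuple below
# end up in extracted.pcap; all other connections have recording disabled.

module ExtractConn;

export {
	## Placeholder 5-tuple of the connection to extract (constructed values).
	const target_orig_h: addr = 10.0.0.5 &redef;
	const target_orig_p: port = 51234/tcp &redef;
	const target_resp_h: addr = 192.0.2.10 &redef;
	const target_resp_p: port = 443/tcp &redef;
}

# True if the connection id matches the target 5-tuple exactly
# (transport protocol is implied by the port type, e.g. /tcp).
function is_target(id: conn_id): bool
	{
	return id$orig_h == target_orig_h && id$orig_p == target_orig_p &&
	       id$resp_h == target_resp_h && id$resp_p == target_resp_p;
	}

# new_connection fires on the first packet Zeek attributes to a connection,
# so this is the earliest point at which the per-connection recording flag
# can be set; the decision then applies for the rest of that connection.
event new_connection(c: connection)
	{
	local keep = is_target(c$id);
	set_record_packets(c$id, keep);

	if ( keep )
		print fmt("recording packets of %s:%s -> %s:%s",
		          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}
```

Because recording is decided per connection, packets Zeek does not attribute to any connection are unaffected by this script and may still appear in the `-w` output.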

