[Zeek] Help with zeek script
Johanna Amann
johanna at icir.org
Thu Jun 20 10:27:23 PDT 2019
Hi,
also a bit late, but...
> I am working on a Zeek script and would like to understand how can I make
> Zeek look only for the first ten packets in a tcp session.
At the moment - there sadly probably is no better approach than what you
already found in script-land - we don't offer any specialized event to
only get notified for the first x packets.
A more complicated alternative is to write a C++-level analyzer - which could drop out
after a set number of packets.
Johanna
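
One script-level way to limit handling to the first ten packets of a TCP connection, as an added example that is not part of the original message and not necessarily the approach the original poster had found. The module name, the `max_packets` option and the `first_pkts_seen` field are assumptions made for illustration.

```zeek
module FirstPackets;

export {
	## Number of packets per TCP connection to inspect
	## (assumed option; ten as in the question).
	const max_packets: count = 10 &redef;
}

# Hypothetical per-connection counter. It lives on the connection record,
# so it is freed together with the connection state.
redef record connection += {
	first_pkts_seen: count &default=0;
};

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# Zeek still raises this event for every TCP packet; returning early
	# only skips the script's own work once the limit is reached.
	if ( c$first_pkts_seen >= max_packets )
		return;

	++c$first_pkts_seen;

	# Replace with the real per-packet logic.
	print fmt("%s pkt %d orig=%s flags=%s len=%d",
	          c$uid, c$first_pkts_seen, is_orig, flags, len);
	}
```

Because `tcp_packet` is generated for every packet regardless of the early return, the per-packet event cost remains, which is why the message points to a C++-level analyzer as the alternative.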