[Zeek] Zeek script to look for first few packets

Manju Lalwani manju.atri87 at gmail.com
Fri May 3 09:38:09 PDT 2019


How can I make Zeek look at only the first ten packets in a TCP session?
The first ten packets are enough to fingerprint the traffic I am trying to
identify, so I would like to ensure my script looks at only the first 10
packets to save processing time.

Also, the communication can be identified based on 7 packets immediately
following the TCP handshake and uses a custom service not categorised by
Zeek. The tcp_packet event has been the closest match for my script. Is there
any Zeek event that would be a better match for this communication?

Thanks in advance,
Manju
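One way to bound the work to the first N payload-bearing packets of each connection, as an added example that is not from the original post: the count is stored in a field added to Zeek's `connection` record, and the `tcp_packet` handler returns early once the limit is reached. `FirstPackets`, `max_pkts`, `fp_pkts` and `fp_done` are names chosen here, and the `print` stands in for the poster's own fingerprint logic.

```zeek
# Added example, not the poster's script: inspect only the first
# max_pkts payload-bearing TCP packets of every connection.

module FirstPackets;

export {
    ## Packets to inspect per connection after the handshake
    ## (assumed value, matching the poster's "first ten").
    const max_pkts = 10 &redef;
}

# Per-connection state, freed together with the connection itself.
redef record connection += {
    fp_pkts: count &default=0;
    fp_done: bool &default=F;
};

# tcp_packet fires for every TCP packet once a handler exists, so the
# handler must bail out cheaply for connections already processed.
event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
{
    if ( c$fp_done )
        return;

    # Handshake segments (SYN, SYN/ACK, ACK) and pure ACKs carry no
    # payload; counting only len > 0 skips them.
    if ( len == 0 )
        return;

    ++c$fp_pkts;

    # Placeholder for the fingerprinting logic on this packet.
    print fmt("%s pkt %d %s len=%d flags=%s",
              c$uid, c$fp_pkts, is_orig ? "orig" : "resp", len, flags);

    if ( c$fp_pkts >= max_pkts )
        c$fp_done = T;
}
```

Keeping the counter in the `connection` record rather than a global table means it is discarded when Zeek removes the connection state, so long-running captures do not accumulate per-flow entries.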