[Zeek] Zeek script to look for first few packets
Manju Lalwani
manju.atri87 at gmail.com
Fri May 3 09:38:09 PDT 2019
How can I make Zeek look for the first ten packets only in a TCP session?
The first ten packets are enough to fingerprint the traffic I am trying to
identify, so I would like to ensure my script looks at only the first 10
packets to save processing time.
Also, the communication can be identified based on the 7 packets immediately
following the TCP handshake, and it uses a custom service not categorised by
Zeek. The tcp_packet event has been the closest match for my script. Is there
any Zeek event that can be a better match for this communication?
Thanks in advance,
Manju
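
The approach described in the question (a `tcp_packet` handler limited to the first ten packets of each connection), sketched as an added example that is not part of the original message. The module name `FirstPackets`, the field `first_pkts_seen`, the constant `max_packets` and the hook `inspect` are hypothetical names chosen for illustration.

```zeek
# Added example, not code from the original post.
module FirstPackets;

export {
	# 3 handshake packets plus the 7 packets that follow (figures from the post).
	const max_packets: count = 10 &redef;

	# Hypothetical hook: fingerprinting logic attaches here and receives
	# only the first max_packets packets of each TCP connection.
	global inspect: hook(c: connection, n: count, is_orig: bool,
	                     flags: string, len: count, payload: string);
}

# Keep the counter on the connection record so it is released together
# with the connection and no separate table needs expiring.
redef record connection += {
	first_pkts_seen: count &default=0;
};

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# Early exit once the per-connection budget is used up.
	if ( c$first_pkts_seen >= max_packets )
		return;

	c$first_pkts_seen += 1;
	hook inspect(c, c$first_pkts_seen, is_orig, flags, len, payload);
	}

# Constructed handler: prints what the fingerprinting code would see.
hook inspect(c: connection, n: count, is_orig: bool,
             flags: string, len: count, payload: string)
	{
	print fmt("%s pkt %d %s flags=%s len=%d",
	          c$uid, n, is_orig ? "orig" : "resp", flags, len);
	}
```

Zeek still raises `tcp_packet` for every TCP packet it sees; the early return only keeps the script-side work per connection bounded.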