[Zeek] Adding connection data to the SSL log
Johanna Amann
johanna at corelight.com
Fri Jan 31 15:50:43 PST 2020
Hi Virgil,
On 31 Jan 2020, at 8:15, Virgil wrote:
> Thank you kindly, this is very helpful, and the context is helpful
> too.
>
> Does there exist a reference document that would show the timing
> and/or order of what's happening internally in Zeek as traffic is
> processed? Using this example, something that might show the timing of
> when the SSL log is written and the preceding and following internal
> events?

Nothing that I know of. You can kind of figure such things out by
loading the misc/dump-events script. That script dumps out the events
that are processed in the order that they are processed. If you use that
with a fairly minimal pcap file, it is not too hard to figure out what
is going on.

In addition to that, for use-cases that are a bit outside of the norm,
you might always still have to look at what exactly the base script for
the protocol that you are interested in is doing.

Johanna