[Zeek] Is it possible to inspect TCP reserved bits with Zeek?
Jon Siwek
jsiwek at corelight.com
Tue Mar 24 10:57:26 PDT 2020
On Mon, Mar 23, 2020 at 3:11 PM Tomek Koziak <ttomek.koziak at gmail.com> wrote:
> Is it possible to inspect TCP reserved bits with Zeek events? If not, is there any other possible way to detect whether those bits were changed?
I didn't see any events that currently carry the reserved bits, but it
would be simple to extend existing ones like `new_packet` and
`raw_packet`. You can find an example patch for that in the
`topic/jsiwek/tcp-hdr-reserved-bits` branch here:
https://github.com/zeek/zeek/compare/topic/jsiwek/tcp-hdr-reserved-bits
Let me know if that works for your purposes and I'll turn it into a
pull request.
- Jon
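For reference, the sketch below shows where the reserved bits discussed in this thread sit in a raw TCP header and how a nonzero value can be flagged. It is an added example, not code from Zeek or from the patch on the linked branch; the function names and sample headers are constructed for illustration, and it assumes the RFC 9293 layout (4 reserved bits after the data offset).

```python
import struct
from typing import List, NamedTuple


class TcpHeaderBits(NamedTuple):
    data_offset: int  # header length in 32-bit words
    reserved: int     # 4 bits between data offset and the control flags
    flags: int        # CWR, ECE, URG, ACK, PSH, RST, SYN, FIN


def parse_tcp_bits(segment: bytes) -> TcpHeaderBits:
    """Extract data offset, reserved bits and flags from a TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12: high nibble = data offset, low nibble = reserved bits.
    # Byte 13: the eight control flags.
    off_rsvd, flags = struct.unpack_from("!BB", segment, 12)
    data_offset = off_rsvd >> 4
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("invalid data offset")
    return TcpHeaderBits(data_offset, off_rsvd & 0x0F, flags)


def find_reserved_bit_use(segments: List[bytes]) -> List[int]:
    """Return indexes of segments whose reserved bits are not all zero."""
    hits = []
    for i, seg in enumerate(segments):
        try:
            if parse_tcp_bits(seg).reserved != 0:
                hits.append(i)
        except ValueError:
            continue  # malformed headers are skipped here, not reported
    return hits


def build_header(reserved: int, flags: int = 0x02) -> bytes:
    """Constructed 20-byte TCP header (no options) for the demo below."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       (5 << 4) | (reserved & 0x0F), flags, 65535, 0, 0)


if __name__ == "__main__":
    # Constructed sample: only the second header has reserved bits set.
    sample = [build_header(0), build_header(0b0101), build_header(0, 0x12)]
    print(find_reserved_bit_use(sample))
```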