[Zeek] Is it possible to inspect TCP reserved bits with Zeek?

Tomek Koziak ttomek.koziak at gmail.com
Wed Mar 25 02:53:22 PDT 2020


Hi Jon.

Thank you, it's working properly.
In the first place, I have modified the TCP_Flags.h to catch those bits,
but your solution seems to be better.

Tomasz

Tue, 24 Mar 2020 at 18:57 Jon Siwek <jsiwek at corelight.com> wrote:

> On Mon, Mar 23, 2020 at 3:11 PM Tomek Koziak <ttomek.koziak at gmail.com>
> wrote:
>
> > Is it possible to inspect TCP reserved bits with Zeek events? If not, is
> > there any other possible way to detect whether those bits were changed?
>
> I didn't see any events that currently carry the reserved bits, but it
> would be simple to extend existing ones like `new_packet` and
> `raw_packet`.  You can find an example patch for that in the
> `topic/jsiwek/tcp-hdr-reserved-bits` branch here:
>
>
> https://github.com/zeek/zeek/compare/topic/jsiwek/tcp-hdr-reserved-bits
>
> Let me know if that works for your purposes and I'll turn it into a
> pull request.
>
> - Jon
>
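As an added illustration of what the thread is after (this is not code from the thread, from the linked branch, or from Zeek itself), the snippet below reads the RFC 793 reserved field straight out of a raw TCP header, which is the information an extended `raw_packet`/`new_packet` event would have to surface. The two sample headers are constructed for the example.

```python
# Constructed sample: a minimal 20-byte TCP SYN header, src port 40000 -> dst port 80.
# Byte 12 holds Data Offset (high nibble, 5 words = 0x5) and the reserved bits (low nibble).
SAMPLE_CLEAN = bytes.fromhex(
    "9c400050"  # source port 40000, destination port 80
    "00000001"  # sequence number
    "00000000"  # acknowledgement number
    "5002ffff"  # 0x50: offset 5, reserved 0000; 0x02: SYN; window 65535
    "00000000"  # checksum, urgent pointer
)
# Same header, but with the reserved nibble set to 0b1010 (byte 12 = 0x5a).
SAMPLE_TAMPERED = bytes.fromhex("9c400050" "00000001" "00000000" "5a02ffff" "00000000")


def tcp_reserved_bits(tcp_header: bytes) -> int:
    """Return the 4-bit field between Data Offset and the flag byte (RFC 793 'reserved').

    RFC 3540 later assigned the lowest of these bits as the experimental NS flag,
    so a value of 1 can be legitimate on ECN-nonce hosts; the upper three bits
    should always be zero on the wire.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header is shorter than the 20-byte minimum")
    return tcp_header[12] & 0x0F


def tcp_data_offset(tcp_header: bytes) -> int:
    """Header length in bytes, taken from the high nibble of byte 12 (in 32-bit words)."""
    return (tcp_header[12] >> 4) * 4


def reserved_bits_suspicious(tcp_header: bytes) -> bool:
    """True when any bit other than the (possibly legitimate) NS bit is set."""
    return (tcp_reserved_bits(tcp_header) & 0b1110) != 0


if __name__ == "__main__":
    for name, hdr in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(f"{name}: offset={tcp_data_offset(hdr)} reserved={tcp_reserved_bits(hdr):04b} "
              f"suspicious={reserved_bits_suspicious(hdr)}")
```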

