24 Apr
2019
24 Apr
'19
6:48 a.m.
Hi,
I was hoping to understand how Zeek aggregates packets by connection. Is there any
documentation that summarizes the approach? Is there a way to extract all the packets that
correspond to a particular connection?
Thank you,
Ananditha Raghunath - 0557
Assistant Staff
Cyber Operations and Analysis Technology
MIT Lincoln Laboratory
ananditha.raghunath(a)ll.mit.edu | 781-981-9035
20 Jun
20 Jun
10:21 a.m.
Hi,
a bit late, but...
I was hoping to understand how Zeek aggregates packets
by connection. Is
there any documentation that summarizes the approach? Is there a way to
extract all the packets that correspond to a particular connection?
I don't think there is much documentation sadly. Basically - Zeek
identifies connections by 5-tuple and passes the packets on to the
TCP/UDP/ICMP protocol parsers for a specific connection. Connections are
timed out after a time amount that depends on the protocol, port, and
phase of connection establishment.
The set_record_packets bif can be used to write the packets of a
connection to a file (however that code has not seen a lot of testing
recently - it should work, but I don't really want to guarantee it).
Johanna
901
days inactive
958
days old
1 comments
2 participants
participants (2)
-
Johanna Amann -
Raghunath, Ananditha - 0557 - MITLL