Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 10:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

GH-618: add "tcp_options" event containing TCP option values

Browse source
This commit is contained in:
Jon Siwek 2019-10-03 18:59:02 -07:00
parent 222e3ad3ea
commit 052feacbda
14 changed files with 269 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

37
testing/btest/core/tcp/options.zeek
View file

@ -1,7 +1,44 @@
# @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out
# @TEST-EXEC: zeek -b -r $TRACES/tcp/option-sack.pcap %INPUT > out-sack
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff out-sack
event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
{
print c$id, is_orig, opt, optlen;
}
event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
{
print c$id, is_orig;
for ( i in options )
{
local o = options[i];
print fmt(" kind: %s, length: %s", o$kind, o$length);
if ( o?$data )
print fmt(" data (%s): %s", |o$data|, o$data);
else
{
switch ( o$kind ) {
case 2:
print fmt(" mss: %s", o$mss);
break;
case 3:
print fmt(" window scale: %s", o$window_scale);
break;
case 4:
print fmt(" sack permitted");
break;
case 5:
print fmt(" sack: %s", o$sack);
break;
case 8:
print fmt(" send ts: %s", o$send_timestamp);
print fmt(" echo ts: %s", o$echo_timestamp);
break;
}
}
}
}