Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add GTPv1 packet analyzer, disable old analyzer

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-11-03 12:17:22 -07:00
parent dc0ecf9811
commit 2044fbe53b
28 changed files with 1661 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

2
auxil/bifcl

@ -1 +1 @@
Subproject commit 6bd264351813eedb92753d2d4ed76ac6ddc076b3 Subproject commit 762d55f9c6747267acca77f19d4b60b4dc3c3821

5
scripts/base/frameworks/tunnels/main.zeek
View file

@ -90,14 +90,9 @@ export {
global finalize_tunnel: Conn::RemovalHook; global finalize_tunnel: Conn::RemovalHook;
} }
const gtpv1_ports = { 2152/udp, 2123/udp };
redef likely_server_ports += { gtpv1_ports };
event zeek_init() &priority=5 event zeek_init() &priority=5
{ {
Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]); Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
} }
function register_all(ecv: EncapsulatingConnVector) function register_all(ecv: EncapsulatingConnVector)

1
scripts/base/packet-protocols/__load__.zeek
View file

@ -25,3 +25,4 @@
@load base/packet-protocols/geneve @load base/packet-protocols/geneve
@load base/packet-protocols/vxlan @load base/packet-protocols/vxlan
@load base/packet-protocols/teredo @load base/packet-protocols/teredo
@load base/packet-protocols/gtpv1

1
scripts/base/packet-protocols/gtpv1/__load__.zeek Normal file
View file

@ -0,0 +1 @@
@load ./main

28
scripts/base/packet-protocols/gtpv1/main.zeek Normal file
View file

@ -0,0 +1,28 @@
module PacketAnalyzer::GTPV1;
# This needs to be loaded here so the function is available. Function BIFs normally aren't
# loaded until after the packet analysis init scripts are run, and then zeek complains it
# can't find the function.
@load base/bif/plugins/Zeek_GTPv1.functions.bif
# Needed for port registration for BPF
@load base/frameworks/analyzer/main
export {
## Default analyzer
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
}
const gtpv1_ports = { 2152/udp, 2123/udp };
redef likely_server_ports += { gtpv1_ports };
event zeek_init() &priority=20
{
PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1);
PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports);
}
event connection_state_remove(c: connection)
{
remove_gtpv1_connection(c$id);
}

2
src/analyzer/protocol/CMakeLists.txt
View file

@ -11,7 +11,7 @@ add_subdirectory(ftp)
#add_subdirectory(geneve) #add_subdirectory(geneve)
add_subdirectory(gnutella) add_subdirectory(gnutella)
add_subdirectory(gssapi) add_subdirectory(gssapi)
add_subdirectory(gtpv1) #add_subdirectory(gtpv1)
add_subdirectory(http) add_subdirectory(http)
add_subdirectory(ident) add_subdirectory(ident)
add_subdirectory(imap) add_subdirectory(imap)

4
src/binpac_zeek.h
View file

@ -6,6 +6,8 @@
#include "zeek/Val.h" #include "zeek/Val.h"
#include "zeek/analyzer/Analyzer.h" #include "zeek/analyzer/Analyzer.h"
#include "zeek/file_analysis/Analyzer.h" #include "zeek/file_analysis/Analyzer.h"
#include "zeek/iosource/Packet.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/util.h" #include "zeek/util.h"
#include "event.bif.func_h" #include "event.bif.func_h"
@ -15,9 +17,11 @@ namespace binpac
using ZeekAnalyzer = zeek::analyzer::Analyzer*; using ZeekAnalyzer = zeek::analyzer::Analyzer*;
using ZeekFileAnalyzer = zeek::file_analysis::Analyzer; using ZeekFileAnalyzer = zeek::file_analysis::Analyzer;
using ZeekPacketAnalyzer = zeek::packet_analysis::Analyzer*;
using ZeekVal = zeek::Val*; using ZeekVal = zeek::Val*;
using ZeekPortVal = zeek::PortVal*; using ZeekPortVal = zeek::PortVal*;
using ZeekStringVal = zeek::StringVal*; using ZeekStringVal = zeek::StringVal*;
using ZeekPacket = zeek::Packet;
inline zeek::StringValPtr to_stringval(const_bytestring const& str) inline zeek::StringValPtr to_stringval(const_bytestring const& str)
{ {

24
src/packet_analysis/Analyzer.h
View file

@ -173,6 +173,18 @@ public:
session::AnalyzerConfirmationState::VIOLATED; session::AnalyzerConfirmationState::VIOLATED;
} }
/**
* Reports a Weird with the analyzer's name included in the addl field.
*
* @param name The name of the weird.
* @param packet An optional pointer to a packet to be used for additional
* information in the weird output.
* @param addl An optional string containing additional information about
* the weird. If this is passed, the analyzer's name will be prepended to
* it before output.
*/
void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
protected: protected:
friend class Manager; friend class Manager;
@ -227,18 +239,6 @@ protected:
*/ */
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
/**
* Reports a Weird with the analyzer's name included in the addl field.
*
* @param name The name of the weird.
* @param packet An optional pointer to a packet to be used for additional
* information in the weird output.
* @param addl An optional string containing additional information about
* the weird. If this is passed, the analyzer's name will be prepended to
* it before output.
*/
void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
private: private:
zeek::Tag tag; zeek::Tag tag;
Dispatcher dispatcher; Dispatcher dispatcher;

1
src/packet_analysis/protocol/CMakeLists.txt
View file

@ -26,3 +26,4 @@ add_subdirectory(ayiya)
add_subdirectory(geneve) add_subdirectory(geneve)
add_subdirectory(vxlan) add_subdirectory(vxlan)
add_subdirectory(teredo) add_subdirectory(teredo)
add_subdirectory(gtpv1)

11
src/packet_analysis/protocol/gtpv1/CMakeLists.txt Normal file
View file

@ -0,0 +1,11 @@
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(Zeek GTPv1)
zeek_plugin_cc(GTPv1.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_bif(functions.bif)
zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
zeek_plugin_end()

102
src/packet_analysis/protocol/gtpv1/GTPv1.cc Normal file
View file

@ -0,0 +1,102 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
namespace zeek::packet_analysis::gtpv1
{
GTPv1_Analyzer::GTPv1_Analyzer() : zeek::packet_analysis::Analyzer("GTPV1") { }
bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
// GTPv1 always comes from a UDP connection, which means that session should always
// be valid and always be a connection. Return a weird if we didn't have a session
// stored.
if ( ! packet->session )
{
Analyzer::Weird("gtpv1_missing_connection");
return false;
}
auto conn = static_cast<Connection*>(packet->session);
zeek::detail::ConnKey conn_key = conn->Key();
auto cm_it = conn_map.find(conn_key);
if ( cm_it == conn_map.end() )
cm_it = conn_map.insert(cm_it,
{conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)});
try
{
cm_it->second->set_raw_packet(packet);
cm_it->second->NewData(packet->is_orig, data, data + len);
}
catch ( const binpac::Exception& e )
{
AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()), packet->session);
return false;
}
// Inner packet offset not being set means we failed to process somewhere, and SetInnerInfo()
// was never called by the binpac code. Assume this is a failure and return false.
if ( inner_packet_offset <= 0 )
return false;
auto odata = data;
auto olen = len;
data += inner_packet_offset;
len -= inner_packet_offset;
inner_packet_offset = -1;
// TODO: i'm not sure about this. on the one hand, we do some error checking with the result
// but on the other hand we duplicate this work here. maybe this header could just be stored
// and reused in the IP analyzer somehow?
std::shared_ptr<IP_Hdr> inner = nullptr;
int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
if ( result == 0 )
{
cm_it->second->set_valid(packet->is_orig, true);
if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
(cm_it->second->valid(true) && cm_it->second->valid(false)) )
AnalyzerConfirmation(packet->session);
if ( gtp_hdr_val )
{
BifEvent::enqueue_gtpv1_g_pdu_packet(nullptr, conn, std::move(gtp_hdr_val),
inner->ToPktHdrVal());
gtp_hdr_val = nullptr;
}
}
else if ( result == -2 )
{
AnalyzerViolation("Invalid IP version in wrapped packet", packet->session);
gtp_hdr_val = nullptr;
return false;
}
else if ( result < 0 )
{
AnalyzerViolation("Truncated GTPv1", packet->session);
gtp_hdr_val = nullptr;
return false;
}
else
{
AnalyzerViolation("GTPv1 payload length", packet->session);
gtp_hdr_val = nullptr;
return false;
}
int encap_index = 0;
auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GTPv1,
GetAnalyzerTag());
return ForwardPacket(len, data, inner_packet.get());
}
} // namespace zeek::packet_analysis::gtpv1

46
src/packet_analysis/protocol/gtpv1/GTPv1.h Normal file
View file

@ -0,0 +1,46 @@
#pragma once
#include "zeek/packet_analysis/Analyzer.h"
#include "packet_analysis/protocol/gtpv1/gtpv1_pac.h"
namespace binpac::GTPv1
{
class GTPv1_Conn;
}
namespace zeek::packet_analysis::gtpv1
{
class GTPv1_Analyzer final : public packet_analysis::Analyzer
{
public:
explicit GTPv1_Analyzer();
~GTPv1_Analyzer() override = default;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{
return std::make_shared<GTPv1_Analyzer>();
}
void SetInnerInfo(int offset, uint8_t next, RecordValPtr val)
{
inner_packet_offset = offset;
next_header = next;
gtp_hdr_val = std::move(val);
}
void RemoveConnection(const zeek::detail::ConnKey& conn_key) { conn_map.erase(conn_key); }
protected:
using ConnMap = std::map<zeek::detail::ConnKey, std::unique_ptr<binpac::GTPv1::GTPv1_Conn>>;
ConnMap conn_map;
int inner_packet_offset = -1;
uint8_t next_header = 0;
RecordValPtr gtp_hdr_val;
};
} // namespace zeek::packet_analysis::gtpv1

26
src/packet_analysis/protocol/gtpv1/Plugin.cc Normal file
View file

@ -0,0 +1,26 @@
// See the file in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
namespace zeek::plugin::detail::Zeek_GTPv1
{
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::packet_analysis::Component(
"GTPv1", zeek::packet_analysis::gtpv1::GTPv1_Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GTPv1";
config.description = "GTPv1 analyzer";
return config;
}
} plugin;
} // namespace zeek::plugin::detail::Zeek_GTPv1

74
src/packet_analysis/protocol/gtpv1/events.bif Normal file
View file

@ -0,0 +1,74 @@
## Generated for any GTP message with a GTPv1 header.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
## that includes a GTP header followed by an IPv4 or IPv6 packet.
##
## outer: The GTP outer tunnel connection.
##
## inner_gtp: The GTP header.
##
## inner_ip: The inner IP and transport layer packet headers.
##
## .. note:: Since this event may be raised on a per-packet basis, handling
## it may become particularly expensive for real-time analysis.
event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
## Generated for GTPv1-C Create PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
## Generated for GTPv1-C Create PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
## Generated for GTPv1-C Update PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
## Generated for GTPv1-C Update PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
## Generated for GTPv1-C Delete PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
## Generated for GTPv1-C Delete PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);

20
src/packet_analysis/protocol/gtpv1/functions.bif Normal file
View file

@ -0,0 +1,20 @@
module PacketAnalyzer::GTPV1;
%%{
#include "zeek/Conn.h"
#include "zeek/session/Manager.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
%%}
function remove_gtpv1_connection%(cid: conn_id%) : bool
%{
zeek::packet_analysis::AnalyzerPtr gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 )
{
zeek::detail::ConnKey conn_key(cid);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
}
return zeek::val_mgr->True();
%}

759
src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac Normal file
View file

@ -0,0 +1,759 @@
%extern{
#include "zeek/ZeekString.h"
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
%}
%code{
zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
rv->Assign(0, pdu->version());
rv->Assign(1, pdu->pt_flag());
rv->Assign(2, pdu->rsv());
rv->Assign(3, pdu->e_flag());
rv->Assign(4, pdu->s_flag());
rv->Assign(5, pdu->pn_flag());
rv->Assign(6, pdu->msg_type());
rv->Assign(7, pdu->length());
rv->Assign(8, pdu->teid());
if ( pdu->has_opt() )
{
rv->Assign(9, pdu->opt_hdr()->seq());
rv->Assign(10, pdu->opt_hdr()->n_pdu());
rv->Assign(11, pdu->opt_hdr()->next_type());
}
return rv;
}
static zeek::ValPtr BuildIMSI(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->imsi()->value());
}
static zeek::ValPtr BuildRAI(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
ev->Assign(0, ie->rai()->mcc());
ev->Assign(1, ie->rai()->mnc());
ev->Assign(2, ie->rai()->lac());
ev->Assign(3, ie->rai()->rac());
return ev;
}
static zeek::ValPtr BuildRecovery(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->recovery()->restart_counter());
}
static zeek::ValPtr BuildSelectionMode(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->selection_mode()->mode());
}
static zeek::ValPtr BuildTEID1(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->teid1()->value());
}
static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->teidcp()->value());
}
static zeek::ValPtr BuildNSAPI(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->nsapi()->nsapi());
}
static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->charging_characteristics()->value());
}
static zeek::ValPtr BuildTraceReference(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->trace_reference()->value());
}
static zeek::ValPtr BuildTraceType(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->trace_type()->value());
}
zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
ev->Assign(0, ie->end_user_addr()->pdp_type_org());
ev->Assign(1, ie->end_user_addr()->pdp_type_num());
int len = ie->end_user_addr()->pdp_addr().length();
if ( len > 0 )
{
const uint8* d = ie->end_user_addr()->pdp_addr().data();
switch ( ie->end_user_addr()->pdp_type_num() ) {
case 0x21:
ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
break;
case 0x57:
ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
break;
default:
ev->Assign(3, new zeek::String((const u_char*) d, len, false));
break;
}
}
return ev;
}
zeek::ValPtr BuildAccessPointName(const InformationElement* ie)
{
zeek::String* bs = new zeek::String((const u_char*) ie->ap_name()->value().data(),
ie->ap_name()->value().length(), false);
return zeek::make_intrusive<zeek::StringVal>(bs);
}
zeek::ValPtr BuildProtoConfigOptions(const InformationElement* ie)
{
const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
int len = ie->proto_config_opts()->value().length();
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
}
zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_gsn_addr);
int len = ie->gsn_addr()->value().length();
const uint8* d = ie->gsn_addr()->value().data();
if ( len == 4 )
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
else if ( len == 16 )
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
else
ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev;
}
zeek::ValPtr BuildMSISDN(const InformationElement* ie)
{
const u_char* d = (const u_char*) ie->msisdn()->value().data();
int len = ie->msisdn()->value().length();
return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
}
zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_qos_profile);
const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length();
ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
ev->Assign(1, new zeek::String(d, len, false));
return ev;
}
zeek::ValPtr BuildTrafficFlowTemplate(const InformationElement* ie)
{
const uint8* d = ie->traffic_flow_template()->value().data();
int len = ie->traffic_flow_template()->value().length();
return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
}
zeek::ValPtr BuildTriggerID(const InformationElement* ie)
{
const uint8* d = ie->trigger_id()->value().data();
int len = ie->trigger_id()->value().length();
return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
}
zeek::ValPtr BuildOMC_ID(const InformationElement* ie)
{
const uint8* d = ie->omc_id()->value().data();
int len = ie->omc_id()->value().length();
return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
}
zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_private_extension);
const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length();
ev->Assign(0, ie->private_ext()->id());
ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev;
}
static zeek::ValPtr BuildCause(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->cause()->value());
}
static zeek::ValPtr BuildReorderReq(const InformationElement* ie)
{
return zeek::val_mgr->Bool(ie->reorder_req()->req());
}
static zeek::ValPtr BuildChargingID(const InformationElement* ie)
{
return zeek::val_mgr->Count(ie->charging_id()->value());;
}
zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
{
const uint8* d = ie->charging_gateway_addr()->value().data();
int len = ie->charging_gateway_addr()->value().length();
if ( len == 4 )
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network));
else if ( len == 16 )
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network));
else
return nullptr;
}
static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
{
return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
}
void CreatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
bool second_nsapi = false;
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_IMSI:
rv->Assign(0, BuildIMSI(ie));
break;
case GTPv1::TYPE_RAI:
rv->Assign(1, BuildRAI(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_SELECTION_MODE:
rv->Assign(3, BuildSelectionMode(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(4, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(5, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_NSAPI:
if ( second_nsapi )
rv->Assign(7, BuildNSAPI(ie));
else
{
second_nsapi = true;
rv->Assign(6, BuildNSAPI(ie));
}
break;
case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
rv->Assign(8, BuildChargingCharacteristics(ie));
break;
case GTPv1::TYPE_TRACE_REFERENCE:
rv->Assign(9, BuildTraceReference(ie));
break;
case GTPv1::TYPE_TRACE_TYPE:
rv->Assign(10, BuildTraceType(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(11, BuildEndUserAddr(ie));
break;
case GTPv1::TYPE_ACCESS_POINT_NAME:
rv->Assign(12, BuildAccessPointName(ie));
break;
case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
rv->Assign(13, BuildProtoConfigOptions(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(15, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(14, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_MSISDN:
rv->Assign(16, BuildMSISDN(ie));
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(17, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
rv->Assign(18, BuildTrafficFlowTemplate(ie));
break;
case GTPv1::TYPE_TRIGGER_ID:
rv->Assign(19, BuildTriggerID(ie));
break;
case GTPv1::TYPE_OMC_ID:
rv->Assign(20, BuildOMC_ID(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(21, BuildPrivateExt(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
void CreatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_REORDER_REQ:
rv->Assign(1, BuildReorderReq(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(3, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(4, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_CHARGING_ID:
rv->Assign(5, BuildChargingID(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(6, BuildEndUserAddr(ie));
break;
case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
rv->Assign(7, BuildProtoConfigOptions(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(9, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(8, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(10, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
rv->Assign(11, BuildChargingGatewayAddr(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(12, BuildPrivateExt(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_IMSI:
rv->Assign(0, BuildIMSI(ie));
break;
case GTPv1::TYPE_RAI:
rv->Assign(1, BuildRAI(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(3, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(4, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_NSAPI:
rv->Assign(5, BuildNSAPI(ie));
break;
case GTPv1::TYPE_TRACE_REFERENCE:
rv->Assign(6, BuildTraceReference(ie));
break;
case GTPv1::TYPE_TRACE_TYPE:
rv->Assign(7, BuildTraceType(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(9, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(8, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(10, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
rv->Assign(11, BuildTrafficFlowTemplate(ie));
break;
case GTPv1::TYPE_TRIGGER_ID:
rv->Assign(12, BuildTriggerID(ie));
break;
case GTPv1::TYPE_OMC_ID:
rv->Assign(13, BuildOMC_ID(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(14, BuildPrivateExt(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(15, BuildEndUserAddr(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(1, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(2, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(3, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_CHARGING_ID:
rv->Assign(4, BuildChargingID(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(6, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(5, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(7, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
rv->Assign(8, BuildChargingGatewayAddr(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(9, BuildPrivateExt(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_TEARDOWN_IND:
rv->Assign(0, BuildTeardownInd(ie));
break;
case GTPv1::TYPE_NSAPI:
rv->Assign(1, BuildNSAPI(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(2, BuildPrivateExt(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
auto rv = zeek::make_intrusive<zeek::RecordVal>(
zeek::BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(1, BuildPrivateExt(ie));
break;
default:
a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
break;
}
}
zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
}
%}
connection GTPv1_Conn(zeek_analyzer: ZeekPacketAnalyzer)
{
upflow = GTPv1_Flow(true);
downflow = GTPv1_Flow(false);
%member{
bool valid_orig;
bool valid_resp;
ZeekPacket* packet;
%}
%init{
valid_orig = valid_resp = false;
%}
function valid(orig: bool): bool
%{
return orig ? valid_orig : valid_resp;
%}
function set_valid(orig: bool, val: bool): void
%{
if ( orig )
valid_orig = val;
else
valid_resp = val;
%}
function set_raw_packet(p: ZeekPacket): void
%{
packet = p;
%}
function get_raw_packet(): ZeekPacket
%{
return packet;
%}
}
flow GTPv1_Flow(is_orig: bool)
{
datagram = GTPv1_Header withcontext(connection, this);
function violate(r: string, pdu: GTPv1_Header): void
%{
ZeekPacketAnalyzer a = connection()->zeek_analyzer();
ZeekPacket* p = connection()->get_raw_packet();
a->AnalyzerViolation(r.c_str(), p->session);
%}
function process_gtpv1(pdu: GTPv1_Header): bool
%{
ZeekPacketAnalyzer a = connection()->zeek_analyzer();
ZeekPacket* p = connection()->get_raw_packet();
zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
const std::shared_ptr<zeek::EncapsulationStack> e = p->encap;
connection()->set_valid(is_orig(), false);
if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
{
a->Weird("tunnel_depth");
return false;
}
if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
{
// GTP is never tunneled in GTP so, this must be a regular packet
violate("GTP-in-GTP", pdu);
return false;
}
if ( ${pdu.version} != 1 )
{
// Only know of GTPv1 with Version == 1
violate("GTPv1 bad Version", pdu);
return false;
}
if ( ! ${pdu.pt_flag} )
{
// Not interested in GTP
return false;
}
if ( ::gtpv1_message )
zeek::BifEvent::enqueue_gtpv1_message(nullptr, c, BuildGTPv1Hdr(pdu));
switch ( ${pdu.msg_type} ) {
case 16:
CreatePDP_Request(a, c, pdu);
return true;
case 17:
CreatePDP_Response(a, c, pdu);
return true;
case 18:
UpdatePDP_Request(a, c, pdu);
return true;
case 19:
UpdatePDP_Response(a, c, pdu);
return true;
case 20:
DeletePDP_Request(a, c, pdu);
return true;
case 21:
DeletePDP_Response(a, c, pdu);
return true;
case 255:
return process_g_pdu(pdu);
default:
return false;
}
return false;
%}
function process_g_pdu(pdu: GTPv1_Header): bool
%{
ZeekPacketAnalyzer a = connection()->zeek_analyzer();
ZeekPacket* p = connection()->get_raw_packet();
zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
{
violate("Truncated GTPv1", pdu);
return false;
}
const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
if ( ip->ip_v != 4 && ip->ip_v != 6 )
{
violate("non-IP packet in GTPv1", pdu);
return false;
}
int hdr_len = 8;
if ( pdu->has_opt() )
hdr_len += 4;
if ( pdu->e_flag() && pdu->ext_hdrs() )
for ( const auto& eh : *pdu->ext_hdrs() )
hdr_len += 2 + eh->contents().length();
auto next_hdr = ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4;
zeek::RecordValPtr hdr_val;
if ( ::gtpv1_g_pdu_packet )
hdr_val = BuildGTPv1Hdr(pdu);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(a)->SetInnerInfo(
hdr_len, next_hdr, std::move(hdr_val));
return true;
%}
};
refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };

496
src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac Normal file
View file

@ -0,0 +1,496 @@
type GTPv1_Header = record {
flags: uint8;
msg_type: uint8;
length: uint16;
teid: uint32;
opt: case has_opt of {
true -> opt_hdr: GTPv1_Opt_Header;
false -> no_opt: empty;
};
ext: case e_flag of {
true -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
false -> no_ext: empty;
};
msg: case msg_type of {
16 -> create_pdp_ctx_request: InformationElement[];
17 -> create_pdp_ctx_response: InformationElement[];
18 -> update_pdp_ctx_request: InformationElement[];
19 -> update_pdp_ctx_response: InformationElement[];
20 -> delete_pdp_ctx_request: InformationElement[];
21 -> delete_pdp_ctx_response: InformationElement[];
255 -> packet: bytestring &restofdata;
default -> unknown: bytestring &restofdata;
};
} &let {
version: uint8 = (flags & 0xE0) >> 5;
pt_flag: bool = flags & 0x10;
rsv: bool = flags & 0x08;
e_flag: bool = flags & 0x04;
s_flag: bool = flags & 0x02;
pn_flag: bool = flags & 0x01;
has_opt: bool = flags & 0x07;
} &byteorder = bigendian, &exportsourcedata;
type GTPv1_Opt_Header = record {
seq: uint16;
n_pdu: uint8;
next_type: uint8;
};
type GTPv1_Ext_Header = record {
length: uint8;
contents: bytestring &length=(length * 4 - 2);
next_type: uint8;
};
enum InfoElementType {
TYPE_CAUSE = 1,
TYPE_IMSI = 2,
TYPE_RAI = 3,
TYPE_TLLI = 4,
TYPE_P_TMSI = 5,
TYPE_REORDER_REQ = 8,
TYPE_AUTHN_TRIPLET = 9,
TYPE_MAP_CAUSE = 11,
TYPE_P_TMSI_SIG = 12,
TYPE_MS_VALID = 13,
TYPE_RECOVERY = 14,
TYPE_SELECTION_MODE = 15,
TYPE_TEID1 = 16,
TYPE_TEID_CONTROL_PLANE = 17,
TYPE_TEID2 = 18,
TYPE_TEARDOWN_IND = 19,
TYPE_NSAPI = 20,
TYPE_RANAP_CAUSE = 21,
TYPE_RAB_CTX = 22,
TYPE_RADIO_PRIORITY_SMS = 23,
TYPE_RADIO_PRIORITY = 24,
TYPE_PACKET_FLOW_ID = 25,
TYPE_CHARGING_CHARACTERISTICS = 26,
TYPE_TRACE_REFERENCE = 27,
TYPE_TRACE_TYPE = 28,
TYPE_MS_NOT_REACHABLE_REASON = 29,
TYPE_CHARGING_ID = 127,
TYPE_END_USER_ADDR = 128,
TYPE_MM_CTX = 129,
TYPE_PDP_CTX = 130,
TYPE_ACCESS_POINT_NAME = 131,
TYPE_PROTO_CONFIG_OPTIONS = 132,
TYPE_GSN_ADDR = 133,
TYPE_MSISDN = 134,
TYPE_QOS_PROFILE = 135,
TYPE_AUTHN_QUINTUPLET = 136,
TYPE_TRAFFIC_FLOW_TEMPLATE = 137,
TYPE_TARGET_ID = 138,
TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
TYPE_RAB_SETUP_INFO = 140,
TYPE_EXT_HEADER_TYPE_LIST = 141,
TYPE_TRIGGER_ID = 142,
TYPE_OMC_ID = 143,
TYPE_CHARGING_GATEWAY_ADDR = 251,
TYPE_PRIVATE_EXT = 255,
};
type InformationElement = record {
type: uint8;
len: case is_tlv of {
true -> tlv_len: uint16;
false -> no_len: empty;
};
value: case type of {
TYPE_CAUSE -> cause: Cause;
TYPE_IMSI -> imsi: IMSI;
TYPE_RAI -> rai: RAI;
TYPE_TLLI -> tlli: TLLI;
TYPE_P_TMSI -> p_tmsi: P_TMSI;
TYPE_REORDER_REQ -> reorder_req: ReorderReq;
TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
TYPE_MS_VALID -> ms_valid: MS_Valid;
TYPE_RECOVERY -> recovery: Recovery;
TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
TYPE_TEID1 -> teid1: TEID1;
TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
TYPE_TEID2 -> teid2: TEID2;
TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
TYPE_NSAPI -> nsapi: NSAPI;
TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
TYPE_TRACE_TYPE -> trace_type: TraceType;
TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
TYPE_CHARGING_ID -> charging_id: ChargingID;
TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
TYPE_MSISDN -> msisdn: MSISDN(length);
TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
TYPE_TARGET_ID -> target_id: TargetID(length);
TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
TYPE_OMC_ID -> omc_id: OMC_ID(length);
TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
default -> unknown: bytestring &length=length;
} &requires(length);
} &let {
is_tlv: bool = (type & 0x80);
length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
};
type Cause = record {
value: uint8;
};
function decode_imsi(v: uint8[8]): uint64
%{
uint64 rval = 0;
uint8 digits[16];
for ( size_t i = 0; i < v->size(); ++i )
{
digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
digits[2 * i] = (*v)[i] & 0x0f;
}
int power = 0;
for ( int i = 15; i >= 0; --i )
{
if ( digits[i] == 0x0f ) continue;
rval += digits[i] * pow(10, power);
++power;
}
return rval;
%}
type IMSI = record {
tbcd_encoded_value: uint8[8];
} &let {
value: uint64 = decode_imsi(tbcd_encoded_value);
};
type RAI = record {
mcc2_mcc1: uint8;
mnc3_mcc3: uint8;
mnc2_mnc1: uint8;
lac: uint16;
rac: uint8;
} &let {
mcc1: uint8 = (mcc2_mcc1 & 0x0f);
mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
mcc3: uint8 = (mnc3_mcc3 & 0x0f);
mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
mnc1: uint8 = (mnc2_mnc1 & 0x0f);
mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
};
type TLLI = record {
value: uint32;
};
type P_TMSI = record {
value: uint32;
};
type ReorderReq = record {
value: uint8;
} &let {
req: bool = value & 0x01;
};
type AuthN_Triplet = record {
rand: bytestring &length=16;
sres: uint32;
kc: uint64;
};
type MAP_Cause = record {
value: uint8;
};
type P_TMSI_Sig = record {
value: bytestring &length=3;
};
type MS_Valid = record {
value: uint8;
};
type Recovery = record {
restart_counter: uint8;
};
type SelectionMode = record {
value: uint8;
} &let {
mode: uint8 = value & 0x01;
};
type TEID1 = record {
value: uint32;
};
type TEID_ControlPlane = record {
value: uint32;
};
type TEID2 = record {
spare_nsapi: uint8;
teid2: uint32;
};
type TeardownInd = record {
value: uint8;
} &let {
ind: bool = value & 0x01;
};
type NSAPI = record {
xxxx_nsapi: uint8;
} &let {
nsapi: uint8 = xxxx_nsapi & 0x0f;
};
type RANAP_Cause = record {
value: uint8;
};
type RAB_Ctx = record {
spare_nsapi: uint8;
dl_gtpu_seq_num: uint16;
ul_gtpu_seq_num: uint16;
dl_pdcp_seq_num: uint16;
ul_pdcp_seq_num: uint16;
};
type RadioPrioritySMS = record {
value: uint8;
};
type RadioPriority = record {
nsapi_radio_priority: uint8;
};
type PacketFlowID = record {
rsv_nsapi: uint8;
packet_flow_id: uint8;
};
type ChargingCharacteristics = record {
value: uint16;
};
type TraceReference = record {
value: uint16;
};
type TraceType = record {
value: uint16;
};
type MS_Not_Reachable_Reason = record {
value: uint8;
};
type ChargingID = record {
value: uint32;
};
type EndUserAddr(n: uint16) = record {
spare_pdp_type_org: uint8;
pdp_type_num: uint8;
pdp_addr: bytestring &length=(n-2);
} &let {
pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
};
type MM_Ctx(n: uint16) = record {
spare_cksn_ksi: uint8;
security_params: uint8;
keys: case gsm_keys of {
true -> kc: uint64;
false -> ck_ik: bytestring &length=32;
};
vector_len: case have_triplets of {
true -> no_quint_len: empty;
false -> quint_len: uint16;
};
vectors: case have_triplets of {
true -> triplets: AuthN_Triplet[num_vectors];
false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
} &requires(num_vectors);
drx_param: uint16;
ms_net_capability_len: uint8;
ms_net_capability: bytestring &length=ms_net_capability_len;
container_len: uint16;
container: bytestring &length=container_len;
} &let {
security_mode: uint8 = security_params >> 6;
gsm_keys: bool = security_mode & 0x01;
have_triplets: bool = (security_mode == 1);
num_vectors: uint8 = (security_params & 0x38) >> 3;
};
type PDP_Ctx(n: uint16) = record {
rsv_nsapi: uint8;
xxxx_sapi: uint8;
qos_sub_len: uint8;
qos_sub: QoS_Profile(qos_sub_len);
qos_req_len: uint8;
qos_req: QoS_Profile(qos_req_len);
qos_neg_len: uint8;
qos_neg: QoS_Profile(qos_neg_len);
snd: uint16;
snu: uint16;
send_npdu_num: uint8;
recv_npdu_num: uint8;
ul_teid_cp: TEID_ControlPlane;
ul_teid_data1: TEID1;
pdp_ctx_id: uint8;
spare_pdp_type_org: uint8;
pdp_type_num: uint8;
pdp_addr_len: uint8;
pdp_addr: bytestring &length=pdp_addr_len;
ggsn_addr_control_plane_len: uint8;
ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
ggsn_addr_user_traffic_len: uint8;
ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
apn_len: uint8;
apn: AP_Name(apn_len);
spare_transaction_id: uint8;
transaction_id: uint8;
};
type AP_Name(n: uint16) = record {
value: bytestring &length=n;
};
type ProtoConfigOpts(n: uint16) = record {
value: bytestring &length=n;
};
type GSN_Addr(n: uint16) = record {
value: bytestring &length=n;
};
type MSISDN(n: uint16) = record {
value: bytestring &length=n;
};
type QoS_Profile(n: uint16) = record {
alloc_retention_priority: uint8;
data: bytestring &length=n-1;
};
type AuthN_Quintuplet(n: uint16) = record {
rand: bytestring &length=16;
xres_len: uint8;
xres: bytestring &length=xres_len;
ck: bytestring &length=16;
ik: bytestring &length=16;
autn_len: uint8;
autn: bytestring &length=autn_len;
};
type TrafficFlowTemplate(n: uint16) = record {
value: bytestring &length=n;
};
type TargetID(n: uint16) = record {
value: bytestring &length=n;
};
type UTRAN_TransparentContainer(n: uint16) = record {
value: bytestring &length=n;
};
type RAB_SetupInfo(n: uint16) = record {
xxxx_nsapi: uint8;
have_teid: case n of {
1 -> no_teid: empty;
default -> teid: TEID1;
};
have_addr: case n of {
1 -> no_addr: empty;
default -> rnc_addr: bytestring &length=n-5;
};
};
type ExtHdrTypeList(n: uint16) = record {
value: uint8[n];
};
type TriggerID(n: uint16) = record {
value: bytestring &length=n;
};
type OMC_ID(n: uint16) = record {
value: bytestring &length=n;
};
type ChargingGatewayAddr(n: uint16) = record {
value: bytestring &length=n;
};
type PrivateExt(n: uint16) = record {
id: uint16;
value: bytestring &length=n-2;
};
function Get_IE_Len(t: uint8): uint16 =
case t of {
TYPE_CAUSE -> 1;
TYPE_IMSI -> 8;
TYPE_RAI -> 6;
TYPE_TLLI -> 4;
TYPE_P_TMSI -> 4;
TYPE_REORDER_REQ -> 1;
TYPE_AUTHN_TRIPLET -> 28;
TYPE_MAP_CAUSE -> 1;
TYPE_P_TMSI_SIG -> 3;
TYPE_MS_VALID -> 1;
TYPE_RECOVERY -> 1;
TYPE_SELECTION_MODE -> 1;
TYPE_TEID1 -> 4;
TYPE_TEID_CONTROL_PLANE -> 4;
TYPE_TEID2 -> 5;
TYPE_TEARDOWN_IND -> 1;
TYPE_NSAPI -> 1;
TYPE_RANAP_CAUSE -> 1;
TYPE_RAB_CTX -> 9;
TYPE_RADIO_PRIORITY_SMS -> 1;
TYPE_RADIO_PRIORITY -> 1;
TYPE_PACKET_FLOW_ID -> 2;
TYPE_CHARGING_CHARACTERISTICS -> 2;
TYPE_TRACE_REFERENCE -> 2;
TYPE_TRACE_TYPE -> 2;
TYPE_MS_NOT_REACHABLE_REASON -> 1;
TYPE_CHARGING_ID -> 4;
};

18
src/packet_analysis/protocol/gtpv1/gtpv1.pac Normal file
View file

@ -0,0 +1,18 @@
%include binpac.pac
%include zeek.pac
%extern{
#include "zeek/IP.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/Reporter.h"
#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
%}
analyzer GTPv1 withcontext {
connection: GTPv1_Conn;
flow: GTPv1_Flow;
};
%include gtpv1-protocol.pac
%include gtpv1-analyzer.pac

1
src/zeek.pac
View file

@ -3,6 +3,7 @@
%} %}
extern type ZeekAnalyzer; extern type ZeekAnalyzer;
extern type ZeekPacketAnalyzer;
extern type ZeekVal; extern type ZeekVal;
extern type ZeekPortVal; extern type ZeekPortVal;
extern type ZeekStringVal; extern type ZeekStringVal;

2
testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...] protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP

2
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string #types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\\xff\\x00\\xac\\x98\\x13\\x01LE\\x00\\x05\\xc8G\\xea@\\x00\\x80\\x06\\xb6\\x83\\x0a\\x83w&\\xd9\\x14\\x9c\\x04\\xd9\\xc2\\x00P\\xddh\\xb4\\x8f41eV...] XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

5
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -76,6 +76,9 @@ scripts/base/init-bare.zeek
scripts/base/packet-protocols/teredo/__load__.zeek scripts/base/packet-protocols/teredo/__load__.zeek
scripts/base/packet-protocols/teredo/main.zeek scripts/base/packet-protocols/teredo/main.zeek
build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
scripts/base/packet-protocols/gtpv1/__load__.zeek
scripts/base/packet-protocols/gtpv1/main.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
scripts/base/init-frameworks-and-bifs.zeek scripts/base/init-frameworks-and-bifs.zeek
scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/__load__.zeek
scripts/base/frameworks/logging/main.zeek scripts/base/frameworks/logging/main.zeek
@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -76,6 +76,9 @@ scripts/base/init-bare.zeek
scripts/base/packet-protocols/teredo/__load__.zeek scripts/base/packet-protocols/teredo/__load__.zeek
scripts/base/packet-protocols/teredo/main.zeek scripts/base/packet-protocols/teredo/main.zeek
build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
scripts/base/packet-protocols/gtpv1/__load__.zeek
scripts/base/packet-protocols/gtpv1/main.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
scripts/base/init-frameworks-and-bifs.zeek scripts/base/init-frameworks-and-bifs.zeek
scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/__load__.zeek
scripts/base/frameworks/logging/main.zeek scripts/base/frameworks/logging/main.zeek
@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek

60
testing/btest/Baseline/plugins.hooks/output
View file

@ -14,8 +14,6 @@
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@ -76,8 +74,6 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@ -129,7 +125,6 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) -> <no result> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) -> <no result>
@ -577,10 +572,13 @@
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -631,6 +629,8 @@
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
@ -646,6 +646,7 @@
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
0.000000 MetaHookPost CallFunction(PacketFilter::build, <frame>, ()) -> <no result> 0.000000 MetaHookPost CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@ -677,6 +678,8 @@
0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result> 0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
0.000000 MetaHookPost CallFunction(global_ids, <frame>, ()) -> <no result> 0.000000 MetaHookPost CallFunction(global_ids, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result> 0.000000 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result> 0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
@ -720,6 +723,7 @@
0.000000 MetaHookPost LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1
@ -922,6 +926,7 @@
0.000000 MetaHookPost LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1 0.000000 MetaHookPost LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
@ -963,6 +968,7 @@
0.000000 MetaHookPost LoadFile(0, base<...>/geneve, <...>/geneve) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/gre, <...>/gre) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/gre, <...>/gre) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/gtpv1, <...>/gtpv1) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/hash, <...>/hash) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash, <...>/hash) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/http, <...>/http) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/http, <...>/http) -> -1
@ -1094,6 +1100,7 @@
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, <no content>)
@ -1296,6 +1303,7 @@
0.000000 MetaHookPost LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
@ -1337,6 +1345,7 @@
0.000000 MetaHookPost LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, <no content>) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, <no content>)
@ -1459,8 +1468,6 @@
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@ -1521,8 +1528,6 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@ -1574,7 +1579,6 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp}))
@ -2022,10 +2026,13 @@
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp}))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
@ -2076,6 +2083,8 @@
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
@ -2091,6 +2100,7 @@
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO))
0.000000 MetaHookPre CallFunction(PacketFilter::build, <frame>, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, <frame>, ())
0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@ -2122,6 +2132,8 @@
0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
0.000000 MetaHookPre CallFunction(global_ids, <frame>, ()) 0.000000 MetaHookPre CallFunction(global_ids, <frame>, ())
0.000000 MetaHookPre CallFunction(network_time, <frame>, ()) 0.000000 MetaHookPre CallFunction(network_time, <frame>, ())
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2123/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2152/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (3544/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (3544/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (4789/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (4789/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (5072/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (5072/udp))
@ -2165,6 +2177,7 @@
0.000000 MetaHookPre LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
@ -2367,6 +2380,7 @@
0.000000 MetaHookPre LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) 0.000000 MetaHookPre LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
0.000000 MetaHookPre LoadFile(0, base/packet-protocols, <...>/packet-protocols) 0.000000 MetaHookPre LoadFile(0, base/packet-protocols, <...>/packet-protocols)
0.000000 MetaHookPre LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
@ -2408,6 +2422,7 @@
0.000000 MetaHookPre LoadFile(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFile(0, base<...>/geneve, <...>/geneve)
0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/gre, <...>/gre) 0.000000 MetaHookPre LoadFile(0, base<...>/gre, <...>/gre)
0.000000 MetaHookPre LoadFile(0, base<...>/gtpv1, <...>/gtpv1)
0.000000 MetaHookPre LoadFile(0, base<...>/hash, <...>/hash) 0.000000 MetaHookPre LoadFile(0, base<...>/hash, <...>/hash)
0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
0.000000 MetaHookPre LoadFile(0, base<...>/http, <...>/http) 0.000000 MetaHookPre LoadFile(0, base<...>/http, <...>/http)
@ -2539,6 +2554,7 @@
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
@ -2741,6 +2757,7 @@
0.000000 MetaHookPre LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) 0.000000 MetaHookPre LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
@ -2782,6 +2799,7 @@
0.000000 MetaHookPre LoadFileExtended(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geneve, <...>/geneve)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/gre, <...>/gre) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/gre, <...>/gre)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash, <...>/hash) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash, <...>/hash)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
0.000000 MetaHookPre LoadFileExtended(0, base<...>/http, <...>/http) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/http, <...>/http)
@ -2904,8 +2922,6 @@
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@ -2966,8 +2982,6 @@
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@ -3019,7 +3033,6 @@
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6666<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6666<...>/tcp})
@ -3466,10 +3479,13 @@
0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})
0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
@ -3520,6 +3536,8 @@
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
@ -3535,6 +3553,7 @@
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)
0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)
0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::build()
0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@ -3566,6 +3585,8 @@
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction global_ids()
0.000000 | HookCallFunction network_time() 0.000000 | HookCallFunction network_time()
0.000000 | HookCallFunction port_to_count(2123/udp)
0.000000 | HookCallFunction port_to_count(2152/udp)
0.000000 | HookCallFunction port_to_count(3544/udp) 0.000000 | HookCallFunction port_to_count(3544/udp)
0.000000 | HookCallFunction port_to_count(4789/udp) 0.000000 | HookCallFunction port_to_count(4789/udp)
0.000000 | HookCallFunction port_to_count(5072/udp) 0.000000 | HookCallFunction port_to_count(5072/udp)
@ -3609,6 +3630,7 @@
0.000000 | HookLoadFile ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
0.000000 | HookLoadFile ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
@ -3823,6 +3845,7 @@
0.000000 | HookLoadFile base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek 0.000000 | HookLoadFile base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
0.000000 | HookLoadFile base/packet-protocols <...>/packet-protocols 0.000000 | HookLoadFile base/packet-protocols <...>/packet-protocols
0.000000 | HookLoadFile base<...>/CPP-load.bif <...>/CPP-load.bif.zeek 0.000000 | HookLoadFile base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
0.000000 | HookLoadFile base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
0.000000 | HookLoadFile base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
0.000000 | HookLoadFile base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
0.000000 | HookLoadFile base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
@ -3864,6 +3887,7 @@
0.000000 | HookLoadFile base<...>/geneve <...>/geneve 0.000000 | HookLoadFile base<...>/geneve <...>/geneve
0.000000 | HookLoadFile base<...>/geoip-distance <...>/geoip-distance.zeek 0.000000 | HookLoadFile base<...>/geoip-distance <...>/geoip-distance.zeek
0.000000 | HookLoadFile base<...>/gre <...>/gre 0.000000 | HookLoadFile base<...>/gre <...>/gre
0.000000 | HookLoadFile base<...>/gtpv1 <...>/gtpv1
0.000000 | HookLoadFile base<...>/hash <...>/hash 0.000000 | HookLoadFile base<...>/hash <...>/hash
0.000000 | HookLoadFile base<...>/hash_hrw <...>/hash_hrw.zeek 0.000000 | HookLoadFile base<...>/hash_hrw <...>/hash_hrw.zeek
0.000000 | HookLoadFile base<...>/http <...>/http 0.000000 | HookLoadFile base<...>/http <...>/http
@ -3983,6 +4007,7 @@
0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
@ -4197,6 +4222,7 @@
0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek 0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols 0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols
0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
0.000000 | HookLoadFileExtended base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
@ -4238,6 +4264,7 @@
0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
0.000000 | HookLoadFileExtended base<...>/gre <...>/gre 0.000000 | HookLoadFileExtended base<...>/gre <...>/gre
0.000000 | HookLoadFileExtended base<...>/gtpv1 <...>/gtpv1
0.000000 | HookLoadFileExtended base<...>/hash <...>/hash 0.000000 | HookLoadFileExtended base<...>/hash <...>/hash
0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek 0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek
0.000000 | HookLoadFileExtended base<...>/http <...>/http 0.000000 | HookLoadFileExtended base<...>/http <...>/http
@ -4806,6 +4833,7 @@ XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::get_file_handle, <frame>, (
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
@ -4844,6 +4872,7 @@ XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::get_file_handle, <frame>, (
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
@ -4883,6 +4912,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2
XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]) XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG) XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]) XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::GTPV1::remove_gtpv1_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]) XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]) XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])

2
testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
View file

@ -1,5 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|Analyzer::all_registered_ports()|, 4 |Analyzer::all_registered_ports()|, 5
signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
ftp_request 141.142.220.235:50003 - USER anonymous ftp_request 141.142.220.235:50003 - USER anonymous

2
testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
View file

@ -1,5 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|Analyzer::all_registered_ports()|, 4 |Analyzer::all_registered_ports()|, 5
signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous

2
testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|Analyzer::all_registered_ports()|, 4 |Analyzer::all_registered_ports()|, 5

2
testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|Analyzer::all_registered_ports()|, 4 |Analyzer::all_registered_ports()|, 5