# See the file "COPYING" in the main distribution directory for copyright.
# Copyright (c) 2023, NCC Group / Fox-IT. See COPYING for details.

%doc-id = Zeek::QUIC;
%doc-description = "QUIC analyzer";

protocol analyzer QUIC over UDP:
    parse originator with QUIC::RequestFrame,
    parse responder with QUIC::ResponseFrame;

import QUIC;

on QUIC::InitialPacket -> event QUIC::initial_packet($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id);

on QUIC::RetryPacket -> event QUIC::retry_packet($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id, self.retry_token, self.integrity_tag);

on QUIC::HandshakePacket -> event QUIC::handshake_packet($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id);

on QUIC::ZeroRTTPacket -> event QUIC::zero_rtt_packet($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id);

on QUIC::ConnectionClosePayload -> event QUIC::connection_close_frame($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id,
                                                                      self.error_code.result_, self.reason_phrase);

on QUIC::UnhandledVersion -> event QUIC::unhandled_version($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id);