mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
:tocdepth: 3

base/protocols/conn/contents.zeek
=================================
.. zeek:namespace:: Conn

This script can be used to extract either the originator's data or the
responder's data or both. By default nothing is extracted, and in order
to actually extract data the ``c$extract_orig`` and/or the
``c$extract_resp`` field must be set to ``T``. One way to achieve this
would be to handle the :zeek:id:`connection_established` event elsewhere
and set the ``extract_orig`` and ``extract_resp`` fields there.
However, there may be trouble with the timing due to event queue delay.

.. note::

   This script does not work well in a cluster context unless it has a
   remotely mounted disk to write the content files to.

:Namespace: Conn
:Imports: :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`

Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ==================================================================
:zeek:id:`Conn::default_extract`: :zeek:type:`bool` :zeek:attr:`&redef`     If this variable is set to ``T``, then all contents of all
                                                                            connections will be extracted.
:zeek:id:`Conn::extraction_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The prefix given to files containing extracted connections as they
                                                                            are opened on disk.
=========================================================================== ==================================================================

Redefinitions
#############
============================================ ==================================================================================================================
:zeek:type:`connection`: :zeek:type:`record`

                                             :New Fields: :zeek:type:`connection`

                                               extract_orig: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`

                                               extract_resp: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
============================================ ==================================================================================================================

Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Conn::default_extract
   :source-code: base/protocols/conn/contents.zeek 25 25

   :Type: :zeek:type:`bool`
   :Attributes: :zeek:attr:`&redef`
   :Default: ``F``

   If this variable is set to ``T``, then all contents of all
   connections will be extracted.

.. zeek:id:: Conn::extraction_prefix
   :source-code: base/protocols/conn/contents.zeek 21 21

   :Type: :zeek:type:`string`
   :Attributes: :zeek:attr:`&redef`
   :Default: ``"contents"``

   The prefix given to files containing extracted connections as they
   are opened on disk.
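The per-connection opt-in described at the top of this page, combined with the two runtime options above, as an added example that is not part of the Zeek distribution. The set ``extract_ports``, the port ``8080/tcp`` and the prefix ``"contents-dmz"`` are assumptions chosen for illustration.

```zeek
# Added example, not Zeek's own code: extract content only for
# connections to a chosen service instead of redef'ing
# Conn::default_extract = T and writing every stream to disk.
@load base/protocols/conn/contents

# Prefix for the files opened on disk; "contents-dmz" is an assumed value.
redef Conn::extraction_prefix = "contents-dmz";

# Assumed, hypothetical set of responder ports whose traffic is kept.
const extract_ports: set[port] = { 8080/tcp } &redef;

# The hook the page recommends: set the two connection fields once the
# handshake completes. They default to Conn::default_extract (F), so
# leaving them untouched means nothing is written for any other flow.
event connection_established(c: connection)
	{
	if ( c$id$resp_p in extract_ports )
		{
		c$extract_orig = T;
		c$extract_resp = T;
		}
	}
```

As the page warns, the handler only runs after the event queue delay, so bytes delivered before it fires can be missed, and on a cluster the files are written by whichever worker saw the connection.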