zeek/doc/scripts/base/protocols/conn/index.rst
Tim Wojtulewicz ded98cd373 Copy docs into Zeek repo directly
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
2025-09-26 02:58:29 +00:00

:orphan:

Package: base/protocols/conn
============================

Support for connection (TCP, UDP, or ICMP) analysis.

:doc:`/scripts/base/protocols/conn/removal-hooks.zeek`

   Adds a framework for registering "connection removal hooks".
   All registered hooks for a given connection get run within the
   :zeek:see:`connection_state_remove` event for that connection.
   This functionality is useful for performance/scaling reasons:
   if every new protocol-analysis script uses
   :zeek:see:`connection_state_remove` to implement its finalization/cleanup
   logic, then all connections take the performance hit of dispatching that
   event, even if they aren't related to that specific protocol.

:doc:`/scripts/base/protocols/conn/__load__.zeek`

:doc:`/scripts/base/protocols/conn/main.zeek`

   This script manages the tracking/logging of general information regarding
   TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
   be interpreted using flow semantics (a sequence of packets from a source
   host/port to a destination host/port). Further, ICMP "ports" are to
   be interpreted with the source port meaning the ICMP message type and
   the destination port meaning the ICMP message code.

:doc:`/scripts/base/protocols/conn/contents.zeek`

   This script can be used to extract either the originator's data, the
   responder's data, or both. By default nothing is extracted; to
   actually extract data, the ``c$extract_orig`` and/or the
   ``c$extract_resp`` variable must be set to ``T``. One way to achieve this
   would be to handle the :zeek:id:`connection_established` event elsewhere
   and set the ``extract_orig`` and ``extract_resp`` options there.
   However, there may be trouble with the timing due to event queue delay.

   .. note::

      This script does not work well in a cluster context unless it has a
      remotely mounted disk to write the content files to.

:doc:`/scripts/base/protocols/conn/inactivity.zeek`

   Adjusts the inactivity timeouts for interactive services, which may
   well have long delays between packets.

:doc:`/scripts/base/protocols/conn/polling.zeek`

   Implements a generic way to poll connections looking for certain features
   (e.g. to monitor bytes transferred). The specific feature of a connection
   to look for, the polling interval, and the code to execute if the feature
   is found are all controlled by user-defined callback functions.

:doc:`/scripts/base/protocols/conn/thresholds.zeek`

   Implements a generic API to throw events when a connection crosses a
   fixed threshold of bytes or packets.