zeek/doc/scripts/base/protocols/conn/index.rst
Jon Siwek 7e9d48f532 Remove broxygen Sphinx integration
The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
2018-12-18 10:15:22 -06:00


:orphan:

Package: base/protocols/conn
============================

Support for connection (TCP, UDP, or ICMP) analysis.

:doc:`/scripts/base/protocols/conn/__load__.bro`

:doc:`/scripts/base/protocols/conn/main.bro`

   This script manages the tracking/logging of general information regarding
   TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
   be interpreted using flow semantics (a sequence of packets from a source
   host/port to a destination host/port). Further, ICMP "ports" are to
   be interpreted as follows: the source port is the ICMP message type and
   the destination port is the ICMP message code.

:doc:`/scripts/base/protocols/conn/contents.bro`

   This script can be used to extract either the originator's data, the
   responder's data, or both. By default nothing is extracted; to
   actually extract data, the ``c$extract_orig`` and/or the
   ``c$extract_resp`` variable must be set to ``T``. One way to achieve this
   is to handle the :bro:id:`connection_established` event elsewhere
   and set the ``extract_orig`` and ``extract_resp`` options there.
   However, there may be trouble with the timing due to event queue delay.

   .. note::

      This script does not work well in a cluster context unless it has a
      remotely mounted disk to write the content files to.

:doc:`/scripts/base/protocols/conn/inactivity.bro`

   Adjusts the inactivity timeouts for interactive services, which could
   very possibly have long delays between packets.

:doc:`/scripts/base/protocols/conn/polling.bro`

   Implements a generic way to poll connections looking for certain features
   (e.g. monitoring bytes transferred). The specific feature of a connection
   to look for, the polling interval, and the code to execute if the feature
   is found are all controlled by user-defined callback functions.

:doc:`/scripts/base/protocols/conn/thresholds.bro`

   Implements a generic API to throw events when a connection crosses a
   fixed threshold of bytes or packets.
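The ``connection_established`` handler the paragraph above describes, written out as an added example rather than code taken from the Zeek distribution. The module name and the ``extract_ports`` set are constructed for illustration; only ``c$extract_orig``, ``c$extract_resp`` and ``Conn::default_extract`` come from contents.bro. The timing caveat still applies: if the handler runs late, the first bytes of the connection can be missed.

```zeek
@load base/protocols/conn/contents

# Hypothetical module name; not part of the Zeek distribution.
module ContentsExample;

export {
    ## Responder ports whose payload should be written to disk.
    ## Constructed example set; adjust for the environment being monitored.
    const extract_ports: set[port] = { 21/tcp, 23/tcp } &redef;
}

event connection_established(c: connection)
    {
    # Leave every other connection at the default (Conn::default_extract is F
    # unless redefined, so nothing is written for them).
    if ( c$id$resp_p !in extract_ports )
        return;

    # Both directions are written to separate content files; set only one of
    # the two flags to capture a single side of the conversation.
    c$extract_orig = T;
    c$extract_resp = T;
    }
```

Redefining ``Conn::default_extract`` to ``T`` instead extracts every connection without any handler, at a correspondingly larger disk cost.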
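An added example of the polling API described above; it is not code from polling.bro itself. ``ConnPolling::watch`` and the callback signature ``function(c: connection, cnt: count): interval`` are what the script exports; the module name, the byte limit and the back-off schedule are constructed for this illustration.

```zeek
@load base/protocols/conn/polling

# Hypothetical module name; not part of the Zeek distribution.
module PollingExample;

export {
    ## Constructed limit: stop polling once the responder has sent this much.
    const resp_bytes_limit: count = 1048576 &redef;
}

# Callback run on every poll. `cnt` is the poll counter the framework hands
# back (incremented by one per call). The return value is the delay until the
# next poll; returning 0secs ends polling for this connection.
function check_resp_bytes(c: connection, cnt: count): interval
    {
    if ( c$resp$size >= resp_bytes_limit )
        {
        Reporter::info(fmt("%s: responder sent %d bytes after %d polls",
                           c$uid, c$resp$size, cnt));
        return 0secs;
        }

    # Poll quickly at first, then back off for long-lived quiet connections.
    return cnt < 3 ? 5secs : 30secs;
    }

event connection_established(c: connection)
    {
    # Start the counter at 0 and fire the first poll 5 seconds from now.
    ConnPolling::watch(c, check_resp_bytes, 0, 5secs);
    }
```

Polling is scheduled per connection, so a callback that returns a short interval on every call across many connections adds a proportional number of scheduled events; returning ``0secs`` as soon as the condition of interest is settled keeps that bounded.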
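An added example of the threshold API, not code from thresholds.bro: it arms a one-shot byte threshold on the originator side of each connection and handles the event the script raises when it is crossed. ``ConnThreshold::set_bytes_threshold`` and ``ConnThreshold::bytes_threshold_crossed`` are the script's own exports; the module name and the 10 MiB value are constructed.

```zeek
@load base/protocols/conn/thresholds

# Hypothetical module name; not part of the Zeek distribution.
module ThresholdExample;

export {
    ## Constructed threshold (10 MiB) on bytes sent by the originator.
    const orig_bytes_threshold: count = 10485760 &redef;
}

event connection_established(c: connection)
    {
    # is_orig=T watches originator->responder bytes. The call returns F if the
    # threshold could not be armed (e.g. it was already set on this connection).
    if ( ! ConnThreshold::set_bytes_threshold(c, orig_bytes_threshold, T) )
        Reporter::warning(fmt("%s: could not arm byte threshold", c$uid));
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    # Only the originator-side threshold was armed, but the event is shared,
    # so check the direction before acting on it.
    if ( ! is_orig )
        return;

    Reporter::info(fmt("%s: %s sent more than %d bytes to %s:%s",
                       c$uid, c$id$orig_h, threshold, c$id$resp_h, c$id$resp_p));
    }
```

Each threshold fires once; to keep watching the same connection at a higher level, set a new threshold from inside the ``bytes_threshold_crossed`` handler. The same pattern applies to packet counts via ``set_packets_threshold`` and ``packets_threshold_crossed``.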