I'm trying to write my first script in Zeek which would allow to make statistics out of TLS packet segments sent and received by client in local network (quantity of packets with same size, list of dest ip by packets sent). Unfortunately, I'm unable to find proper Event or guide which would help me to find a solution for this. May I get an advise of this one?
Asked
Active
Viewed 71 times
1 Answers
0
Zeek has a few packet-level events that might get you started:
- https://docs.zeek.org/en/current/scripts/base/bif/event.bif.zeek.html#id-new_packet
- https://docs.zeek.org/en/current/scripts/base/bif/event.bif.zeek.html#id-raw_packet
- https://docs.zeek.org/en/current/scripts/base/bif/event.bif.zeek.html#id-packet_contents
Note the warning that comes with these events: they incur high per-event overhead since they'll be generated for every packet, so they're most likely not suitable for deployment on live traffic.
Christian
- 1,499
- 2
- 12
- 28