117 lines
3.3 KiB
ReStructuredText
117 lines
3.3 KiB
ReStructuredText
:tocdepth: 3
|
|
|
|
base/bif/plugins/Zeek_ARP.events.bif.zeek
|
|
=========================================
|
|
.. zeek:namespace:: GLOBAL
|
|
|
|
|
|
:Namespace: GLOBAL
|
|
|
|
Summary
|
|
~~~~~~~
|
|
Events
|
|
######
|
|
========================================== =====================================================
|
|
:zeek:id:`arp_reply`: :zeek:type:`event` Generated for ARP replies.
|
|
:zeek:id:`arp_request`: :zeek:type:`event` Generated for ARP requests.
|
|
:zeek:id:`bad_arp`: :zeek:type:`event` Generated for ARP packets that Zeek cannot interpret.
|
|
========================================== =====================================================
|
|
|
|
|
|
Detailed Interface
|
|
~~~~~~~~~~~~~~~~~~
|
|
Events
|
|
######
|
|
.. zeek:id:: arp_reply
|
|
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
|
|
|
|
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
|
|
|
|
Generated for ARP replies.
|
|
|
|
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
|
|
for more information about the ARP protocol.
|
|
|
|
|
|
:param mac_src: The reply's source MAC address.
|
|
|
|
|
|
:param mac_dst: The reply's destination MAC address.
|
|
|
|
|
|
:param SPA: The sender protocol address.
|
|
|
|
|
|
:param SHA: The sender hardware address.
|
|
|
|
|
|
:param TPA: The target protocol address.
|
|
|
|
|
|
:param THA: The target hardware address.
|
|
|
|
.. zeek:see:: arp_request bad_arp
|
|
|
|
.. zeek:id:: arp_request
|
|
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
|
|
|
|
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
|
|
|
|
Generated for ARP requests.
|
|
|
|
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
|
|
for more information about the ARP protocol.
|
|
|
|
|
|
:param mac_src: The request's source MAC address.
|
|
|
|
|
|
:param mac_dst: The request's destination MAC address.
|
|
|
|
|
|
:param SPA: The sender protocol address.
|
|
|
|
|
|
:param SHA: The sender hardware address.
|
|
|
|
|
|
:param TPA: The target protocol address.
|
|
|
|
|
|
:param THA: The target hardware address.
|
|
|
|
.. zeek:see:: arp_reply bad_arp
|
|
|
|
.. zeek:id:: bad_arp
|
|
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
|
|
|
|
:Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
|
|
|
|
Generated for ARP packets that Zeek cannot interpret. Examples are packets
|
|
with non-standard hardware address formats or hardware addresses that do not
|
|
match the originator of the packet.
|
|
|
|
|
|
:param SPA: The sender protocol address.
|
|
|
|
|
|
:param SHA: The sender hardware address.
|
|
|
|
|
|
:param TPA: The target protocol address.
|
|
|
|
|
|
:param THA: The target hardware address.
|
|
|
|
|
|
:param explanation: A short description of why the ARP packet is considered "bad".
|
|
|
|
.. zeek:see:: arp_reply arp_request
|
|
|
|
.. todo:: Zeek's current default configuration does not activate the protocol
|
|
analyzer that generates this event; the corresponding script has not yet
|
|
been ported. To still enable this event, one needs to
|
|
register a port for it or add a DPD payload signature.
|
|
|
|
|