Hello,
I wonder if Zeek has the capability to selectively dump packets to pcaps that are associated with specific TCP/UDP connections during a live analysis.
I’m aware that Zeek offers the -w option to dump packets being analyzed to pcap. However, we are not interested in dumping all packets, but only those from certain connections.
Here are some related discussions I found:
- Is it possible to extract the pcap from connection? · Issue #2073 · zeek/zeek · GitHub
- dump_packet and dump_current_packet ignores file name
- Dump all analyzed traffic to pcap files · Issue #1486 · zeek/zeek · GitHub
- Extracting packets from a particular connection
From what I can gather, there seem to be two possible solutions:
- Zeek provides the dump_packet functions. My assumption is that if I can extract the pcap_packet type from a conn under a Zeek script, I can then dump all packets associated with that connection by calling this function.
- The second option involves the set_record_packets function, also mentioned in this post. It states:
"Controls whether packet contents belonging to a connection should be recorded (when -w option is provided on the command line)."
Thus, as I understand it, set_record_packets controls whether packets are dumped or not in conjunction with the -w option. If it’s set to false, Zeek won’t dump packets even with the -w option. Only if it’s set to true will Zeek dump the corresponding packets. And since the function takes cid: conn_id as an argument, if I provide a specific conn id, Zeek will dump all packets of that connection when the -w option is used.
I also have a third question related to the lifespan of a packet’s raw data. According to the Packet.h source code, the raw data of a packet is stored in the data field of the Packet class:
// These are passed in through the constructor.
// ...
const u_char* data = nullptr; /// Packet data.
However, when Zeek is about to process the next packet, it initializes the Packet instance:
void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, uint32_t arg_len,
                  const u_char* arg_data, bool arg_copy, std::string arg_tag)
    {
    if ( data && copy )
        delete[] data;
    ...
During this initialization, it seems to first delete the raw data of the previous packet. Therefore, it appears to me that the raw data of a packet is freed when Zeek is about to process the next packet, which would make the time window for dumping a packet from a connection quite short.
I’m not certain if my understanding is accurate, or if Zeek retains the raw data of packets for a particular connection until the entire connection has been processed, for example only when the connection_state_remove event has been triggered.
Thank you for your time and assistance.
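A script sketch of the second option, added here as an illustration and not taken from the post or from Zeek's own sources. It assumes set_record_packets(cid: conn_id, do_record: bool) behaves as the quoted doc string says when Zeek runs with -w; the port set, the host set and the use of the Notice::policy hook are this example's own choices.

```zeek
##! Keep only selected connections in the file written by `zeek -i <iface> -w selected.pcap`.
##! Example script, not part of the original post or of Zeek itself.

module SelectiveDump;

export {
	## Server ports whose connections are always recorded (constructed sample).
	const record_ports: set[port] = { 22/tcp, 3389/tcp } &redef;

	## Hosts whose connections are always recorded (constructed sample).
	const record_hosts: set[addr] = { 192.0.2.10 } &redef;
}

# Decide up front whether a connection is worth keeping in the pcap.
function wanted(c: connection): bool
	{
	return c$id$resp_p in record_ports
	    || c$id$orig_h in record_hosts
	    || c$id$resp_h in record_hosts;
	}

# -w records every connection's packets unless told otherwise, so the flag is
# cleared for uninteresting connections as soon as Zeek knows about them.
event new_connection(c: connection)
	{
	set_record_packets(c$id, wanted(c));
	}

# Turn recording back on for a connection that later raises a notice, so the
# rest of that connection lands in the pcap together with the notice.
# Assumption: packets seen while the flag was off are not written retroactively,
# consistent with the post's observation that raw packet data does not outlive
# the packet.
hook Notice::policy(n: Notice::Info)
	{
	if ( n?$id )
		set_record_packets(n$id, T);
	}
```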