Analysing a pcap using zeek

prajwalShavi · August 5, 2022, 11:55am

Hello!

I am trying to analyze a pcap file in which I want to retrieve all the source IP and destination IP and also want to add two fields which says that the source IP and destination IP belongs to which class.

I’m able to create a new log file named “origs” that has “ts”, “id.orig_h”,“id.resp_h”. How can I add new fields to the same log file.

Below is the pseudo-code.

event zeek_init()
{
    # Add a new filter to the Conn::LOG stream that logs only
    local filter: Log::Filter = [$name="orig-only", $path="origs",
                                 $include=set("ts", "id.orig_h","id.resp_h")];
    
    Log::add_filter(Conn::LOG, filter);
}

Please help me…

JustinAzoff · August 13, 2022, 10:53pm

HI,

You can add fields to a log by redef’ing the log record type. See here: Logging Framework — Book of Zeek (git/master)

That example is for extending the conn log and is exactly what you are looking to do.

Topic		Replies	Views
Filtering help Zeek	11	1015	May 6, 2022
How to add process field to conn.log? Development	2	421	January 5, 2023
Zeek conn.log questions Zeek	2	363	May 6, 2022
How to enrich conn logs through a CSV file？ Zeek training	2	378	November 30, 2023
Extract IP Header Options Zeek	2	84	May 6, 2022

Analysing a pcap using zeek

Related topics