Extract IP Header Options

Justin_Mullins · April 4, 2019, 8:45pm

Hi,

I was wondering is there an existing way in Zeek to log IP Header Options? The conn log has a lot of the IP Header fields but not the IP Header “Options” field data. Specifically looking at logging data related to CIPSO packet labeling (reference: https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01).

If not, can anyone point me to a decent example of a bro script logging similar data from the IP Header? (it’s been quite a few years since I’ve looked at bro scripts and I haven’t found any examples doing something similar to what I want)

Thank guys any information you can provide would be helpful!

Jon_Siwek · April 4, 2019, 11:19pm

Doesn't look like it, but you can try hacking it in. For example, add
the Options data as a field to the ip4_hdr record:

https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/scripts/base/init-bare.bro#L1515-L1524

Add code to populate it here:

https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/src/IP.cc#L311-L322

Then consume the data via a new_packet event handler:

https://docs.zeek.org/en/latest/scripts/base/bif/event.bif.bro.html#id-new_packet

- Jon

Topic		Replies	Views
Analysing a pcap using zeek Zeek zeekinaction , zeekweek	1	370	August 13, 2022
MAC Address In Logs Zeek	9	896	May 6, 2022
Want output all http logs Zeek development	3	370	June 26, 2023
Zeek/Bro DNS log missing type Zeek	4	122	May 6, 2022
How to add process field to conn.log? Development	2	421	January 5, 2023

Extract IP Header Options

Related topics