Is it possible to inspect TCP reserved bits with Zeek?

Hi All,

I’m testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with help of TCP events. Unfortunately without success.

Is it possible to inspect TCP reserved bits with Zeek events? If not is there any other possible way to detect wheter those bits where changed?

Best regards,
Tomasz Koziak

I didn't see any events that currently carry the reserved bits, but it
would be simple to extend existing ones like `new_packet` and
`raw_packet`. You can find an example patch for that in the
`topic/jsiwek/tcp-hdr-reserved-bits` branch here:

Let me know if that works for your purposes and I'll turn it into a
pull request.

- Jon

Hi Jon.

Thank you, it’s working properly.
In the first place, I have modified the TCP_Flags.h to catch those bits, but your solution seems to be better.