Need some best practices about event tcp_options

hi, zeeker

I need to get the data of the TCP option (kind == 78) from TCP and write it into the conn log. (F5 inserts the real source IP address into a TCP option, aka TOA.)

The normal process is to use the tcp_options event to get all packet options for judgment.

But the tcp_options event is expensive. Is there any better way?

Or can I disable the tcp_options event on this session after getting the required data? Or let Zeek generate a specific event only when kind == 78?

Thank you for your help!
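For reference, here is an added example script (not from the original poster and not part of Zeek) that does what the question describes with the tcp_options event: decode option kind 78 once per connection and carry the result into conn.log. The TOA byte layout is assumed (2-byte port followed by a 4-byte IPv4 address in the option data), since the question does not give it, and the fallback that builds Conn::Info mirrors what base/protocols/conn does if the record does not exist yet.

```zeek
##! Added example: log the client address carried in TCP option kind 78.
##! Assumption: option data = 2-byte port + 4-byte IPv4, network byte order.

module TOA;

export {
	## Option kind used by the load balancer (value taken from the question).
	const toa_kind = 78 &redef;
}

redef record connection += {
	toa_addr: addr &optional;
	toa_port: port &optional;
};

redef record Conn::Info += {
	## Real client endpoint recovered from the TOA option.
	toa_addr: addr &log &optional;
	toa_port: port &log &optional;
};

event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
	{
	# The event cannot be switched off per connection, but after the first
	# hit the handler returns after one record lookup, which is cheap.
	if ( ! is_orig || c?$toa_addr )
		return;

	for ( i in options )
		{
		local o = options[i];
		if ( o$kind != toa_kind || ! o?$data || |o$data| != 6 )
			next;

		# Assumed layout: port (bytes 1-2) then IPv4 address (bytes 3-6).
		c$toa_port = count_to_port(bytestring_to_count(sub_bytes(o$data, 1, 2)), tcp);
		c$toa_addr = raw_bytes_to_v4_addr(sub_bytes(o$data, 3, 4));
		break;
		}
	}

event connection_state_remove(c: connection) &priority=10
	{
	if ( ! c?$toa_addr )
		return;

	# Runs before the priority-5 handler that writes conn.log; make sure
	# Conn::Info exists so the fields are present at write time.
	if ( ! c?$conn )
		c$conn = Conn::Info($ts=c$start_time, $uid=c$uid, $id=c$id,
		                    $proto=get_port_transport_proto(c$id$resp_p));

	c$conn$toa_addr = c$toa_addr;
	c$conn$toa_port = c$toa_port;
	}
```

Load it with `zeek -r trace.pcap toa.zeek` and check the two new columns in conn.log; connections without the option simply log `-` in those fields.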

Unfortunately I don’t believe there’s any better way currently available. If you were up for extending Zeek’s internals, probably the easiest way to go would be to add a new built-in function to extract options for the current packet. If you’re familiar with C++ you could get the gist of how to do this by looking at the implementations of the get_current_packet() BiF and the tcp_options event.