Packet Analyzer over TCP

Hello Zeek Community,

I’m trying to develop my first plugin using spicy and now I have trouble getting it up and running with zeek.
The protocol is pretty simple. Two hosts are sharing information over an ongoing tcp connection. I realized (when using a protocol analyzer) zeek sticks to the first packet in the connection. So I tried to switch to a packet analyzer.
Using the following function call PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_TCP, <identifier?>, PacketAnalyzer::ANALYZER_SPICY_MYANALYZER) it seems to register. But no event is triggered.

So my questions are:

  1. Is there a solution with a ProtocolAnalyzer?
  2. How to make the PacketAnalyzer work on top of tcp?
  3. What would the identifier in register_packet_analyzer be when using tcp (since tcp does not have a corresponding field)

Thanks in advance. Hope you all have a wonderful day.

Your zeek noob

Could you explain more what you are seeing and what you would have expected? Could it be that you are running into FAQ — Book of Zeek (git/master)?

Packet analyzers have a different role, and if you want to analyze a protocol on top of TCP you probably do want a protocol analyzer.
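The protocol-analyzer route described above, as an added example that is not code from the original thread or from the Zeek project: a minimal Spicy analyzer attached to TCP, with the parser, its `.evt` glue and a Zeek event handler in one listing. The wire format (a 16-bit length prefix followed by that many bytes of payload), the name `MyProto`, and the port `12345/tcp` are assumptions made for illustration; substitute your own framing and port. The point it demonstrates is that the unit named in `parse with` is run once over the whole TCP stream, so for an ongoing connection the top-level unit must loop over messages (here via the anonymous vector field `: Message[]`) instead of parsing a single message and stopping after the first one.

```spicy
# --- file: myproto.spicy (added example, protocol framing is a constructed assumption) ---
module MyProto;

import zeek;

# Top-level unit handed the entire TCP stream in each direction.
# Parsing a vector of Message keeps going until the connection ends,
# so every message on the long-lived connection is seen, not just the first.
public type Messages = unit {
    : Message[];
};

# One application message: 2-byte big-endian length, then payload.
type Message = unit {
    length:  uint16;
    payload: bytes &size=self.length;

    on %done {
        # Tell Zeek the stream really is this protocol once a message parsed cleanly.
        zeek::confirm_protocol();
    }
};

# --- file: myproto.evt (added example; port is an assumed placeholder) ---
# protocol analyzer spicy::MyProto over TCP:
#     parse with MyProto::Messages,
#     port 12345/tcp;
#
# # Raise a Zeek event for every parsed Message, in either direction.
# on MyProto::Message -> event MyProto::message($conn, $is_orig, self.length, self.payload);

# --- file: myproto.zeek (added example) ---
# module MyProto;
#
# # uint16 arrives as count, bytes as string.
# event MyProto::message(c: connection, is_orig: bool, len: count, payload: string)
#     {
#     print fmt("%s %s len=%d first_bytes=%s",
#               c$id, is_orig ? "orig" : "resp", len, payload[:8]);
#     }
```

Compile the parser and glue with `spicyz -o myproto.hlto myproto.spicy myproto.evt`, then run `zeek -Cr trace.pcap myproto.hlto myproto.zeek` against a capture. If only the first message of a connection triggers the event, check that the top-level unit loops as `Messages` does here; a top-level unit that parses exactly one `Message` finishes after it, and the analyzer sees nothing further on that stream.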

Hello @Benjamin_Bannier,

thank you for the fast response.

It happened to be a mixture of problems on my side. One part had been solved with the Book of Zeek and the other part was a miscalculation. Once I fixed that everything worked just fine.

Thanks again.
