The tcp_contents event was triggerred succesfully on try zeek website but reported errors locally

mchen · March 22, 2023, 3:58am

Hello,

I’m attempting to retrieve TCP payloads through the “tcp_contents” event, and I tried a simple demo script as below.

# Redefine tcp_content_deliver_all_orig/resp to deliver all requests/responses
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    local end_point = is_orig ? "originator" : "responder";
    print fmt("TCP contents of connection %s (%s):", c$uid, end_point);
    print contents;
    }

The script ran successfully on the https://try.bro.org website with Zeek version 5.1.0 and the exercise_traffic.pcap file.

However, when I tried to run the same script locally using the command zeek -r sample.pcap demo.zeek, I received errors from Zeek as follows:

error in ./demo.zeek, line 33 and /home/zeek/Workspace/zeek-5.2.0-rc2/share/zeek/base/bif/plugins/./Zeek_TCP.events.bif.zeek, line 319: use of undeclared alternate prototype (event(c:connection; is_orig:bool; contents:string;) and tcp_contents)

I suspect that the use of undeclared alternate prototype error indicating the script requires some other dependent scripts to be loaded. I have tried to load some, but without success. I do not know the exact command that was run on the try.zeek website, so I wonder if could help to point out what the errors are.

Thank you!

Benjamin_Bannier · March 22, 2023, 6:49am

Could you share the code you are actually running? The error message mentions an error on line 33 of demo.zeek while the snippet you posted has only 10 lines.

I suspect on line 33 in your actual file you use some other signature for tcp_contents since the error message mentions

event(c:connection; is_orig:bool; contents:string)

while tcp_contents in base/bif/plugins/Zeek_TCP.events.bif.zeek and the implementation you used in above snippet both have the signature

event(c: connection, is_orig: bool, seq: count, contents: string)

mchen · March 22, 2023, 10:06am

Thanks for letting me know! I double-checked and realized that the demo script I tried online was actually right, just like you mentioned. However, when tried to run it locally, I must have mistakenly typed the event’s signature. Your help is greatly appreciated!

Topic		Replies	Views
zeek performance with some events activated Zeek	4	70	May 6, 2022
Method to detect tcp urgent flag Zeek	1	95	May 6, 2022
Some wrong in "ssl.og" Zeek	2	190	August 15, 2023
Zeek script to look for first few packets Zeek	3	171	May 6, 2022
"Error: alternate function prototype already exists" for custom event Zeek development	4	333	August 2, 2022

The tcp_contents event was triggerred succesfully on try zeek website but reported errors locally

Related Topics