Unknown protocol handling in zeek

Hi,
I am trying to print unknown protocols w.r.t. the zeek protocol analyzers in my script. So, I searched for a similar feature in zeek and saw that the unknown_protocol() event is there. I am using zeek 6.1.1, and that event is present. So, I tried a simple script as below, but zeek is not producing any event for unknown protocols like hart-ip, bsap-ip, omron etc. Is there anything else I am missing while using this feature?


redef enum Log::ID += { LOG_UNKNOWN };  # stream id; assumed, not shown in the post
type Unknown_Info: record {             # log record; assumed, not shown in the post
        ts: time &log;
        analyzer: string &log;
        protocol_id: string &log;
        protocol_id_num: count &log;
        first_bytes: string &log;
        };
event zeek_init()
        {
        # The stream must exist before Log::write() is called below.
        Log::create_stream(LOG_UNKNOWN, [$columns=Unknown_Info, $path="unknown"]);
        }

event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
        {
        local un_info: Unknown_Info;
        un_info$ts = network_time();
        un_info$analyzer = analyzer_name;       # analyzer that saw the unknown next-layer protocol
        un_info$protocol_id = fmt("0x%x", protocol);
        un_info$protocol_id_num = protocol;
        un_info$first_bytes = bytestring_to_hexstr(first_bytes);
        print "Unknown protocol dump", un_info;
        Log::write(LOG_UNKNOWN, un_info);
        }

Thanks
Biswa

@awelzel Can you please comment on this?
The requirement is to get an event for an unknown protocol along with its 5-tuple (srcip, dstip, srcport, dstport, protocol number). It should work independently alongside the other enabled analyzers.

Hello @biswa61 - the unknown_protocol event is meant for layer 2 / layer 3. If the protocols you mention are all on top of UDP or TCP (is that true for omron?) then unknown_protocol isn’t the event you’re looking for.

Is your requirement to flag unknown application protocols on top of TCP or UDP?

There’s dpd/detect-protocols.zeek which isn’t exactly what you’re looking for, but maybe a starting point?
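One way to meet the stated requirement for the TCP/UDP case (log the 5-tuple of connections that no protocol analyzer recognized), as an added example that is not from this thread and not part of Zeek's own scripts; the module name, stream id and record type are my own, and it relies only on the standard connection_state_remove event and the c$service set:

```zeek
# Added example (not from the thread): log TCP/UDP connections that ended
# without any protocol analyzer confirming a service, with their 5-tuple.
# Module name, stream id and record type are assumptions, not Zeek's own.
module UnknownApp;

export {
        redef enum Log::ID += { LOG };

        type Info: record {
                ts:         time            &log;   # when Zeek removed the connection
                uid:        string          &log;   # connection uid, for pivoting to conn.log
                id:         conn_id         &log;   # orig_h, orig_p, resp_h, resp_p
                proto:      transport_proto &log;   # fifth element of the 5-tuple
                orig_bytes: count           &log;   # payload seen from originator
                resp_bytes: count           &log;   # payload seen from responder
        };
}

event zeek_init()
        {
        Log::create_stream(LOG, [$columns=Info, $path="unknown_app"]);
        }

event connection_state_remove(c: connection)
        {
        local proto = get_port_transport_proto(c$id$resp_p);

        # Only transport protocols that carry application payload.
        if ( proto != tcp && proto != udp )
                return;

        # c$service holds every analyzer that confirmed the protocol; an empty
        # set means neither a built-in nor a custom analyzer recognized it, so
        # this keeps working independently of whatever analyzers are enabled.
        if ( |c$service| > 0 )
                return;

        # Connections that never carried payload had nothing to identify.
        if ( c$orig$size == 0 && c$resp$size == 0 )
                return;

        Log::write(LOG, Info($ts=network_time(), $uid=c$uid, $id=c$id, $proto=proto,
                             $orig_bytes=c$orig$size, $resp_bytes=c$resp$size));
        }
```

Run it as `zeek -r capture.pcap unknown_app.zeek` and the unrecognized flows appear in unknown_app.log; compare against conn.log by uid when a flow turns out to be a known protocol on a non-standard port.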

Yes, any protocol may be on layer 2 or layer 3 (on top of tcp/udp), whichever zeek is not able to recognize using an inbuilt or custom analyzer, if zeek can log or send a notification. The goal is to see such packets, having an unknown protocol (5-tuple), flowing in my network.

Thanks @awelzel for the reply.

Regards
Biswa