VRRP/CARP Packet Analyser


In my weird.log, I’ve noticed unknown_protocol_112 showing up regularly for me. I believe this to be the Virtual Router Redundancy Protocol (VRRP), which does match up with CARP that’s enabled on our OpenBSD firewalls.

Before I start looking further, has anyone built a parser for Zeek already? If not, I’ll start reading the protocol spec and seeing if I’m able to write one. I believe it to be useful to have the protocol analyzed for noticing any anomalies, etc.


I haven't heard of anyone working on this fwiw. Feel free to reach out again if you need help with anything!