Zeek conn.log questions

Hello.

I’m currently developing a ‘protocol analyzer plugin’ for Zeek.

When I feed a pcap file to the plugin for testing, the UDP packets that are captured by the plugin (and logged by the plugin) do ‘not’ appear in the Zeek “conn.log” log file.

(I do see other UDP-based entries in the conn.log file… mostly for DNS queries… but not for my plugin’s protocol.
Any ideas on how to log ‘all’ TCP/IP and UDP traffic in the conn.log file?
I’m also analyzing the pcap file with Wireshark… so I know what packets I ‘should’ see. Thanks!)

2nd question.
Is there any way to log/capture which UDP packets Zeek sent to a given ‘protocol analyzer’?

(I’ve got some UDP packets that are not being logged by my plugin. Perhaps an ‘exception’ is occurring during the protocol analysis? I’ve seen a couple of terse ‘binpac exception’ error messages in the dpd.log log file.)

3rd question.
Is there any way to log all traffic between a pair of UDP ports? (either in the conn.log or other log file)

Thanks!

Hi Brett,

> Hello.
>
> I'm currently developing a 'protocol analyzer plugin' for Zeek.
>
> When I feed a pcap file to the plugin for testing, the UDP packets that are captured by the plugin (and logged by the plugin) do 'not' appear in the Zeek "conn.log" log file.
>
> (I do see other UDP-based entries in the conn.log file... mostly for DNS queries... but not for my plugin's protocol.
> Any ideas on how to log 'all' TCP/IP and UDP traffic in the conn.log file?
> I'm also analyzing the pcap file with Wireshark... so I know what packets I 'should' see. Thanks!)

For UDP flows conn.log should capture all interactions, so most likely there's something else going on. I'm attaching a pcap of a single UDP packet with random data, and you should see it in conn.log.

The conn.log entries get written at the end of a flow's state lifetime in Zeek, so one reason that comes to mind is that your analyzer processes and logs things immediately, while for conn.log things should happen later but don't. If you're using Zeek 3.2+, check whether your pcap is truncated: if conn.log doesn't end with a "#close" tag, that might be the culprit. You can then fix the pcap by filtering it through a "tcpdump -r ... -w ...".

In case your pcap has corrupted checksums you could also try running Zeek with -C, though I suspect that's not the problem here.

There's more discussion of the truncation issue here:

> 2nd question.
> Is there any way to log/capture which UDP packets Zeek sent to a given 'protocol analyzer'?

You can compile Zeek with --enable-debug and run it with "-B dpd", which enables a DPD-specific debugging log stream in debug.log. It traces a lot of DPD's operation.

> 3rd question.
> Is there any way to log all traffic between a pair of UDP ports? (either in the conn.log or other log file)

This should already be happening, so your problem is something else.

Hope this helps,
Christian

udp-random-package.pcap (1.08 KB)
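As an added example (not code from the thread or from Zeek), the two checks Christian's reply points at, run against a constructed conn.log: whether the file ends with the "#close" footer that a truncated pcap leaves missing, and whether conn.log already holds the flows between a given pair of ports. The analyzer port 4000, the uids and the addresses are constructed sample data; the repair helper wraps the tcpdump/zeek re-run he describes.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a Zeek conn.log in its
# default tab-separated ASCII format (#fields header, #close footer).
set -eu

# Constructed sample conn.log: a DNS flow, one UDP and one TCP flow on the
# hypothetical analyzer port 4000, then the footer Zeek writes on a clean finish.
write_sample_conn_log() {
  {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n'
    printf '1600000000.000000\tCAbc1\t10.0.0.5\t53211\t10.0.0.1\t53\tudp\tdns\n'
    printf '1600000001.000000\tCAbc2\t10.0.0.5\t40001\t10.0.0.9\t4000\tudp\t-\n'
    printf '1600000002.000000\tCAbc3\t10.0.0.5\t40002\t10.0.0.9\t4000\ttcp\t-\n'
    printf '#close\t2020-09-13-12-00-03\n'
  } > "$1"
}

# First question: conn.log rows are flushed when flow state expires, so a log
# whose last line is not "#close" means Zeek stopped early (truncated pcap).
conn_log_is_closed() {
  [ "$(tail -n 1 "$1" | cut -f 1)" = "#close" ]
}

# Christian's remedy for that case: rewrite the pcap through tcpdump and re-run
# Zeek on the result (add -C to the zeek command if checksums are corrupted).
rerun_zeek_on_repaired_pcap() {
  tcpdump -r "$1" -w "$2" && zeek -r "$2"
}

# Third question: print uid and proto of every flow between two ports, either
# direction. Columns are located via the #fields header, not hard-coded.
flows_between_ports() {
  awk -F '\t' -v a="$2" -v b="$3" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    {
      op = $(col["id.orig_p"]); rp = $(col["id.resp_p"])
      if ((op == a && rp == b) || (op == b && rp == a))
        print $(col["uid"]), $(col["proto"])
    }' "$1"
}

# Demo on the constructed sample; for a real run point both checks at conn.log.
dir=$(mktemp -d)
write_sample_conn_log "$dir/conn.log"
conn_log_is_closed "$dir/conn.log" && echo "footer present: pcap was read to the end"
flows_between_ports "$dir/conn.log" 4000 40001
```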