Zeek::PIA analyzer details

Hello.

Does anyone have any additional documentation for the Zeek::PIA plugin?

What does “PIA” stand for?

There are two plugin instantiations within the plugin code, i.e.
Analyzer::ANALYZER_TCP
Analyzer::ANALYZER_UDP

The plugin’s ‘description’ field says: “Analyzers implementing Dynamic Protocol”

Are these for packet-level analysis (i.e. OSI Layer 2 protocols)?

Thanks,

Hi Brett,

It stands for “protocol independent analysis” and refers to Zeek’s ability to analyze application-layer protocols on top of TCP/UDP independent of their ports. The PIA is the component that figures out which protocol analyzer to use for a given session.

This is not related to packet level analysis. For that, the upcoming Zeek 4.0 introduces a new notion of “packet analyzers”, see https://docs.zeek.org/en/master/frameworks/packet-analysis.html

Robin
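The port-independent behaviour Robin describes can be observed from script land: once the PIA/DPD machinery has matched a payload signature and the chosen analyzer confirms the protocol, Zeek raises `protocol_confirmation` (the Zeek 3.x-era name of the event) regardless of which port the session used. The script below is an added example, not part of the original thread and not Zeek’s own code; it reports confirmations that happened on a port other than the ones registered for that analyzer. The module name, notice type and the `on_registered_port` helper are assumptions for illustration.

```zeek
# Added example (not from the original thread or from Zeek itself): flag
# application-layer protocols that DPD confirmed on a port that is not one
# of the analyzer's registered ports, i.e. the port-independent case that
# PIA exists for. Uses the Zeek 3.x-era protocol_confirmation event.
# Module name, notice type and helper name are assumptions for illustration.

@load base/frameworks/notice
@load base/frameworks/analyzer

module PIADemo;

export {
	redef enum Notice::Type += {
		## Raised when an analyzer was confirmed on a non-registered port.
		Protocol_On_Unexpected_Port,
	};
}

# Returns T when the responder port is one of the ports the analyzer is
# registered for (the well-known-port case), F otherwise.
function on_registered_port(atype: Analyzer::Tag, p: port): bool
	{
	local ports = Analyzer::registered_ports();
	return atype in ports && p in ports[atype];
	}

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	# PIA matched a DPD signature in the payload and the analyzer then
	# confirmed the protocol; c$id$resp_p is the server port actually used.
	if ( on_registered_port(atype, c$id$resp_p) )
		return;

	NOTICE([$note=Protocol_On_Unexpected_Port,
	        $conn=c,
	        $msg=fmt("%s confirmed on %s, which is not a registered port for this analyzer",
	                 Analyzer::name(atype), c$id$resp_p),
	        $identifier=cat(c$id$resp_h, c$id$resp_p, Analyzer::name(atype))]);
	}
```

Run it against a trace with, for example, `zeek -r trace.pcap pia_demo.zeek` and look at notice.log: an HTTP server on 8888 or an SSH server on 2222 shows up because the DPD signatures shipped in the `base/protocols/*/dpd.sig` files, not the port number, triggered the analyzer. Setting a notice `$identifier` keeps one notice per host/port/protocol triple rather than one per connection.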