Zeek traffic capture on loopback ip

Hello Awelzel, i have done so much with your massive input.
Just like i have earlier said, i am doing this for the purpose of school project.
But, I am already in love with DPI.
I would like to seek some professional input from this group on a research project I am presently working on at the University.
See details of what i have done, and where i am at the moment.
I am working on Deep Packet Inspection of security protocols Using Zeek.
The Protocols are automatically generated by Anbx compiler through Eclipse.
when i run the AnBx compiler, i used Wireshark to capture the traffic generated and in-turn saved this pcapng file. I am using zeek to analyse the pcapng file with zeek -r
I do not have any error returned but i don’t find the analysis in the zeek logs. I have tried to move the pcapng file into my container tmp, yet same issue.

I want to achieve two things;

  1. either to capture the traffic of the Anbx compiler running’ or
  2. to analyze the pcapng file and see the log file.

I want the analyses to show me elements of the messages in the AnBx compiler, and show me the security protocols in the messages.

Please, i need someone to help out on this.

Hi there,

can you share the pcap, or say what protocols you’re expecting to see in the logs? If you’ve built a custom protocol, Zeek cannot analyze it since it won’t have a parser for it.


Hi Christian,
This platform is not allowing me to upload the pcapng file.
I am expecting to see some security protocols and elements of messages exchanged.
Also find below, some of the example done .

root@719a860babcd:~# zeek -r …/tmp/Wireshark\ capture/23032023SSLTLSHTTP.pcapng
root@719a860babcd:~# ls -al
total 52
drwx------ 1 root root 4096 Apr 12 19:48 .
drwxr-xr-x 1 root root 4096 Apr 12 20:35 …
-rw------- 1 root root 2516 Apr 12 17:58 .bash_history
-rw-r–r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Apr 12 09:53 .local
-rw-r–r-- 1 root root 161 Jul 9 2019 .profile
-rw-r–r-- 1 root root 2015 Apr 12 20:48 conn.log
drwxr-xr-x 2 root root 4096 Apr 12 19:37 default
-rw-r–r-- 1 root root 214 Apr 12 20:48 dpd.log
drwxr-xr-x 2 root root 4096 Apr 12 19:37 json
drwxr-xr-x 11 root root 4096 Apr 12 18:05 msticpy
-rw-r–r-- 1 root root 254 Apr 13 04:41 packet_filter.log
-rw-r–r-- 1 root root 604 Apr 13 04:41 weird.log


This platform is not allowing me to upload the pcapng file.

Ah — thanks for flagging. I’ve tweaked the configuration to allow .pcap and .pcapng files, but note that anything larger than 8MB won’t be accepted.

Almost certainly your security protocol isn’t recognizable to Zeek. You could write a Spicy parser for it. :slight_smile:


Hi Christian,
Here is the pcapng file attached
12042023222222.pcapng (18.7 KB)
23032023SSLTLSHTTP.pcapng (24.7 KB)

These are the two pcapng files i want to analyse.


Here, I attached another pcapng file.
13042023capture.pcapng (1.7 MB)


Thanks! Yep, no recognizable TCP payload in those pcaps — including in Wireshark.