TCP handshake and TCP analyzers #80
Comments
|
This is true for most/all of Zeek's protocol analyzers, they are generally not capable of starting midstream when they missed the beginning of a connection (because that's not trivial: without the full TCP handshake, it state of the endpoints isn't clear; and without any initial data packets, the parsers first need to understand where in the protocol things are currently and find a point to synchronize themselves with the interaction). Spicy analyzers currently inherit this limitation and ignore content on such partial connections (iirc, there should be a debug message about that as well). That said, there's work on the roadmap to make this possible: The work described in zeek/spicy#23 for error recovery through resynchronization will address this issue as well: when missing initial handshake/data, we'd go right into recovery mode to find a place where to start parsing. |
|
Thanks for the answer! |
Hi all,
while testing my OPC UA grammar on real network data I noticed that prints for debugging purposes (within *.spicy) are only working if the TCP handshake was observed before. So, when I start zeek and analyze network traffic via a mirror stream with already established OPC UA connections, my grammar does not work as expected. With an initial TCP Handshake, it works as expected. The same behavior can be reproduced with the HTTP grammar available here in the repository (augmented by some prints). However, the debug.log indicates that zeek passes the data to spicy (DeliverStream). Is there a solution for this or is it not possible without a previous handshake?
Best regards,
Markus
The text was updated successfully, but these errors were encountered: