Zeek-Parser-CCLinkFieldBasic

Overview

Zeek-Parser-CCLinkFieldBasic is a Zeek plug-in that parses CC-Link IE Field Basic, a protocol of the CC-Link family.

Installation

Installation with Package Manager

This plug-in is provided as a package for the Zeek Package Manager.

It can be installed by executing the commands below.

zkg refresh
zkg install zeek-parser-CCLinkFieldBasic

Manual Installation

Before using this plug-in, make sure that Zeek and Spicy are installed.

# Check Zeek
~$ zeek -version
zeek version 5.0.0

# Check Spicy
~$ spicyz -version
1.3.16
~$ spicyc -version
spicyc v1.5.0 (d0bc6053)

# The path of zeek in this manual is based on the following output
~$ which zeek
/usr/local/zeek/bin/zeek

Use git clone to get a copy of this repository to your local environment.

~$ git clone https://github.com/nttcom/zeek-parser-CCLinkFieldBasic.git

Usage

For installation using a package manager

cclink-ief-basic.log will be generated by the command below:

zeek -Cr /usr/local/zeek/var/lib/zkg/clones/package/zeek-parser-CCLinkFieldBasic/testing/Traces/cclink_ief_basic_only.pcap zeek-parser-CCLinkFieldBasic

For manual installation

Compile source code and copy the object files to the following path.

~$ cd ~/zeek-parser-CCLinkFieldBasic/analyzer
~$ spicyz -o cc_link_basic.hlto cc_link_basic.spicy cc_link_basic.evt
~$ # cc_link_basic.hlto will be generated
~$ cp cc_link_basic.hlto /usr/local/zeek/lib/zeek-spicy/modules/

Then, copy the zeek file to the following paths.

~$ cd ~/zeek-parser-CCLinkFieldBasic/scripts/
~$ cp main.zeek /usr/local/zeek/share/zeek/site/cc_link_basic.zeek

Finally, import the Zeek plugin.

~$ tail /usr/local/zeek/share/zeek/site/local.zeek
... Omit ...
@load cc_link_basic

Running the commands below generates cclink-ief-basic.log:

~$ cd ~/zeek-parser-CCLinkFieldBasic/testing/Traces
~$ zeek -Cr cclink_ief_basic_only.pcap /usr/local/zeek/share/zeek/site/cc_link_basic.zeek

Log type and description

This plug-in monitors all functions of mydhcp and outputs them as cclink-ief-basic.log.

| Field | Type | Description |
| --- | --- | --- |
| ts | time | timestamp of the first communication |
| uid | string | unique ID for this connection |
| id.orig_h | addr | source IP address |
| id.orig_p | port | source port number |
| id.resp_h | addr | destination IP address |
| id.resp_p | port | destination port number |
| pdu | string | protocol function name |
| cmd | string | cyclic or - |
| number | int | number of packet occurrence |
| ts_end | time | timestamp of the last communication |

An example of cclink-ief-basic.log is as follows:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   cclink-ief-basic
#open   2023-05-27-00-52-06
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       pdu     cmd     number  ts_end
#types  time    string  addr    port    addr    port    string  string  int     time
1655284124.953994       CIAp8bugKIZRVpAYk       172.16.134.129  61450   172.16.134.128  61450   cyclicDataRes   -       222     1655284149.499713
1655284124.859924       Ckkc3929guO41BnpSa      172.16.134.128  61450   172.16.134.255  61450   cyclicDataReq   cyclic  222     1655284149.392238
#close  2023-05-27-00-52-06
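
The following is an added example, not code from this repository: a small Python reader for cclink-ief-basic.log that uses the fields described above to compute a packet rate per flow and to list endpoints outside an expected set. It assumes Zeek's default TSV writer (tab separator, `-` for unset fields); `EXPECTED_HOSTS`, the function names and the third log record are constructed for illustration.

```python
# Added example: summarise cclink-ief-basic.log per flow (not part of the plug-in).
# Assumes Zeek's default TSV writer: tab separator, "-" for unset fields.

def parse_zeek_tsv(text):
    """Return one dict per record, keyed by the names on the #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, values)))
    return rows

def summarize(rows, expected_hosts):
    """Per flow: packets per second and any endpoint not in expected_hosts."""
    out = []
    for r in rows:
        duration = float(r["ts_end"]) - float(r["ts"])
        # A flow seen only once has ts == ts_end, so no rate can be computed.
        rate = int(r["number"]) / duration if duration > 0 else None
        unexpected = sorted({r["id.orig_h"], r["id.resp_h"]} - expected_hosts)
        out.append({"uid": r["uid"], "pdu": r["pdu"], "cmd": r["cmd"],
                    "pkts_per_s": rate, "unexpected_hosts": unexpected})
    return out

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "pdu", "cmd", "number", "ts_end"]
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tcclink-ief-basic",
    "#fields\t" + "\t".join(FIELDS),
    # The first two records are taken from the sample log above.
    "\t".join(["1655284124.953994", "CIAp8bugKIZRVpAYk", "172.16.134.129", "61450",
               "172.16.134.128", "61450", "cyclicDataRes", "-", "222", "1655284149.499713"]),
    "\t".join(["1655284124.859924", "Ckkc3929guO41BnpSa", "172.16.134.128", "61450",
               "172.16.134.255", "61450", "cyclicDataReq", "cyclic", "222", "1655284149.392238"]),
    # Constructed record: one packet from a host outside the expected set.
    "\t".join(["1655284130.000000", "CconstructedUid01", "172.16.134.50", "61450",
               "172.16.134.128", "61450", "cyclicDataReq", "cyclic", "1", "1655284130.000000"]),
    "#close\t2023-05-27-00-52-06",
])

# Assumption: the addresses in the sample log above form the expected set.
EXPECTED_HOSTS = {"172.16.134.128", "172.16.134.129", "172.16.134.255"}

if __name__ == "__main__":
    for flow in summarize(parse_zeek_tsv(SAMPLE_LOG), EXPECTED_HOSTS):
        print(flow)
```
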

Related Software

This plug-in is used by OsecT.