This document collects some starting points for looking at the Zeek source code.
Packets are passed through the logic written in Sessions.cc; this is a good starting point when beginning to work with Zeek internals. Another file to look at to get a grasp of the functionality is DPM.cc/.h (the central management unit for dynamic analyzer selection). The logic for selecting the correct analyzer for the analyzer tree is contained in DPM.cc. The analyzers that can be initialized are defined in AnalyzerTags.h, Analyzers.cc and Analyzers.h, in addition to their own source files.
The initialized analyzers are then executed, raising events as dictated by the scripts that are loaded. Packets enter the analyzers through calls to <analyzer>::DeliverPacket() or, in reassembled form, via <analyzer>::DeliverStream(). Execution continues as dictated by each analyzer's internal logic.
It is noteworthy that if the loaded scripts contain no handler for a particular event, that event will not be raised! Likewise, assigning an EventHandlerPtr an event value that no script handles leaves the pointer evaluating to null, which is why analyzer code tests it before raising the event. For example:

    // Null unless some loaded script defines a handler for icmp_sent.
    EventHandlerPtr f = icmp_sent;

    // Build the argument list for the event: the connection record and
    // the icmp_conn record.
    val_list* vl = new val_list;
    vl->append(BuildConnVal());
    vl->append(BuildICMPVal(ICMP6Flag));

    if ( f )
        {
        printf("if icmp_sent event is actually handled by the scripts, this gets executed, as f != 0\n");
        ConnectionEvent(f, vl);
        }
    else
        printf("if there is no handling for icmp_sent event, this gets executed, as f will evaluate to null\n");
For the list and definition of events, please see event.bif. Also, see bro.init for type definitions.
Overall, the scripting layer is an integral part of the system: many types are actually defined at the script level and must be taken into account when making changes to the C++ sources. If a handler for the event exists on the scripting layer, the event is raised and action is taken on the data as defined in the script. Zeek has its own scripting language, with event handlers executed as the events are raised by the Zeek event engine. Events can be used to simply log some of the traffic or for far more complicated tasks, limited only by the Zeek scripting language.
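The script-layer side of the icmp_sent example above, as an added illustration that is not part of the original page or the Zeek distribution: loading a script with an icmp_sent handler is exactly what makes the analyzer's EventHandlerPtr non-null, and the handler here uses the logging framework to write one record per ICMP message. It assumes a Zeek version that provides zeek_init (older Bro releases used bro_init) and the standard icmp_conn record fields listed in the base type definitions.

```zeek
# Added example: a script-level handler for icmp_sent that logs each
# raised event. Without a handler like this, the engine never raises
# icmp_sent, and the analyzer's `if ( f )` branch is skipped.
module ICMPSent;

export {
    # New log stream; ends up as ICMPSent::LOG, written to icmp_sent.log.
    redef enum Log::ID += { LOG };

    # One record per icmp_sent event; every field is logged.
    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        orig_h: addr   &log;
        resp_h: addr   &log;
        itype:  count  &log;
        icode:  count  &log;
        len:    count  &log;
    };
}

event zeek_init()
    {
    Log::create_stream(ICMPSent::LOG, [$columns=Info, $path="icmp_sent"]);
    }

# The presence of this handler is what turns icmp_sent from "never raised"
# into "raised for every ICMP message the analyzer sees".
event icmp_sent(c: connection, icmp: icmp_conn)
    {
    Log::write(ICMPSent::LOG, [$ts=network_time(),
                               $uid=c$uid,
                               $orig_h=icmp$orig_h,
                               $resp_h=icmp$resp_h,
                               $itype=icmp$itype,
                               $icode=icmp$icode,
                               $len=icmp$len]);
    }
```

Run it against a capture with `zeek -r some.pcap icmp_sent.zeek` and compare the row count in icmp_sent.log with the number of ICMP packets in the trace; remove the handler and the log (and the event) disappears entirely.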
© 2014 The Bro Project.