Zeek_WebSocket.events.bif.zeek

Summary

`websocket_close`: `event`	Generated for WebSocket Close frames.
`websocket_established`: `event`	Generated when a WebSocket handshake completed.
`websocket_frame`: `event`	Generated for every WebSocket frame.
`websocket_frame_data`: `event`	Generated for every chunk of WebSocket frame payload data.
`websocket_message`: `event`	Generated for every completed WebSocket message.

websocket_close

Type: event (c: connection, is_orig: bool, status: count, reason: string)

Generated for WebSocket Close frames.

Parameters

c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
status – If the CloseFrame had no payload, this is 0, otherwise the value of the first two bytes in the frame’s payload.
reason – Remaining payload after status. This is capped at 2 bytes less than WebSocket::payload_chunk_size.

websocket_established

Generated when a WebSocket handshake completed.

Parameters

websocket_frame

Type: event (c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)

Generated for every WebSocket frame.

Parameters

websocket_frame_data

Generated for every chunk of WebSocket frame payload data.

Do not use it to extract data from a WebSocket connection unless for testing or experimentation. Consider implementing a proper analyzer instead.

Parameters

c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
data – One data chunk of frame payload. The length of is at most WebSocket::payload_chunk_size bytes. A frame with a longer payload will result in multiple events events.

websocket_message

Generated for every completed WebSocket message.

Parameters