tl;dr By manually changing the Linktype using a hex editor in the Interface Description Block (IDB) of the PCAPng file will convince the packet analysis software that only 1 type of interfaces were available at the time of capture.WARNING: Throughout this post I reference “PCAP” and “PCAPng” int...

---

Published on April 14, 2021 | 9 min read

pcap hex zeek suricata brim

tl;dr This blog post was for documentation purposes. Nothing to see here.Problem Statement: I need to have Zeek log every UDP packet instead of only per UDP session/conversationBecause of Zeek’s session tracking it will only log one connection “uid” at the start of a session and for all subseque...

---

Published on April 09, 2021 | 4 min read

zeek scripts pcap