Zeek Spicy OSPF Packet Analyzer Update – v0.1.4

An update in the packet analyzer now makes it Zeek v5.2 ready. You can view more here:


You can install the latest version with the following command:

zkg install zeek-spicy-ospf

5 responses to “Zeek Spicy OSPF Packet Analyzer Update – v0.1.4”

  1. Subhajit Avatar

    Hey Keith,
    As you have written a packet analyser, can you please give me few pointers to make my goose protocol run?
    I didn’t able to find how packet analyser is working, like in protocol analyser we give transport protocol and port, using which zeek will detect the packet for that protocol and pass it to corresponding spicy parser. What happens for packet analyser?
    Below are my scripts, I am able to register the plugin and can see in zeek -NN without any error but It is not printing anything for the pcap, just getting packet_filter.log with an entry of default bpf filter IP or not IP. Can you please help me to understand where I am doing wrong here.
    Thanks a lot!
    spicy parser script
    `biswa:~/zeek-spicy-goose/analyzer$ cat goose.spicy

    module zeek_spicy_goose;
    public type GOOSEPacket = unit {
    appid: uint8;
    pkt_len: uint16;
    payload: bytes &eod;

    spicy event
    biswa:~/zeek-spicy-goose/analyzer$ cat goose.evt
    packet analyzer spicy::GOOSE:
    parse with zeek_spicy_goose::GOOSEPacket;

    import zeek_spicy_goose;

    on zeek_spicy_goose::GOOSEPacket -> event GOOSE::message($packet, self.appid, self.pkt_len);

    zeek spicy script
    biswa:~/zeek-spicy-goose/analyzer$ cat zeek_goose.spicy

    module Zeek_zeek_spicy_goose;

    import zeek_spicy_goose;
    import zeek;

    on zeek_spicy_goose::GOOSEPacket::%done {

    on zeek_spicy_goose::GOOSEPacket::%error {
    zeek::reject_protocol(“error while parsing GOOSE record”);

    Zeek script
    biswa@dmz-ashish-new:~/zeek-spicy-goose/analyzer$ cat ../scripts/main.zeek
    module GOOSE;

    global goose_topic = “/topic/goose”;

    global begin_time: time;
    global total_time: interval;

    export {
    ## Log stream identifier.
    redef enum Log::ID += { GOOSE_LOG };

    ## Record type containing the column fields of the goose log.
    type Info: record {
    ## Timestamp for when the activity happened.
    ts: time &log &default=network_time();
    appid: count &log &optional;
    pkt_len: count &log &optional;

    global GOOSE::message: event(pkt: raw_pkt_hdr, appid: count, pkt_len: count);

    global analyzer_confirmation: event(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo);

    global GOOSE::log_goose: event(rec: GOOSE::Info);

    global log_GOOSE: event(rec: Info);

    redef record raw_pkt_hdr += {
    GOOSE: Info &optional;

    event zeek_init() &priority=5
    Broker::peer(addr_to_uri(, 50000/tcp);

    if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name(“Ethernet”, 0x88ba, “spicy_GOOSE”) )
    if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name(“Ethernet”, 0x88ba, “spicy::GOOSE”) )
    print “cannot register GOOSE Spicy analyzer”;

    Log::create_stream(GOOSE::GOOSE_LOG, [$columns=Info, $ev=log_goose, $path=”goose”]);

    #print this event per packet
    event GOOSE::message(packet: raw_pkt_hdr, appid: count, pkt_len: count)
    local info: Info = [$ts=network_time(), $appid=appid, $pkt_len=pkt_len];
    print “Processing pcakets”, packet;
    Log::write(GOOSE::GOOSE_LOG, info);

    event Broker::peer_added(ep: Broker::EndpointInfo, msg: string)
    print “PEER ADDED”, ep;
    #send this event over the broker
    event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
    if ( atype == Analyzer::ANALYZER_SPICY_GOOSE)
    Broker::publish(goose_topic, analyzer_confirmation, atype, info);
    PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap

    1. drkeithjones Avatar

      A blog isn’t the easiest place to view code. Could you check in all your code you have so far into github and share the link with me? That will make things easier because I can checkout your code using git.

      1. Subhajit Avatar

        Hi Keith, have you got the link? I am not able to see it in the comment, posting again

        Please check

        1. drkeithjones Avatar

          Thanks. I do not see the testing directory set up from zkg create. Could you get that set up with your pcap you want working please? Thanks.

          1. drkeithjones Avatar

            The command to create via zkg is:

            zkg create –features spicy-packet-analyzer –packagedir zeek-spicy-goose

Leave a Reply

Your email address will not be published. Required fields are marked *