{"id":419,"date":"2023-03-21T11:25:39","date_gmt":"2023-03-21T15:25:39","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=419"},"modified":"2023-03-21T11:26:26","modified_gmt":"2023-03-21T15:26:26","slug":"zeeks-suspend_processing-quirk-with-pcaps","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/03\/21\/zeeks-suspend_processing-quirk-with-pcaps\/","title":{"rendered":"Zeek&#8217;s suspend_processing Quirk With PCAPs"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the comments of an earlier blog:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-drkeithjones-com wp-block-embed-drkeithjones-com\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"z4tPuLLJ6D\"><a href=\"https:\/\/drkeithjones.com\/index.php\/2023\/03\/11\/how-to-connect-zeek-to-python\/\">How To Connect Zeek To Python<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230; we found an interesting situation. Even when you call &#8220;suspend_processing&#8221; in zeek_init, like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>event zeek_init() &amp;priority=10\n{\n\t# Ask Zeek to stop reading packets before any input is processed.\n\tsuspend_processing();\n}\n\n# Printed when a new connection is first seen.\nevent new_connection(c: connection)\n{\n\tprint(\"NEW\");\n}\n\n# Printed when the connection is removed from Zeek's state.\nevent connection_state_remove(c: connection)\n{\n\tprint(\"REMOVE\");\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230; Zeek will still process the first packet.
The &#8220;new_connection&#8221; and &#8220;connection_state_remove&#8221; events will still fire for that first packet\/connection.  This is what the output looks like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ zeek -Cr ..\/dnp3_example.pcap .\/test.zeek\nprocessing suspended\nNEW\nPEERADDED\nREMOVE<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230; for the PCAP located here:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/cisagov\/icsnpp-dnp3\/blob\/main\/tests\/traces\/dnp3_example.pcap\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/cisagov\/icsnpp-dnp3\/blob\/main\/tests\/traces\/dnp3_example.pcap<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the comments of an earlier blog: &#8230; we found an interesting situation. Even when you call &#8220;suspend_processing&#8221; in zeek_init, like this: &#8230; Zeek will still process the first packet. The &#8220;new_connection&#8221; and &#8220;connection_state_remove&#8221; events will still fire for that first packet\/connection. This is what the output looks like: &#8230; for the PCAP located here: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[91,24,61,4],"tags":[29,27],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-open-source","category-pcaps","category-tools","category-zeek","tag-pcaps","tag-zeek"],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}