diff --git a/CHANGES b/CHANGES index 3fc18b569a..7eafccce47 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +7.1.0-dev.202 | 2024-08-16 09:06:41 -0700 + + * Remove unused wrapper packet analyzer (Jan Grashoefer, Corelight) + + This is a leftover from the migration to the packet analysis framework. + The analyzer wrapped the original packet analysis code for comparison. + 7.1.0-dev.200 | 2024-08-16 16:50:47 +0200 * Add DNS TKEY event (Evan Typanski, Corelight) diff --git a/VERSION b/VERSION index 6a591a4af8..86b6d226c1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-dev.200 +7.1.0-dev.202 diff --git a/src/packet_analysis/protocol/wrapper/CMakeLists.txt b/src/packet_analysis/protocol/wrapper/CMakeLists.txt deleted file mode 100644 index aaac07bbb3..0000000000 --- a/src/packet_analysis/protocol/wrapper/CMakeLists.txt +++ /dev/null @@ -1 +0,0 @@ -zeek_add_plugin(Zeek Wrapper SOURCES Wrapper.cc Plugin.cc) diff --git a/src/packet_analysis/protocol/wrapper/Plugin.cc b/src/packet_analysis/protocol/wrapper/Plugin.cc deleted file mode 100644 index 248bf419c8..0000000000 --- a/src/packet_analysis/protocol/wrapper/Plugin.cc +++ /dev/null @@ -1,25 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "zeek/plugin/Plugin.h" - -#include "zeek/packet_analysis/Component.h" -#include "zeek/packet_analysis/protocol/wrapper/Wrapper.h" - -namespace zeek::plugin::Zeek_Wrapper { - -class Plugin final : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() override { - AddComponent( - new zeek::packet_analysis::Component("Wrapper", - zeek::packet_analysis::Wrapper::WrapperAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "Zeek::Wrapper"; - config.description = "A wrapper for the original zeek code."; - return config; - } - -} plugin; - -} // namespace zeek::plugin::Zeek_Wrapper diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc deleted file mode 100644 index 53ef65a9d1..0000000000 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ /dev/null @@ -1,135 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "zeek/packet_analysis/protocol/wrapper/Wrapper.h" - -using namespace zeek::packet_analysis::Wrapper; - -WrapperAnalyzer::WrapperAnalyzer() : zeek::packet_analysis::Analyzer("Wrapper") {} - -bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - // Unfortunately some packets on the link might have MPLS labels - // while others don't. That means we need to ask the link-layer if - // labels are in place. - bool have_mpls = false; - - auto end_of_data = packet->GetEndOfData(); - - // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( data[12] == 0x89 && data[13] == 0x03 ) { - auto constexpr cfplen = 16; - - if ( data + cfplen + 14 >= end_of_data ) { - Weird("truncated_link_header_cfp", packet); - return false; - } - - data += cfplen; - } - - // Extract protocol identifier - uint32_t protocol = (data[12] << 8u) + data[13]; - - packet->eth_type = protocol; - packet->l2_dst = data; - packet->l2_src = data + 6; - - data += 14; - - bool saw_vlan = false; - - while ( protocol == 0x8100 || protocol == 0x9100 || protocol == 0x8864 ) { - switch ( protocol ) { - // VLAN carried over the ethernet frame. - // 802.1q / 802.1ad - case 0x8100: - case 0x9100: { - if ( data + 4 >= end_of_data ) { - Weird("truncated_link_header", packet); - return false; - } - - auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; - vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff; - protocol = ((data[2] << 8u) + data[3]); - data += 4; // Skip the vlan header - saw_vlan = true; - packet->eth_type = protocol; - } break; - - // PPPoE carried over the ethernet frame. - case 0x8864: { - if ( data + 8 >= end_of_data ) { - Weird("truncated_link_header", packet); - return false; - } - - protocol = (data[6] << 8u) + data[7]; - data += 8; // Skip the PPPoE session and PPP header - - if ( protocol == 0x0021 ) - packet->l3_proto = L3_IPV4; - else if ( protocol == 0x0057 ) - packet->l3_proto = L3_IPV6; - else { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_pppoe_encapsulation", packet); - return false; - } - } break; - } - } - - // Check for MPLS in VLAN. - if ( protocol == 0x8847 ) - have_mpls = true; - - // Normal path to determine Layer 3 protocol. - if ( ! have_mpls && packet->l3_proto == L3_UNKNOWN ) { - if ( protocol == 0x800 ) - packet->l3_proto = L3_IPV4; - else if ( protocol == 0x86dd ) - packet->l3_proto = L3_IPV6; - else if ( protocol == 0x0806 || protocol == 0x8035 ) - packet->l3_proto = L3_ARP; - else { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_ethernet", packet); - return false; - } - } - - if ( have_mpls ) { - // Skip the MPLS label stack. - bool end_of_stack = false; - - while ( ! end_of_stack ) { - if ( data + 4 >= end_of_data ) { - Weird("truncated_link_header", packet); - return false; - } - - end_of_stack = *(data + 2u) & 0x01; - data += 4; - } - - // We assume that what remains is IP - if ( data + sizeof(struct ip) >= end_of_data ) { - Weird("no_ip_in_mpls_payload", packet); - return false; - } - - const struct ip* ip = (const struct ip*)data; - - if ( ip->ip_v == 4 ) - packet->l3_proto = L3_IPV4; - else if ( ip->ip_v == 6 ) - packet->l3_proto = L3_IPV6; - else { - // Neither IPv4 nor IPv6. - Weird("no_ip_in_mpls_payload", packet); - return false; - } - } - - return AnalyzeInnerPacket(packet, data, protocol); -} diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h deleted file mode 100644 index 299d6b5f78..0000000000 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ /dev/null @@ -1,20 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include "zeek/packet_analysis/Analyzer.h" -#include "zeek/packet_analysis/Component.h" - -namespace zeek::packet_analysis::Wrapper { - -class WrapperAnalyzer : public Analyzer { -public: - WrapperAnalyzer(); - ~WrapperAnalyzer() override = default; - - bool Analyze(Packet* packet, const uint8_t*& data) override; - - static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared(); } -}; - -} // namespace zeek::packet_analysis::Wrapper