Add VXLAN packet analyzer, disable old analyzer

scripts/base/packet-protocols/__load__.zeek

@@ -23,3 +23,4 @@
 @load base/packet-protocols/iptunnel
 @load base/packet-protocols/ayiya
 @load base/packet-protocols/geneve
+@load base/packet-protocols/vxlan

scripts/base/packet-protocols/vxlan/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/vxlan/main.zeek

@@ -0,0 +1,20 @@
+module PacketAnalyzer::VXLAN;
+
+export {
+	# There's no indicator in the VXLAN packet header format about what the next protocol
+	# in the chain is. All of the documentation just lists Ethernet, so default to that.
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
+
+	## The set of UDP ports used for VXLAN traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :zeek:see:`likely_server_ports` also gets populated accordingly.
+	const vxlan_ports: set[port] = { 4789/udp } &redef;
+}
+
+redef likely_server_ports += { vxlan_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, vxlan_ports);
+	}