Add VXLAN packet analyzer, disable old analyzer

2025-10-02 14:48:21 +00:00 · 2021-08-26 12:37:28 -07:00 · 2021-08-26 12:37:28 -07:00 · 05574ecce1
commit 05574ecce1
parent cbb0bcd49c
22 changed files with 194 additions and 29 deletions
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@ -92,7 +92,7 @@ export {
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports };
+redef likely_server_ports += { teredo_ports, gtpv1_ports };
 event zeek_init() &priority=5
 	{
@ -100,7 +100,6 @@ event zeek_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	}
 function register_all(ecv: EncapsulatingConnVector)
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -5060,11 +5060,6 @@ export {
 	## may choose whether to perform the validation.
 	const validate_vxlan_checksums = T &redef;
 	## The set of UDP ports used for VXLAN traffic.  Traffic using this
 	## UDP destination port will attempt to be decapsulated.  Note that if
 	## if you customize this, you may still want to manually ensure that
 	## :zeek:see:`likely_server_ports` also gets populated accordingly.
 	const vxlan_ports: set[port] = { 4789/udp } &redef;
 } # end export
 module Reporter;
--- a/scripts/base/packet-protocols/load.zeek
+++ b/scripts/base/packet-protocols/load.zeek
@ -23,3 +23,4 @@
@load base/packet-protocols/iptunnel
@load base/packet-protocols/ayiya
@load base/packet-protocols/geneve
@load base/packet-protocols/vxlan
--- a/scripts/base/packet-protocols/vxlan/load.zeek
+++ b/scripts/base/packet-protocols/vxlan/load.zeek
@ -0,0 +1 @@
@load ./main
--- a/scripts/base/packet-protocols/vxlan/main.zeek
+++ b/scripts/base/packet-protocols/vxlan/main.zeek
@ -0,0 +1,20 @@
 module PacketAnalyzer::VXLAN;
 export {
 	# There's no indicator in the VXLAN packet header format about what the next protocol
 	# in the chain is. All of the documentation just lists Ethernet, so default to that.
        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
 	## The set of UDP ports used for VXLAN traffic.  Traffic using this
 	## UDP destination port will attempt to be decapsulated.  Note that if
 	## if you customize this, you may still want to manually ensure that
 	## :zeek:see:`likely_server_ports` also gets populated accordingly.
 	const vxlan_ports: set[port] = { 4789/udp } &redef;
 }
 redef likely_server_ports += { vxlan_ports };
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, vxlan_ports);
 	}
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@ -74,10 +74,10 @@ Manager::~Manager()
 void Manager::InitPostScript()
 	{
-	const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports");
+	const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
 	if ( ! (id && id->GetVal()) )
-		reporter->FatalError("Tunnel::vxlan_ports not defined");
+		reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
 	auto table_val = id->GetVal()->AsTableVal();
 	auto port_list = table_val->ToPureListVal();
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@ -42,6 +42,6 @@ add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
-add_subdirectory(vxlan)
+#add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@ -24,3 +24,4 @@ add_subdirectory(gre)
 add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
 add_subdirectory(geneve)
 add_subdirectory(vxlan)
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@ -41,10 +41,10 @@ void UDPAnalyzer::Initialize()
 	{
 	IPBasedAnalyzer::Initialize();
-	const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports");
+	const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
 	if ( ! (id && id->GetVal()) )
-		reporter->FatalError("Tunnel::vxlan_ports not defined");
+		reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
 	auto table_val = id->GetVal()->AsTableVal();
 	auto port_list = table_val->ToPureListVal();
--- a/src/packet_analysis/protocol/vxlan/CMakeLists.txt
+++ b/src/packet_analysis/protocol/vxlan/CMakeLists.txt
@ -0,0 +1,6 @@
 include(ZeekPlugin)
 zeek_plugin_begin(Zeek VXLAN)
 zeek_plugin_cc(VXLAN.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
--- a/src/packet_analysis/protocol/vxlan/Plugin.cc
+++ b/src/packet_analysis/protocol/vxlan/Plugin.cc
@ -0,0 +1,27 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek/plugin/Plugin.h"
 #include "zeek/packet_analysis/Component.h"
 #include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
 namespace zeek::plugin::Zeek_VXLAN
 	{
 class Plugin : public zeek::plugin::Plugin
 	{
 public:
 	zeek::plugin::Configuration Configure()
 		{
 		AddComponent(new zeek::packet_analysis::Component(
 			"VXLAN", zeek::packet_analysis::VXLAN::VXLAN_Analyzer::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::VXLAN";
 		config.description = "VXLAN packet analyzer";
 		return config;
 		}
 	} plugin;
 	}
--- a/src/packet_analysis/protocol/vxlan/VXLAN.cc
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc
@ -0,0 +1,65 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
 #include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
 #include "zeek/packet_analysis/protocol/vxlan/events.bif.h"
 using namespace zeek::packet_analysis::VXLAN;
 VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { }
 bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
 	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 		{
 		Weird("exceeded_tunnel_max_depth", packet);
 		return false;
 		}
 	constexpr uint16_t hdr_size = 8;
 	if ( hdr_size > len )
 		{
 		AnalyzerViolation("VXLAN header truncation", packet->session, (const char*)data, len);
 		return false;
 		}
 	if ( (data[0] & 0x08) == 0 )
 		{
 		AnalyzerViolation("VXLAN 'I' flag not set", packet->session, (const char*)data, len);
 		return false;
 		}
 	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
 	len -= hdr_size;
 	data += hdr_size;
 	int encap_index = 0;
 	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
 		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN,
 		GetAnalyzerTag());
 	bool fwd_ret_val = true;
 	if ( len > hdr_size )
 		fwd_ret_val = ForwardPacket(len, data, inner_packet.get());
 	if ( fwd_ret_val )
 		{
 		AnalyzerConfirmation(packet->session);
 		if ( vxlan_packet && packet->session )
 			{
 			EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
 			if ( ec && ec->ip_hdr )
 				inner_packet->session->EnqueueEvent(vxlan_packet, nullptr,
 				                                    packet->session->GetVal(),
 				                                    ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
 			}
 		}
 	else
 		AnalyzerViolation("VXLAN invalid inner packet", packet->session);
 	return fwd_ret_val;
 	}
--- a/src/packet_analysis/protocol/vxlan/VXLAN.h
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.h
@ -0,0 +1,25 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Component.h"
 namespace zeek::packet_analysis::VXLAN
 	{
 class VXLAN_Analyzer : public zeek::packet_analysis::Analyzer
 	{
 public:
 	VXLAN_Analyzer();
 	~VXLAN_Analyzer() override = default;
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
 		return std::make_shared<VXLAN_Analyzer>();
 		}
 	};
 	}
--- a/src/packet_analysis/protocol/vxlan/events.bif
+++ b/src/packet_analysis/protocol/vxlan/events.bif
@ -0,0 +1,12 @@
 ## Generated for any packet encapsulated in a VXLAN tunnel.
 ## See :rfc:`7348` for more information about the VXLAN protocol.
 ##
 ## outer: The VXLAN tunnel connection.
 ##
 ## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
 ##
 ## vni: VXLAN Network Identifier.
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ##    it may become particularly expensive for real-time analysis.
 event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);
--- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
@ -9,7 +9,7 @@
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.0.0.1	8	10.0.0.2	0	icmp	-	3.004616	224	224	OTH	-	-	0	-	4	336	4	336	CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
 XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	udp	vxlan	3.004278	424	0	S0	-	-	0	D	4	536	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	vxlan	-	-	-	S0	-	-	0	D	1	78	0	0	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	vxlan	-	-	-	S0	-	-	0	D	1	78	0	0	-
 XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	udp	vxlan	3.004434	424	0	S0	-	-	0	D	4	536	0	0	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -71,6 +71,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/ayiya/main.zeek
    scripts/base/packet-protocols/geneve/__load__.zeek
      scripts/base/packet-protocols/geneve/main.zeek
    scripts/base/packet-protocols/vxlan/__load__.zeek
      scripts/base/packet-protocols/vxlan/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
  scripts/base/frameworks/logging/__load__.zeek
    scripts/base/frameworks/logging/main.zeek
@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
    build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -71,6 +71,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/ayiya/main.zeek
    scripts/base/packet-protocols/geneve/__load__.zeek
      scripts/base/packet-protocols/geneve/main.zeek
    scripts/base/packet-protocols/vxlan/__load__.zeek
      scripts/base/packet-protocols/vxlan/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
  scripts/base/frameworks/logging/__load__.zeek
    scripts/base/frameworks/logging/main.zeek
@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
    build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -60,7 +60,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
@ -124,7 +123,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
@ -154,7 +152,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
@ -583,8 +580,10 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -633,6 +632,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -676,6 +676,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
@ -1038,6 +1039,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/version, <...>/version.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vlan, <...>/vlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vntag, <...>/vntag) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vxlan, <...>/vxlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/x509, <...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1
@ -1408,6 +1410,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, <no content>)
@ -1494,7 +1497,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
@ -1558,7 +1560,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
@ -1588,7 +1589,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
@ -2017,8 +2017,10 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
@ -2067,6 +2069,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
@ -2110,6 +2113,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
@ -2472,6 +2476,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vlan, <...>/vlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vntag, <...>/vntag)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vxlan, <...>/vxlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp, <...>/xmpp)
@ -2842,6 +2847,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vlan, <...>/vlan)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vntag, <...>/vntag)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vxlan, <...>/vxlan)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/xmpp, <...>/xmpp)
@ -2928,7 +2934,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
@ -2992,7 +2997,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
@ -3022,7 +3026,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
@ -3450,8 +3453,10 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
@ -3500,6 +3505,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
@ -3543,6 +3549,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
 0.000000 | HookCallFunction port_to_count(4789/udp)
 0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction port_to_count(6081/udp)
 0.000000 | HookCallFunction reading_live_traffic()
@ -3917,6 +3924,7 @@
 0.000000 | HookLoadFile  base<...>/version <...>/version.zeek
 0.000000 | HookLoadFile  base<...>/vlan <...>/vlan
 0.000000 | HookLoadFile  base<...>/vntag <...>/vntag
 0.000000 | HookLoadFile  base<...>/vxlan <...>/vxlan
 0.000000 | HookLoadFile  base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFile  base<...>/x509 <...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp <...>/xmpp
@ -4287,6 +4295,7 @@
 0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek
 0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan
 0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag
 0.000000 | HookLoadFileExtended base<...>/vxlan <...>/vxlan
 0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509
 0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
`@ -1,2 +1,2 @@`
	`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`	`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`
	`\|Analyzer::all_registered_ports()\|, 2`	`\|Analyzer::all_registered_ports()\|, 3`