diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index dd21ff686a..db2f04145a 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1225,10 +1225,6 @@ const rpc_timeout = 24 sec &redef;
 ## means "forever", which resists evasion, but can lead to state accrual.
 const frag_timeout = 0.0 sec &redef;
-## If positive, indicates the encapsulation header size that should
-## be skipped. This applies to all packets.
-const encap_hdr_size = 0 &redef;
-
 ## Whether to use the ``ConnSize`` analyzer to count the number of packets and
 ## IP-level bytes transferred by each endpoint. If true, these values are
 ## returned in the connection's :zeek:see:`endpoint` record value.
diff --git a/src/NetVar.cc b/src/NetVar.cc
index edd778fa92..dfc52e0ea4 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -113,8 +113,6 @@ int partial_connection_ok;
 int tcp_SYN_ack_ok;
 int tcp_match_undelivered;
-int encap_hdr_size;
-
 double frag_timeout;
 double tcp_SYN_timeout;
@@ -261,8 +259,6 @@ void init_net_var()
 tcp_SYN_ack_ok = id::find_val("tcp_SYN_ack_ok")->AsBool();
 tcp_match_undelivered = id::find_val("tcp_match_undelivered")->AsBool();
- encap_hdr_size = id::find_val("encap_hdr_size")->AsCount();
-
 frag_timeout = id::find_val("frag_timeout")->AsInterval();
 tcp_SYN_timeout = id::find_val("tcp_SYN_timeout")->AsInterval();
@@ -365,7 +361,6 @@ int& ignore_checksums = zeek::detail::ignore_checksums;
 int& partial_connection_ok = zeek::detail::partial_connection_ok;
 int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok;
 int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered;
-int& encap_hdr_size = zeek::detail::encap_hdr_size;
 double& frag_timeout = zeek::detail::frag_timeout;
 double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout;
 double& tcp_session_timer = zeek::detail::tcp_session_timer;
diff --git a/src/NetVar.h b/src/NetVar.h
index 45199108b0..29a1bb55fc 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -17,8 +17,6 @@ extern int partial_connection_ok;
 extern int tcp_SYN_ack_ok;
 extern int tcp_match_undelivered;
-extern int encap_hdr_size;
-
 extern double frag_timeout;
 extern double tcp_SYN_timeout;
@@ -117,7 +115,6 @@ extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::detail::ign
 extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]];
 extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]];
 extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]];
-extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::detail::encap_hdr_size.")]];
 extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]];
 extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]];
 extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]];
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 6d277a9a0b..1654fb7ddb 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -2,7 +2,6 @@
 #include "Manager.h"
-#include "NetVar.h"
 #include "Analyzer.h"
 #include "Dispatcher.h"
@@ -132,8 +131,6 @@ void Manager::ProcessPacket(Packet* packet)
 }
 auto result = analyzer->Analyze(packet, data);
- if (result == AnalyzerResult::Terminate)
- CustomEncapsulationSkip(packet, data);
 // Calculate header size after processing packet layers.
 packet->hdr_size = static_cast(data - packet->data);
@@ -177,36 +174,3 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name)
 Tag tag = GetComponentTag(name);
 return tag ? InstantiateAnalyzer(tag) : nullptr;
 }
-
-void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data)
- {
- if ( zeek::detail::encap_hdr_size > 0 )
- {
- // Blanket encapsulation. We assume that what remains is IP.
- if ( data + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() )
- {
- packet->Weird("no_ip_left_after_encap");
- return;
- }
-
- data += zeek::detail::encap_hdr_size;
-
- auto ip = (const struct ip*)data;
-
- switch ( ip->ip_v )
- {
- case 4:
- packet->l3_proto = L3_IPV4;
- break;
- case 6:
- packet->l3_proto = L3_IPV6;
- break;
- default:
- {
- // Neither IPv4 nor IPv6.
- packet->Weird("no_ip_in_encap");
- return;
- }
- }
- }
- }
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index cbded374e1..f13feaa590 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -89,16 +89,6 @@ private:
 */
 AnalyzerPtr InstantiateAnalyzer(const std::string& name);
- /**
- * Skips a fixed amount of packet data that is defined by encap_hdr_size.
- * It is assumed that an IP header follows.
- *
- * @param packet The packet to adapt.
- *
- * @param data Pointer to remaining payload.
- */
- void CustomEncapsulationSkip(Packet* packet, const uint8_t* data);
-
 std::map analyzers;
 Dispatcher root_dispatcher;
 AnalyzerPtr default_analyzer = nullptr;