GH-250: Improve/cleanup VXLAN decapsulation support

* Better parsing/error-checking of VXLAN and encapsulated packet headers

* Add/implement the "vxlan_packet" event

* Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to
  analyze/decapsulate

* Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how
  checksums associated with the outer UDP header of a possible VXLAN
  tunnel are handled

Fixes GH-250

doc

@@ -1 +1 @@
-Subproject commit 5e7820debc34f86023e696b7e880313be76275f3
+Subproject commit 73c5b6622b5b05e3fe246fcaa5c0587727d9edd0

scripts/base/frameworks/tunnels/main.bro

@@ -85,7 +85,6 @@ export {
 const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-const vxlan_ports = { 4789/udp };
 redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
 
 event bro_init() &priority=5
@@ -94,8 +93,8 @@ event bro_init() &priority=5
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)

scripts/base/init-bare.bro

@@ -4857,6 +4857,18 @@ export {
 	## How often to cleanup internal state for inactive IP tunnels
 	## (includes GRE tunnels).
 	const ip_tunnel_timeout = 24hrs &redef;
+
+	## Whether to validate the checksum supplied in the outer UDP header
+	## of a VXLAN encapsulation.  The spec says the checksum should be
+	## transmitted as zero, but if not, then the decapsulating destination
+	## may choose whether to perform the validation.
+	const validate_vxlan_checksums = T &redef;
+
+	## The set of UDP ports used for VXLAN traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :bro:see:`likely_server_ports` also gets populated accordingly.
+	const vxlan_ports: set[port] = { 4789/udp };
 } # end export
 
 module Reporter;

src/TunnelEncapsulation.h

@@ -88,13 +88,20 @@ public:
 			return false;
 
 		if ( ec1.type == BifEnum::Tunnel::IP ||
-				 ec1.type == BifEnum::Tunnel::VXLAN ||
 		     ec1.type == BifEnum::Tunnel::GRE )
 			// Reversing endpoints is still same tunnel.
 			return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
 			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 
+		if ( ec1.type == BifEnum::Tunnel::VXLAN )
+			// Reversing endpoints is still same tunnel, destination port is
+			// always the same.
+			return ec1.dst_port == ec2.dst_port &&
+			       ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
+			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
+
 		return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
 		       ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
 		       ec1.uid == ec2.uid && ec1.proto == ec2.proto;

src/analyzer/Manager.cc

@@ -96,6 +96,18 @@ void Manager::InitPreScript()
 
 void Manager::InitPostScript()
 	{
+	auto id = global_scope()->Lookup("Tunnel::vxlan_ports");
+
+	if ( ! (id && id->ID_Val()) )
+		reporter->FatalError("Tunnel::vxlan_ports not defined");
+
+	auto table_val = id->ID_Val()->AsTableVal();
+	auto port_list = table_val->ConvertToPureList();
+
+	for ( auto i = 0; i < port_list->Length(); ++i )
+		vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port());
+
+	Unref(port_list);
 	}
 
 void Manager::DumpDebug()

src/analyzer/Manager.h

@@ -22,6 +22,7 @@
 #define ANALYZER_MANAGER_H
 
 #include <queue>
+#include <vector>
 
 #include "Analyzer.h"
 #include "Component.h"
@@ -335,6 +336,13 @@ public:
 	void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p,
 			      Val* analyzer, double timeout);
 
+
+	/**
+	 * @return the UDP port numbers to be associated with VXLAN traffic.
+	 */
+	const std::vector<uint16>& GetVxlanPorts() const
+		{ return vxlan_ports; }
+
 private:
 	typedef set<Tag> tag_set;
 	typedef map<uint32, tag_set*> analyzer_map_by_port;
@@ -390,6 +398,7 @@ private:
 
 	conns_map conns;
 	conns_queue conns_by_timeout;
+	std::vector<uint16> vxlan_ports;
 };
 
 }

src/analyzer/protocol/udp/UDP.cc

@@ -7,6 +7,7 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/Manager.h"
 #include "Reporter.h"
 #include "Conn.h"
 
@@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	int chksum = up->uh_sum;
 
-	if ( ! ignore_checksums && caplen >= len )
+	auto validate_checksum = ! ignore_checksums && caplen >=len;
+	constexpr auto vxlan_len = 8;
+	constexpr auto eth_len = 14;
+
+	if ( validate_checksum &&
+	     len > (sizeof(struct udphdr) + vxlan_len + eth_len) &&
+	     (data[0] & 0x08) == 0x08 )
+		{
+		auto& vxlan_ports = analyzer_mgr->GetVxlanPorts();
+
+		if ( std::find(vxlan_ports.begin(), vxlan_ports.end(),
+		               ntohs(up->uh_dport)) != vxlan_ports.end() )
+			{
+			// Looks like VXLAN on a well-known port, so the checksum should be
+			// transmitted as zero, and we should accept that.  If not
+			// transmitted as zero, then validating the checksum is optional.
+			if ( chksum == 0 )
+				validate_checksum = false;
+			else
+				validate_checksum = BifConst::Tunnel::validate_vxlan_checksums;
+			}
+		}
+
+	if ( validate_checksum )
 		{
 		bool bad = false;
 

src/analyzer/protocol/vxlan/VXLAN.cc

@@ -3,7 +3,6 @@
 #include "TunnelEncapsulation.h"
 #include "Conn.h"
 #include "IP.h"
-#include "../arp/ARP.h"
 #include "Reporter.h"
 
 #include "events.bif.h"
@@ -16,154 +15,86 @@ void VXLAN_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-bool VXLANEncapsulation::DoParse(const u_char* data, int& len)
-	{
-		int eth_len = 14;
-		int vxlan_len = 8;
-		int eth_mac = 6;
-		int proto = 0;
-		reporter->Error("VXLANEncapsulation::DoParse len: %d", len);
-		/* Note: outer Ethernet, IP, UDP layers already skipped */
-		if ( len < vxlan_len )
-		{
-			Weird("VXLAN_truncated missing VXLAN header");
-			return false;
-		}
-		/* Flags (8 bits): where the I flag MUST be set to 1 for a valid
-			 VXLAN Network ID (VNI).  The other 7 bits (designated "R") are
-			 reserved fields and MUST be set to zero on transmission and
-			 ignored on receipt.*/
-		if ( ! (data[0] & 0x8) )
-		{
-			Weird("VXLAN_flags packet missing I flag set ");
-			return false;
-		}
-		if ( len < vxlan_len + eth_len )
-		{
-			Weird("VXLAN_truncated missing inner packet header");
-			return false;
-		}
-		printf("Checking packet ethertype for inner packet:\n");
-		uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac)));
-		if ( proto_typ == 0x0800 )
-			proto = IPPROTO_IPV4;
-		else if ( proto_typ == 0x86dd )
-			proto = IPPROTO_IPV6;
-		else		{
-			Weird("VXLAN_ethertype inner packet should be ethertype: IPv4 or IPv6");
-			int i;
-			for (i=0; i < 2; i++)
-				printf("%02x ",data[vxlan_len+2*eth_mac+i]);
-			return false;
-		}
-		data += vxlan_len + eth_len;
-		len -= vxlan_len + eth_len;
-		inner_ip = data;
-		return true;
-	}
-
-RecordVal* VXLANEncapsulation::BuildVal(const IP_Hdr* inner) const
-	{
-	static RecordType* vxlan_hdr_type = 0;
-	static RecordType* vxlan_auth_type = 0;
-	static RecordType* vxlan_origin_type = 0;
-	reporter->Error("VXLANEncapsulation::BuildVal");
-
-	RecordVal* vxlan_hdr = new RecordVal(vxlan_hdr_type);
-	vxlan_hdr->Assign(1, inner->BuildPktHdrVal());
-	return vxlan_hdr;
-	}
-
 void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
                                    uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-	/* Note: it seems we get the packet AFTER UDP header. */
 
-	VXLANEncapsulation vx(this);
+	// Outer Ethernet, IP, and UDP layers already skipped.
+	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
 
-	// If a carried packet has ethernet, this will help skip it.
+	constexpr auto vxlan_len = 8;
-	int eth_len = 14;
-	int udp_len = 8;
-	int vlan_len = 4;
-	int vxlan_len = 8;
-	int eth_mac = 6;
-	int i = 0;
-	int vni= 0;
-	int proto = 0;
 
-	const EncapsulationStack* e = Conn()->GetEncapsulation();
-	IP_Hdr* inner = 0;
-	int rslt = sessions->ParseIPPacket(len, data + vxlan_len + eth_len, IPPROTO_IPV4, inner);
-
-	reporter->Info("VXLAN_Analyzer::DeliverPacket");
-	reporter->Info("len: %d", len);
-	printf("Packet hex:\n");
-	for (i=0; i < len; i++)
-		printf("%0x ",data[i]);
-	printf("\n");
-	/* Note: outer Ethernet, IP, UDP layers already skipped */
 	if ( len < vxlan_len )
 		{
-		Weird("VXLAN_truncated missing VXLAN header");
+		ProtocolViolation("VXLAN header truncation", (const char*) data, len);
 		return;
 		}
-	/* Flags (8 bits): where the I flag MUST be set to 1 for a valid
+
-		 VXLAN Network ID (VNI).  The other 7 bits (designated "R") are
+	if ( (data[0] & 0x08) == 0 )
-		 reserved fields and MUST be set to zero on transmission and
-		 ignored on receipt.*/
-	if ( ! (data[0] & 0x8) )
 		{
-		Weird("VXLAN_flags packet missing I flag set ");
+		ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len);
 		return;
 		}
-	if ( len < vxlan_len + eth_len )
+
+	const EncapsulationStack* estack = Conn()->GetEncapsulation();
+
+	if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth )
 		{
-		Weird("VXLAN_truncated missing inner packet header");
+		reporter->Weird(Conn(), "tunnel_depth");
 		return;
 		}
-	printf("Checking packet ethertype for inner packet:\n");
+
-	uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac)));
+	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
-	switch (proto_typ)
+
+	data += vxlan_len;
+	caplen -= vxlan_len;
+	len -= vxlan_len;
+
+	pkt_timeval ts;
+	ts.tv_sec = (time_t) current_timestamp;
+	ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000);
+	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+
+	if ( ! pkt.Layer2Valid() )
 		{
-		case 0x0800:
+		ProtocolViolation("VXLAN invalid inner ethernet frame",
-			proto = IPPROTO_IPV4;
+		                  (const char*) data, len);
+		return;
+		}
+
+	data += pkt.hdr_size;
+	len -= pkt.hdr_size;
+	caplen -= pkt.hdr_size;
+
+	IP_Hdr* inner = nullptr;
+	int res = 0;
+
+	switch ( pkt.l3_proto ) {
+		case L3_IPV4:
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner);
 			break;
-  	case 0x86dd:
+		case L3_IPV6:
-			proto = IPPROTO_IPV6;
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner);
-			break;
-		case 0x8100:
-		case 0x9100:
-			/* 802.1q / 802.1ad */
-			proto = proto_typ;
-			if (len < vxlan_len + eth_len + vlan_len)
-			{
-				Weird("VXLAN truncated inner packet VLAN ether header ");
-				return;
-			}
-      /* Set type then to next ethertype ? */
 			break;
 		default:
-			Weird("VXLAN_ethertype inner packet should be ethertype: VLAN, IPv4 or IPv6");
-			int i;
-			for (i=0; i < 2; i++)
-				printf("%02x ",data[vxlan_len+2*eth_mac+i]);
 			return;
-
 	}
 
-	printf("Packet safety checks done\n");
+	if ( res < 0 )
-	vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+		{
-	printf("VXLAN VNI %d\n",vni);
+		delete inner;
+		ProtocolViolation("Truncated VXLAN or invalid inner IP",
+		                  (const char*) data, len);
+		return;
+		}
+
+	ProtocolConfirmation();
+
+	if ( vxlan_packet )
+		Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(),
+		              val_mgr->GetCount(vni));
 
-	/*	Do we want the inner packet with or without Ethernet header?
-	data += vxlan_len + udp_len + eth_len;
-	len -= vxlan_len + udp_len + eth_len;
-	caplen -= vxlan_len + udp_len + eth_len;
-*/
-	data += udp_len + vxlan_len;
-	len -= udp_len + vxlan_len;
-	caplen -= udp_len + vxlan_len;
 	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
-	sessions->DoNextInnerPacket(network_time, 0, inner, e, ec);
+	sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec);
 	}

src/analyzer/protocol/vxlan/VXLAN.h

@@ -9,11 +9,8 @@ namespace analyzer { namespace vxlan {
 
 class VXLAN_Analyzer : public analyzer::Analyzer {
 public:
-	explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn),
+	explicit VXLAN_Analyzer(Connection* conn)
-	                                    valid_orig(false), valid_resp(false)
+	    : Analyzer("VXLAN", conn)
-		{}
-
-	~VXLAN_Analyzer() override
 		{}
 
 	void Done() override;
@@ -23,63 +20,6 @@ public:
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new VXLAN_Analyzer(conn); }
-
-	/**
-	 * Emits a weird only if the analyzer has previously been able to
-	 * decapsulate a VXLAN packet in both directions or if *force* param is
-	 * set, since otherwise the weirds could happen frequently enough to be less
-	 * than helpful.  The *force* param is meant for cases where just one side
-	 * has a valid encapsulation and so the weird would be informative.
-	 */
-	void Weird(const char* name, bool force = false) const
-		{
-		if ( ProtocolConfirmed() || force )
-			reporter->Weird(Conn(), name);
-		}
-
-	/**
-	 * If the delayed confirmation option is set, then a valid encapsulation
-	 * seen from both end points is required before confirming.
-	 */
-/*	copied from Teredo, do we want this too for VXLAN?
-    void Confirm()
-		{
-		if ( ! BifConst::Tunnel::delay_vxlan_confirmation ||
-		     ( valid_orig && valid_resp ) )
-			ProtocolConfirmation();
-		}*/
-
-protected:
-	bool valid_orig;
-	bool valid_resp;
-};
-
-class VXLANEncapsulation {
-public:
-	explicit VXLANEncapsulation(const VXLAN_Analyzer* ta)
-		: inner_ip(0), analyzer(ta)
-		{}
-
-	/**
-	 * Returns whether input data parsed as a valid VXLAN encapsulation type.
-	 * If it was valid, the len argument is decremented appropriately.
-	 */
-	bool Parse(const u_char* data, int& len)
-		{ return DoParse(data, len); }
-
-	const u_char* InnerIP() const
-		{ return inner_ip; }
-
-	RecordVal* BuildVal(const IP_Hdr* inner) const;
-
-protected:
-	bool DoParse(const u_char* data, int& len);
-
-	void Weird(const char* name) const
-		{ analyzer->Weird(name); }
-
-	const u_char* inner_ip;
-	const VXLAN_Analyzer* analyzer;
 };
 
 } } // namespace analyzer::*

src/analyzer/protocol/vxlan/events.bif

@@ -5,8 +5,8 @@
 ##
 ## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
 ##
-## .. bro:see:: vxlan_authentication vxlan_origin_indication vxlan_bubble
+## vni: VXLAN Network Identifier.
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ##    it may become particularly expensive for real-time analysis.
-event vxlan_packet%(outer: connection, inner: vxlan_hdr%);
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);

src/const.bif

@@ -19,9 +19,9 @@ const Tunnel::enable_ayiya: bool;
 const Tunnel::enable_teredo: bool;
 const Tunnel::enable_gtpv1: bool;
 const Tunnel::enable_gre: bool;
-const Tunnel::enable_vxlan: bool;
 const Tunnel::delay_teredo_confirmation: bool;
 const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
+const Tunnel::validate_vxlan_checksums: bool;
 
 const Threading::heartbeat_interval: interval;

testing/btest/Baseline/core.print-bpf-filters/conn.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-14
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1278600802.069419	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	-
-#close	2016-07-13-16-12-59
+#close	2019-03-12-03-25-14

testing/btest/Baseline/core.print-bpf-filters/output

@@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-57
+#open	2019-03-12-03-25-12
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426377.846975	bro	ip or not ip	T	T
+1552361112.763592	bro	ip or not ip	T	T
-#close	2016-07-13-16-12-57
+#close	2019-03-12-03-25-12
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-13
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426378.362651	bro	port 42	T	T
+1552361113.442916	bro	port 42	T	T
-#close	2016-07-13-16-12-58
+#close	2019-03-12-03-25-13
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-58
+#open	2019-03-12-03-25-14
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426378.944945	bro	(vlan) and (ip or not ip)	T	T
+1552361114.111534	bro	(vlan) and (ip or not ip)	T	T
-#close	2016-07-13-16-12-59
+#close	2019-03-12-03-25-14

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -21,6 +21,7 @@
 1 4011
 2 443
 1 445
+1 4789
 1 502
 1 5060
 1 5072
@@ -54,8 +55,8 @@
 1 992
 1 993
 1 995
-61 and
+62 and
-60 or
+61 or
-61 port
+62 port
 42 tcp
-19 udp
+20 udp

testing/btest/Baseline/core.tunnels.vxlan/conn.log

@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2018-10-18-11-51-46
+#open	2019-03-12-03-29-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1368908504.882198	CUY3VO38piNbzBWoCf	192.168.202.1	42710	192.168.203.1	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1467818432.676047	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	udp	vxlan	3.004434	424	0	S0	-	-	0	D	4	536	0	0	-
-1368908504.882536	C938WE2Zxjsr1dQt8	192.168.203.1	52102	192.168.202.1	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1467818432.675392	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
-1368908504.925960	CPPxeT3vy9lhCeFyzf	192.168.202.1	32894	192.168.203.1	4789	udp	-	2.959399	424	0	S0	-	-	0	D	4	536	0	0	-
+1467818432.675732	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
-1368908504.837063	CAL8II3MrNKoLygbR	192.168.203.1	45149	192.168.202.1	4789	udp	-	3.004913	424	0	S0	-	-	0	D	4	536	0	0	-
+1467818432.676385	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	udp	vxlan	3.004278	424	0	S0	-	-	0	D	4	536	0	0	-
-1368908504.837063	C3MYEy2ilZOiJASuTk	192.168.203.3	8	192.168.203.5	0	icmp	-	3.048296	224	224	OTH	-	-	0	-	4	336	4	336	CAL8II3MrNKoLygbR,CPPxeT3vy9lhCeFyzf
+1467818432.676047	CtPZjS20MLrsMUOJi2	10.0.0.1	8	10.0.0.2	0	icmp	-	3.004616	224	224	OTH	-	-	0	-	4	336	4	336	CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
-#close	2018-10-18-11-51-46
+#close	2019-03-12-03-29-46

testing/btest/Baseline/core.tunnels.vxlan/out

@@ -0,0 +1,8 @@
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123

testing/btest/Baseline/core.tunnels.vxlan/tunnel.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#open	2018-10-18-11-51-46
+#open	2019-03-12-03-29-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1368908504.837063	CAL8II3MrNKoLygbR	192.168.203.1	45149	192.168.202.1	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+1467818432.676047	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	Tunnel::VXLAN	Tunnel::DISCOVER
-1368908504.925960	CPPxeT3vy9lhCeFyzf	192.168.202.1	32894	192.168.203.1	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+1467818432.676385	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	Tunnel::VXLAN	Tunnel::DISCOVER
-1368908507.885359	CPPxeT3vy9lhCeFyzf	192.168.202.1	32894	192.168.203.1	4789	Tunnel::VXLAN	Tunnel::CLOSE
+1467818435.680663	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	Tunnel::VXLAN	Tunnel::CLOSE
-1368908507.885359	CAL8II3MrNKoLygbR	192.168.203.1	45149	192.168.202.1	4789	Tunnel::VXLAN	Tunnel::CLOSE
+1467818435.680663	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	Tunnel::VXLAN	Tunnel::CLOSE
-#close	2018-10-18-11-51-46
+#close	2019-03-12-03-29-46

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro
     build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro
     build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro

testing/btest/Baseline/plugins.hooks/output

@@ -61,6 +61,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
@@ -126,6 +127,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
@@ -154,6 +156,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
@@ -274,7 +277,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -459,7 +462,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -683,6 +686,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1
@@ -956,6 +960,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
@@ -1021,6 +1026,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
@@ -1049,6 +1055,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
@@ -1169,7 +1176,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1354,7 +1361,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1578,6 +1585,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_UDP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.types.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro)
@@ -1851,6 +1859,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@@ -1916,6 +1925,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
@@ -1944,6 +1954,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Cluster::local_node_type()
@@ -2063,7 +2074,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2248,7 +2259,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2472,6 +2483,7 @@
 0.000000 | HookLoadFile  .<...>/Bro_UDP.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_Unified2.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_Unified2.types.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_VXLAN.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.functions.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_X509.ocsp_events.bif.bro
@@ -2678,7 +2690,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()

testing/btest/core/tunnels/vxlan.bro

@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+event vxlan_packet(c: connection, inner: pkt_hdr, vni: count)
+	{
+	print "vxlan_packet", c$id, inner, vni;
+	}

testing/btest/core/tunnels/vxlan.test

@@ -1,3 +0,0 @@
-# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan-sample.pcap
-# @TEST-EXEC: btest-diff conn.log
-# @TEST-EXEC: btest-diff tunnel.log