Added skeletons for TCP/UDP/ICMP packet analysis plugins.

This includes integration into the IP plugin and calling of the sessions code from each plugin.

src/packet_analysis/protocol/CMakeLists.txt

@@ -15,6 +15,9 @@ add_subdirectory(linux_sll)
 
 add_subdirectory(arp)
 add_subdirectory(ip)
+add_subdirectory(udp)
+add_subdirectory(tcp)
+add_subdirectory(icmp)
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
 add_subdirectory(vntag)

src/packet_analysis/protocol/icmp/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer ICMP_PKT)
+zeek_plugin_cc(ICMP.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/icmp/ICMP.cc

@@ -0,0 +1,22 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/icmp/ICMP.h"
+#include "zeek/RunState.h"
+#include "zeek/session/Manager.h"
+
+using namespace zeek::packet_analysis::ICMP;
+
+ICMPAnalyzer::ICMPAnalyzer()
+	: zeek::packet_analysis::Analyzer("ICMP_PKT")
+	{
+	}
+
+ICMPAnalyzer::~ICMPAnalyzer()
+	{
+	}
+
+bool ICMPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	session_mgr->ProcessTransportLayer(run_state::processing_start_time, packet, len);
+	return true;
+	}

src/packet_analysis/protocol/icmp/ICMP.h

@@ -0,0 +1,26 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::ICMP {
+
+class ICMPAnalyzer : public Analyzer {
+public:
+	ICMPAnalyzer();
+	~ICMPAnalyzer() override;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<ICMPAnalyzer>();
+		}
+
+private:
+
+};
+
+}

src/packet_analysis/protocol/icmp/Plugin.cc

@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/icmp/ICMP.h"
+
+namespace zeek::plugin::Zeek_ICMP {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component("ICMP_PKT",
+		                 zeek::packet_analysis::ICMP::ICMPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::ICMP_PKT";
+		config.description = "Packet analyzer for ICMP";
+		return config;
+		}
+
+} plugin;
+
+}

src/packet_analysis/protocol/ip/IP.cc

@@ -235,14 +235,6 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	packet->proto = proto;
 
 	switch ( proto ) {
-	case IPPROTO_TCP:
-	case IPPROTO_UDP:
-	case IPPROTO_ICMP:
-	case IPPROTO_ICMPV6:
-		DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
-		        GetAnalyzerName(), proto);
-		session_mgr->ProcessTransportLayer(run_state::processing_start_time, packet, len);
-		break;
 	case IPPROTO_NONE:
 		// If the packet is encapsulated in Teredo, then it was a bubble and
 		// the Teredo analyzer may have raised an event for that, else we're

src/packet_analysis/protocol/tcp/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer TCP_PKT)
+zeek_plugin_cc(TCP.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/tcp/Plugin.cc

@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/tcp/TCP.h"
+
+namespace zeek::plugin::Zeek_TCP {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component("TCP_PKT",
+		                 zeek::packet_analysis::TCP::TCPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::TCP_PKT";
+		config.description = "Packet analyzer for TCP";
+		return config;
+		}
+
+} plugin;
+
+}

src/packet_analysis/protocol/tcp/TCP.cc

@@ -0,0 +1,22 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/tcp/TCP.h"
+#include "zeek/RunState.h"
+#include "zeek/session/Manager.h"
+
+using namespace zeek::packet_analysis::TCP;
+
+TCPAnalyzer::TCPAnalyzer()
+	: zeek::packet_analysis::Analyzer("TCP_PKT")
+	{
+	}
+
+TCPAnalyzer::~TCPAnalyzer()
+	{
+	}
+
+bool TCPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	session_mgr->ProcessTransportLayer(run_state::processing_start_time, packet, len);
+	return true;
+	}

src/packet_analysis/protocol/tcp/TCP.h

@@ -0,0 +1,26 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::TCP {
+
+class TCPAnalyzer : public Analyzer {
+public:
+	TCPAnalyzer();
+	~TCPAnalyzer() override;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<TCPAnalyzer>();
+		}
+
+private:
+
+};
+
+}

src/packet_analysis/protocol/udp/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer UDP_PKT)
+zeek_plugin_cc(UDP.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/udp/Plugin.cc

@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/udp/UDP.h"
+
+namespace zeek::plugin::Zeek_UDP {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component("UDP_PKT",
+		                 zeek::packet_analysis::UDP::UDPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::UDP_PKT";
+		config.description = "Packet analyzer for UDP";
+		return config;
+		}
+
+} plugin;
+
+}

src/packet_analysis/protocol/udp/UDP.cc

@@ -0,0 +1,22 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/udp/UDP.h"
+#include "zeek/RunState.h"
+#include "zeek/session/Manager.h"
+
+using namespace zeek::packet_analysis::UDP;
+
+UDPAnalyzer::UDPAnalyzer()
+	: zeek::packet_analysis::Analyzer("UDP_PKT")
+	{
+	}
+
+UDPAnalyzer::~UDPAnalyzer()
+	{
+	}
+
+bool UDPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	session_mgr->ProcessTransportLayer(run_state::processing_start_time, packet, len);
+	return true;
+	}

src/packet_analysis/protocol/udp/UDP.h

@@ -0,0 +1,26 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::UDP {
+
+class UDPAnalyzer : public Analyzer {
+public:
+	UDPAnalyzer();
+	~UDPAnalyzer() override;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<UDPAnalyzer>();
+		}
+
+private:
+
+};
+
+}