From 195b87b873362835c528a406d6fbece9bbfaabed Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 24 Mar 2025 15:20:30 -0700
Subject: [PATCH] Make SNAP analyzer use both OUI and protocol for forwarding
---
 src/packet_analysis/protocol/snap/SNAP.cc | 12 ++++++------
 .../unknown_protocols.log | 11 +++++++++++
 testing/btest/Traces/README | 2 ++
 testing/btest/Traces/cdp-v1.pcap | Bin 0 -> 340 bytes
 .../scripts/base/protocols/snap/snap-cdp.test | 4 ++++
 5 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log
 create mode 100644 testing/btest/Traces/cdp-v1.pcap
 create mode 100644 testing/btest/scripts/base/protocols/snap/snap-cdp.test
diff --git a/src/packet_analysis/protocol/snap/SNAP.cc b/src/packet_analysis/protocol/snap/SNAP.cc
index 36bd4236a6..f09b9950b6 100644
--- a/src/packet_analysis/protocol/snap/SNAP.cc
+++ b/src/packet_analysis/protocol/snap/SNAP.cc
@@ -36,11 +36,11 @@ bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
     data += 5;
     len -= 5;
 
-    if ( oui == 0 ) {
-        // If the OUI is zero, the protocol is a standard ethertype and can be
-        // forwarded as such.
-        return ForwardPacket(len, data, packet, protocol);
-    }
+    // Protocol values for SNAP can differ based what OUI publishes them, so use a
+    // combination of them for the identifier used to forward.
+    int64_t identifier = oui;
+    identifier <<= 16;
+    identifier |= protocol;
 
-    return true;
+    return ForwardPacket(len, data, packet, identifier);
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log b/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log
new file mode 100644
index 0000000000..01a7c037c7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log
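Review bot: The identifier is assembled as a 40-bit value (24-bit OUI shifted left by 16, OR'd with the 16-bit protocol) in an int64_t, but the type of ForwardPacket's identifier parameter is not visible in the hunk; if it is narrower than 40 bits — the packet-analysis dispatcher appears to key on 32-bit identifiers elsewhere in Zeek, which needs confirming — the top byte of the OUI is silently truncated at the call, so two OUIs that share their low 16 bits alias to one identifier and a frame can be dispatched to a child analyzer registered for a different vendor. If the parameter is 32 bits, make the conversion explicit (a checked narrowing, or a `static_assert` relating the shift to the parameter's width) instead of relying on implicit narrowing, and document the layout that registrations must match; the new baseline's protocol_id 0xc2000 is consistent with OUI 0x00000c and protocol 0x2000 under this scheme. The comment also reads awkwardly; suggested wording: `// Protocol values for SNAP depend on which OUI publishes them, so forward on` / `// the combination (oui << 16) | protocol; an OUI of zero keeps the plain ethertype value.` The enclosing AnalyzePacket, where oui and protocol are parsed, begins above the hunk.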
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path unknown_protocols
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts analyzer protocol_id first_bytes analyzer_history
+#types time string string string vector[string]
+XXXXXXXXXX.XXXXXX SNAP 0xc2000 01b4dff0000100065231 ETHERNET,SNAP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index b26ef4424b..6f9576cb71 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -48,3 +48,5 @@ Trace Index/Sources:
   https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
 - tunnels/geneve-tagged-udp-packet.pcap
   Provided by Eldon Koyle Corelight for testing.
+- cdp-v1.pcap
+  From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
\ No newline at end of file
diff --git a/testing/btest/Traces/cdp-v1.pcap b/testing/btest/Traces/cdp-v1.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..cde058b52df32b25de2cd1575b60b78eff0bdebf
GIT binary patch
literal 340
zcmYL@!AiqG5Qb;lS|nD%gV!?01d@_%AvE4fh)}3jlA?G_(`^$pN!hHFK8`o(QG9@c
z*BmW)QXj!LsGAmXU=IKM^Ur+mZ!b?3sKH-tw*W+n@j7rn`$wQlQ8s}_Q55jq+-%NB
zbG51hG!V$^*N?R79)${=$`~P}fZF<5Ay9>5S451bOqlY)Vd=sFd^m9)X4p@~&RS&r
z9*1+r0}-b)^q09{3HsSoECS9@=?{HWMWP|KO!I%PI;A$Q?u>z^;|=3^oTW%