diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 90d5e6b079..2a68497874 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@@ -801,66 +801,6 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
 return vv;
 }
 
-int ICMPAnalyzer::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
- {
- is_one_way = false;
-
- // Return the counterpart type if one exists. This allows us
- // to track corresponding ICMP requests/replies.
- // Note that for the two-way ICMP messages, icmp_code is
- // always 0 (RFC 792).
- switch ( icmp_type ) {
- case ICMP_ECHO: return ICMP_ECHOREPLY;
- case ICMP_ECHOREPLY: return ICMP_ECHO;
-
- case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
- case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
-
- case ICMP_IREQ: return ICMP_IREQREPLY;
- case ICMP_IREQREPLY: return ICMP_IREQ;
-
- case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
- case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
-
- case ICMP_MASKREQ: return ICMP_MASKREPLY;
- case ICMP_MASKREPLY: return ICMP_MASKREQ;
-
- default: is_one_way = true; return icmp_code;
- }
- }
-
-int ICMPAnalyzer::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
- {
- is_one_way = false;
-
- switch ( icmp_type ) {
- case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
- case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
-
- case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
- case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
-
- case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
- case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
-
- case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
- case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
-
- // ICMP node information query and response respectively (not defined in
- // icmp6.h)
- case 139: return 140;
- case 140: return 139;
-
- // Home Agent Address Discovery Request Message and reply
- case 144: return 145;
- case 145: return 144;
-
- // TODO: Add further counterparts.
-
- default: is_one_way = true; return icmp_code;
- }
- }
-
 void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 {
 static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
@@ -930,3 +870,67 @@ void ICMPSessionAdapter::Done()
 SessionAdapter::Done();
 matcher_state.FinishEndpointMatcher();
 }
+
+namespace zeek::packet_analysis::ICMP {
+
+int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+ {
+ is_one_way = false;
+
+ // Return the counterpart type if one exists. This allows us
+ // to track corresponding ICMP requests/replies.
+ // Note that for the two-way ICMP messages, icmp_code is
+ // always 0 (RFC 792).
+ switch ( icmp_type ) {
+ case ICMP_ECHO: return ICMP_ECHOREPLY;
+ case ICMP_ECHOREPLY: return ICMP_ECHO;
+
+ case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
+ case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
+
+ case ICMP_IREQ: return ICMP_IREQREPLY;
+ case ICMP_IREQREPLY: return ICMP_IREQ;
+
+ case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
+ case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
+
+ case ICMP_MASKREQ: return ICMP_MASKREPLY;
+ case ICMP_MASKREPLY: return ICMP_MASKREQ;
+
+ default: is_one_way = true; return icmp_code;
+ }
+ }
+
+int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+ {
+ is_one_way = false;
+
+ switch ( icmp_type ) {
+ case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
+ case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
+
+ case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
+ case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
+
+ case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
+ case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
+
+ case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
+ case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
+
+ // ICMP node information query and response respectively (not defined in
+ // icmp6.h)
+ case 139: return 140;
+ case 140: return 139;
+
+ // Home Agent Address Discovery Request Message and reply
+ case 144: return 145;
+ case 145: return 144;
+
+ // TODO: Add further counterparts.
+
+ default: is_one_way = true; return icmp_code;
+ }
+ }
+
+} // namespace zeek::packet_analysis::ICMP
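Review bot: The `default:` branches of `ICMP4_counterpart` and `ICMP6_counterpart` return `icmp_code`, not a type, and nothing at either definition says so. The ICMP.h hunks suggest these were private members before; now that they are free functions in `zeek::packet_analysis::ICMP`, a caller outside the analyzer could take the return value for a counterpart type without first checking `is_one_way`. I would put a comment above each `default:` such as `// No known counterpart: flag the message as one-way and return icmp_code, not a type.` and extend the declaration comment in ICMP.h to describe `is_one_way` and this fallback. The bare `139`/`140` and `144`/`145` cases in `ICMP6_counterpart` would also read better as named constants, since the comment says icmp6.h does not define them.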
diff --git a/src/packet_analysis/protocol/icmp/ICMP.h b/src/packet_analysis/protocol/icmp/ICMP.h
index 2ba00134c8..eec1eaaac6 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.h
+++ b/src/packet_analysis/protocol/icmp/ICMP.h
@@ -99,11 +99,6 @@ private:
 ICMPSessionAdapter* adapter);
 
 void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
-
- // Returns the counterpart type to the given type (e.g., the counterpart
- // to ICMP_ECHOREPLY is ICMP_ECHO).
- int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
- int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
 };
 
 class ICMPSessionAdapter final : public IP::SessionAdapter {
@@ -135,5 +130,10 @@ private:
 int reply_len = -1;
 };
 
+// Returns the counterpart type to the given type (e.g., the counterpart
+// to ICMP_ECHOREPLY is ICMP_ECHO).
+extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
+extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
+
 } // namespace packet_analysis::ICMP
 } // namespace zeek
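Review bot: `extern` on the two declarations added at the end of the header is redundant, because a namespace-scope function declaration already has external linkage. `int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);` declares the same thing, and the same applies to the `ICMP6_counterpart` line below it. Since the return value is meaningful only together with `is_one_way`, `[[nodiscard]]` on both declarations would be a cheap guard if the project's language level allows it.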