Add GTPv1 packet analyzer, disable old analyzer

scripts/base/frameworks/tunnels/main.zeek

@@ -90,14 +90,9 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { gtpv1_ports };
-
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
-
-	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)

scripts/base/packet-protocols/__load__.zeek

@@ -25,3 +25,4 @@
 @load base/packet-protocols/geneve
 @load base/packet-protocols/vxlan
 @load base/packet-protocols/teredo
+@load base/packet-protocols/gtpv1

scripts/base/packet-protocols/gtpv1/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/gtpv1/main.zeek

@@ -0,0 +1,28 @@
+module PacketAnalyzer::GTPV1;
+
+# This needs to be loaded here so the function is available. Function BIFs normally aren't
+# loaded until after the packet analysis init scripts are run, and then zeek complains it
+# can't find the function.
+@load base/bif/plugins/Zeek_GTPv1.functions.bif
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+export {
+        ## Default analyzer
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
+}
+
+const gtpv1_ports = { 2152/udp, 2123/udp };
+redef likely_server_ports += { gtpv1_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1);
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	remove_gtpv1_connection(c$id);
+	}