Add GTPv1 packet analyzer, disable old analyzer

src/packet_analysis/Analyzer.h

@@ -173,6 +173,18 @@ public:
 		       session::AnalyzerConfirmationState::VIOLATED;
 		}
 
+	/**
+	 * Reports a Weird with the analyzer's name included in the addl field.
+	 *
+	 * @param name The name of the weird.
+	 * @param packet An optional pointer to a packet to be used for additional
+	 * information in the weird output.
+	 * @param addl An optional string containing additional information about
+	 * the weird. If this is passed, the analyzer's name will be prepended to
+	 * it before output.
+	 */
+	void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
+
 protected:
 	friend class Manager;
 
@@ -227,18 +239,6 @@ protected:
 	 */
 	bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
 
-	/**
-	 * Reports a Weird with the analyzer's name included in the addl field.
-	 *
-	 * @param name The name of the weird.
-	 * @param packet An optional pointer to a packet to be used for additional
-	 * information in the weird output.
-	 * @param addl An optional string containing additional information about
-	 * the weird. If this is passed, the analyzer's name will be prepended to
-	 * it before output.
-	 */
-	void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
-
 private:
 	zeek::Tag tag;
 	Dispatcher dispatcher;

src/packet_analysis/protocol/CMakeLists.txt

@@ -26,3 +26,4 @@ add_subdirectory(ayiya)
 add_subdirectory(geneve)
 add_subdirectory(vxlan)
 add_subdirectory(teredo)
+add_subdirectory(gtpv1)

src/packet_analysis/protocol/gtpv1/CMakeLists.txt

@@ -0,0 +1,11 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek GTPv1)
+zeek_plugin_cc(GTPv1.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+zeek_plugin_end()

src/packet_analysis/protocol/gtpv1/GTPv1.cc

@@ -0,0 +1,102 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+
+#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
+#include "zeek/packet_analysis/protocol/ip/IP.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+namespace zeek::packet_analysis::gtpv1
+	{
+GTPv1_Analyzer::GTPv1_Analyzer() : zeek::packet_analysis::Analyzer("GTPV1") { }
+
+bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// GTPv1 always comes from a UDP connection, which means that session should always
+	// be valid and always be a connection. Return a weird if we didn't have a session
+	// stored.
+	if ( ! packet->session )
+		{
+		Analyzer::Weird("gtpv1_missing_connection");
+		return false;
+		}
+
+	auto conn = static_cast<Connection*>(packet->session);
+	zeek::detail::ConnKey conn_key = conn->Key();
+
+	auto cm_it = conn_map.find(conn_key);
+	if ( cm_it == conn_map.end() )
+		cm_it = conn_map.insert(cm_it,
+		                        {conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)});
+
+	try
+		{
+		cm_it->second->set_raw_packet(packet);
+		cm_it->second->NewData(packet->is_orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()), packet->session);
+		return false;
+		}
+
+	// Inner packet offset not being set means we failed to process somewhere, and SetInnerInfo()
+	// was never called by the binpac code. Assume this is a failure and return false.
+	if ( inner_packet_offset <= 0 )
+		return false;
+
+	auto odata = data;
+	auto olen = len;
+	data += inner_packet_offset;
+	len -= inner_packet_offset;
+	inner_packet_offset = -1;
+
+	// TODO: i'm not sure about this. on the one hand, we do some error checking with the result
+	// but on the other hand we duplicate this work here. maybe this header could just be stored
+	// and reused in the IP analyzer somehow?
+	std::shared_ptr<IP_Hdr> inner = nullptr;
+	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
+
+	if ( result == 0 )
+		{
+		cm_it->second->set_valid(packet->is_orig, true);
+
+		if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+		     (cm_it->second->valid(true) && cm_it->second->valid(false)) )
+			AnalyzerConfirmation(packet->session);
+
+		if ( gtp_hdr_val )
+			{
+			BifEvent::enqueue_gtpv1_g_pdu_packet(nullptr, conn, std::move(gtp_hdr_val),
+			                                     inner->ToPktHdrVal());
+			gtp_hdr_val = nullptr;
+			}
+		}
+	else if ( result == -2 )
+		{
+		AnalyzerViolation("Invalid IP version in wrapped packet", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+	else if ( result < 0 )
+		{
+		AnalyzerViolation("Truncated GTPv1", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+	else
+		{
+		AnalyzerViolation("GTPv1 payload length", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GTPv1,
+		GetAnalyzerTag());
+
+	return ForwardPacket(len, data, inner_packet.get());
+	}
+
+	} // namespace zeek::packet_analysis::gtpv1

src/packet_analysis/protocol/gtpv1/GTPv1.h

@@ -0,0 +1,46 @@
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+
+#include "packet_analysis/protocol/gtpv1/gtpv1_pac.h"
+
+namespace binpac::GTPv1
+	{
+class GTPv1_Conn;
+	}
+
+namespace zeek::packet_analysis::gtpv1
+	{
+
+class GTPv1_Analyzer final : public packet_analysis::Analyzer
+	{
+public:
+	explicit GTPv1_Analyzer();
+	~GTPv1_Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<GTPv1_Analyzer>();
+		}
+
+	void SetInnerInfo(int offset, uint8_t next, RecordValPtr val)
+		{
+		inner_packet_offset = offset;
+		next_header = next;
+		gtp_hdr_val = std::move(val);
+		}
+
+	void RemoveConnection(const zeek::detail::ConnKey& conn_key) { conn_map.erase(conn_key); }
+
+protected:
+	using ConnMap = std::map<zeek::detail::ConnKey, std::unique_ptr<binpac::GTPv1::GTPv1_Conn>>;
+	ConnMap conn_map;
+
+	int inner_packet_offset = -1;
+	uint8_t next_header = 0;
+	RecordValPtr gtp_hdr_val;
+	};
+
+	} // namespace zeek::packet_analysis::gtpv1

src/packet_analysis/protocol/gtpv1/Plugin.cc

@@ -0,0 +1,26 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+
+namespace zeek::plugin::detail::Zeek_GTPv1
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"GTPv1", zeek::packet_analysis::gtpv1::GTPv1_Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::GTPv1";
+		config.description = "GTPv1 analyzer";
+		return config;
+		}
+	} plugin;
+
+	} // namespace zeek::plugin::detail::Zeek_GTPv1

src/packet_analysis/protocol/gtpv1/events.bif

@@ -0,0 +1,74 @@
+## Generated for any GTP message with a GTPv1 header.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
+
+## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
+## Generated for GTPv1-C Create PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Create PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Update PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Update PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
+

src/packet_analysis/protocol/gtpv1/functions.bif

@@ -0,0 +1,20 @@
+module PacketAnalyzer::GTPV1;
+
+%%{
+#include "zeek/Conn.h"
+#include "zeek/session/Manager.h"
+#include "zeek/packet_analysis/Manager.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+%%}
+
+function remove_gtpv1_connection%(cid: conn_id%) : bool
+	%{
+	zeek::packet_analysis::AnalyzerPtr gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
+	if ( gtpv1 )
+		{
+		zeek::detail::ConnKey conn_key(cid);
+		static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
+		}
+
+	return zeek::val_mgr->True();
+	%}

src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac

@@ -0,0 +1,759 @@
+%extern{
+#include "zeek/ZeekString.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+%}
+
+%code{
+zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
+	{
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
+
+	rv->Assign(0, pdu->version());
+	rv->Assign(1, pdu->pt_flag());
+	rv->Assign(2, pdu->rsv());
+	rv->Assign(3, pdu->e_flag());
+	rv->Assign(4, pdu->s_flag());
+	rv->Assign(5, pdu->pn_flag());
+	rv->Assign(6, pdu->msg_type());
+	rv->Assign(7, pdu->length());
+	rv->Assign(8, pdu->teid());
+
+	if ( pdu->has_opt() )
+		{
+		rv->Assign(9, pdu->opt_hdr()->seq());
+		rv->Assign(10, pdu->opt_hdr()->n_pdu());
+		rv->Assign(11, pdu->opt_hdr()->next_type());
+		}
+
+	return rv;
+	}
+
+static zeek::ValPtr BuildIMSI(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->imsi()->value());
+	}
+
+static zeek::ValPtr BuildRAI(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
+	ev->Assign(0, ie->rai()->mcc());
+	ev->Assign(1, ie->rai()->mnc());
+	ev->Assign(2, ie->rai()->lac());
+	ev->Assign(3, ie->rai()->rac());
+	return ev;
+	}
+
+static zeek::ValPtr BuildRecovery(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->recovery()->restart_counter());
+	}
+
+static zeek::ValPtr BuildSelectionMode(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->selection_mode()->mode());
+	}
+
+static zeek::ValPtr BuildTEID1(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->teid1()->value());
+	}
+
+static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->teidcp()->value());
+	}
+
+static zeek::ValPtr BuildNSAPI(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->nsapi()->nsapi());
+	}
+
+static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->charging_characteristics()->value());
+	}
+
+static zeek::ValPtr BuildTraceReference(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->trace_reference()->value());
+	}
+
+static zeek::ValPtr BuildTraceType(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->trace_type()->value());
+	}
+
+zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
+	ev->Assign(0, ie->end_user_addr()->pdp_type_org());
+	ev->Assign(1, ie->end_user_addr()->pdp_type_num());
+
+	int len = ie->end_user_addr()->pdp_addr().length();
+
+	if ( len > 0 )
+		{
+		const uint8* d = ie->end_user_addr()->pdp_addr().data();
+
+		switch ( ie->end_user_addr()->pdp_type_num() ) {
+		case 0x21:
+			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
+			  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
+			break;
+		case 0x57:
+			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
+			  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
+			break;
+		default:
+			ev->Assign(3, new zeek::String((const u_char*) d, len, false));
+			break;
+		}
+		}
+
+	return ev;
+	}
+
+zeek::ValPtr BuildAccessPointName(const InformationElement* ie)
+	{
+	zeek::String* bs = new zeek::String((const u_char*) ie->ap_name()->value().data(),
+	                                          ie->ap_name()->value().length(), false);
+	return zeek::make_intrusive<zeek::StringVal>(bs);
+	}
+
+zeek::ValPtr BuildProtoConfigOptions(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
+	int len = ie->proto_config_opts()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
+	}
+
+zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_gsn_addr);
+
+	int len = ie->gsn_addr()->value().length();
+	const uint8* d = ie->gsn_addr()->value().data();
+
+	if ( len == 4 )
+		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
+		  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
+	else if ( len == 16 )
+		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
+		  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
+	else
+		ev->Assign(1, new zeek::String((const u_char*) d, len, false));
+
+	return ev;
+	}
+
+zeek::ValPtr BuildMSISDN(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->msisdn()->value().data();
+	int len = ie->msisdn()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
+	}
+
+zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_qos_profile);
+
+	const u_char* d = (const u_char*) ie->qos_profile()->data().data();
+	int len = ie->qos_profile()->data().length();
+
+	ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
+	ev->Assign(1, new zeek::String(d, len, false));
+
+	return ev;
+	}
+
+zeek::ValPtr BuildTrafficFlowTemplate(const InformationElement* ie)
+	{
+	const uint8* d = ie->traffic_flow_template()->value().data();
+	int len = ie->traffic_flow_template()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildTriggerID(const InformationElement* ie)
+	{
+	const uint8* d = ie->trigger_id()->value().data();
+	int len = ie->trigger_id()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildOMC_ID(const InformationElement* ie)
+	{
+	const uint8* d = ie->omc_id()->value().data();
+	int len = ie->omc_id()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_private_extension);
+
+	const uint8* d = ie->private_ext()->value().data();
+	int len = ie->private_ext()->value().length();
+
+	ev->Assign(0, ie->private_ext()->id());
+	ev->Assign(1, new zeek::String((const u_char*) d, len, false));
+
+	return ev;
+	}
+
+static zeek::ValPtr BuildCause(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->cause()->value());
+	}
+
+static zeek::ValPtr BuildReorderReq(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Bool(ie->reorder_req()->req());
+	}
+
+static zeek::ValPtr BuildChargingID(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->charging_id()->value());;
+	}
+
+zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
+	{
+	const uint8* d = ie->charging_gateway_addr()->value().data();
+	int len = ie->charging_gateway_addr()->value().length();
+	if ( len == 4 )
+		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network));
+	else if ( len == 16 )
+		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network));
+	else
+		return nullptr;
+	}
+
+static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
+	}
+
+void CreatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_request ) return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_create_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
+
+	bool second_nsapi = false;
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_SELECTION_MODE:
+			rv->Assign(3, BuildSelectionMode(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(4, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(5, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			if ( second_nsapi )
+				rv->Assign(7, BuildNSAPI(ie));
+			else
+				{
+				second_nsapi = true;
+				rv->Assign(6, BuildNSAPI(ie));
+				}
+			break;
+		case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
+			rv->Assign(8, BuildChargingCharacteristics(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(9, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(10, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(11, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_ACCESS_POINT_NAME:
+			rv->Assign(12, BuildAccessPointName(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(13, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(15, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(14, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_MSISDN:
+			rv->Assign(16, BuildMSISDN(ie));
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(17, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(18, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(19, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(20, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(21, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void CreatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_create_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_REORDER_REQ:
+			rv->Assign(1, BuildReorderReq(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(5, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(6, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(7, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(11, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(12, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void UpdatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_request )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_update_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(5, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(6, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(7, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(11, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(12, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(13, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(14, BuildPrivateExt(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(15, BuildEndUserAddr(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void UpdatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_update_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(1, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(2, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(3, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(4, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(6, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(5, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(7, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(8, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(9, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void DeletePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_request )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_delete_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_TEARDOWN_IND:
+			rv->Assign(0, BuildTeardownInd(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(1, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(2, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void DeletePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_delete_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(1, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+%}
+
+connection GTPv1_Conn(zeek_analyzer: ZeekPacketAnalyzer)
+	{
+	upflow = GTPv1_Flow(true);
+	downflow = GTPv1_Flow(false);
+
+	%member{
+		bool valid_orig;
+		bool valid_resp;
+		ZeekPacket* packet;
+	%}
+
+	%init{
+		valid_orig = valid_resp = false;
+	%}
+
+	function valid(orig: bool): bool
+		%{
+		return orig ? valid_orig : valid_resp;
+		%}
+
+	function set_valid(orig: bool, val: bool): void
+		%{
+		if ( orig )
+			valid_orig = val;
+		else
+			valid_resp = val;
+		%}
+
+	function set_raw_packet(p: ZeekPacket): void
+		%{
+		packet = p;
+		%}
+
+	function get_raw_packet(): ZeekPacket
+		%{
+		return packet;
+		%}
+	}
+
+flow GTPv1_Flow(is_orig: bool)
+	{
+	datagram = GTPv1_Header withcontext(connection, this);
+
+	function violate(r: string, pdu: GTPv1_Header): void
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		a->AnalyzerViolation(r.c_str(), p->session);
+		%}
+
+	function process_gtpv1(pdu: GTPv1_Header): bool
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
+		const std::shared_ptr<zeek::EncapsulationStack> e = p->encap;
+
+		connection()->set_valid(is_orig(), false);
+
+		if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
+			{
+			a->Weird("tunnel_depth");
+			return false;
+			}
+
+		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+			{
+			// GTP is never tunneled in GTP so, this must be a regular packet
+			violate("GTP-in-GTP", pdu);
+			return false;
+			}
+
+		if ( ${pdu.version} != 1 )
+			{
+			// Only know of GTPv1 with Version == 1
+			violate("GTPv1 bad Version", pdu);
+			return false;
+			}
+
+		if ( ! ${pdu.pt_flag} )
+			{
+			// Not interested in GTP
+			return false;
+			}
+
+		if ( ::gtpv1_message )
+			zeek::BifEvent::enqueue_gtpv1_message(nullptr, c, BuildGTPv1Hdr(pdu));
+
+		switch ( ${pdu.msg_type} ) {
+		case 16:
+			CreatePDP_Request(a, c, pdu);
+			return true;
+		case 17:
+			CreatePDP_Response(a, c, pdu);
+			return true;
+		case 18:
+			UpdatePDP_Request(a, c, pdu);
+			return true;
+		case 19:
+			UpdatePDP_Response(a, c, pdu);
+			return true;
+		case 20:
+			DeletePDP_Request(a, c, pdu);
+			return true;
+		case 21:
+			DeletePDP_Response(a, c, pdu);
+			return true;
+		case 255:
+			return process_g_pdu(pdu);
+		default:
+			return false;
+		}
+
+		return false;
+		%}
+
+	function process_g_pdu(pdu: GTPv1_Header): bool
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
+
+		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+			{
+			violate("Truncated GTPv1", pdu);
+			return false;
+			}
+
+		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+		if ( ip->ip_v != 4 && ip->ip_v != 6 )
+			{
+			violate("non-IP packet in GTPv1", pdu);
+			return false;
+			}
+
+		int hdr_len = 8;
+
+		if ( pdu->has_opt() )
+			hdr_len += 4;
+
+		if ( pdu->e_flag() && pdu->ext_hdrs() )
+			for ( const auto& eh : *pdu->ext_hdrs() )
+				hdr_len += 2 + eh->contents().length();
+
+		auto next_hdr = ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4;
+		zeek::RecordValPtr hdr_val;
+
+		if ( ::gtpv1_g_pdu_packet )
+			hdr_val = BuildGTPv1Hdr(pdu);
+
+		static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(a)->SetInnerInfo(
+			hdr_len, next_hdr, std::move(hdr_val));
+
+		return true;
+		%}
+	};
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };

src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac

@@ -0,0 +1,496 @@
+
+type GTPv1_Header = record {
+	flags:     uint8;
+	msg_type:  uint8;
+	length:    uint16;
+	teid:      uint32;
+
+	opt:       case has_opt of {
+		true  -> opt_hdr: GTPv1_Opt_Header;
+		false -> no_opt:  empty;
+	};
+
+	ext:       case e_flag of {
+		true  -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
+		false -> no_ext:   empty;
+	};
+
+	msg:       case msg_type of {
+		16      -> create_pdp_ctx_request:  InformationElement[];
+		17      -> create_pdp_ctx_response: InformationElement[];
+		18      -> update_pdp_ctx_request:  InformationElement[];
+		19      -> update_pdp_ctx_response: InformationElement[];
+		20      -> delete_pdp_ctx_request:  InformationElement[];
+		21      -> delete_pdp_ctx_response: InformationElement[];
+		255     -> packet:  bytestring &restofdata;
+		default -> unknown: bytestring &restofdata;
+	};
+
+} &let {
+	version:  uint8 = (flags & 0xE0) >> 5;
+	pt_flag:  bool  = flags & 0x10;
+	rsv:      bool  = flags & 0x08;
+	e_flag:   bool  = flags & 0x04;
+	s_flag:   bool  = flags & 0x02;
+	pn_flag:  bool  = flags & 0x01;
+	has_opt:  bool  = flags & 0x07;
+} &byteorder = bigendian, &exportsourcedata;
+
+type GTPv1_Opt_Header = record {
+	seq:       uint16;
+	n_pdu:     uint8;
+	next_type: uint8;
+};
+
+type GTPv1_Ext_Header = record {
+	length:    uint8;
+	contents:  bytestring &length=(length * 4 - 2);
+	next_type: uint8;
+};
+
+enum InfoElementType {
+	TYPE_CAUSE                       = 1,
+	TYPE_IMSI                        = 2,
+	TYPE_RAI                         = 3,
+	TYPE_TLLI                        = 4,
+	TYPE_P_TMSI                      = 5,
+	TYPE_REORDER_REQ                 = 8,
+	TYPE_AUTHN_TRIPLET               = 9,
+	TYPE_MAP_CAUSE                   = 11,
+	TYPE_P_TMSI_SIG                  = 12,
+	TYPE_MS_VALID                    = 13,
+	TYPE_RECOVERY                    = 14,
+	TYPE_SELECTION_MODE              = 15,
+	TYPE_TEID1                       = 16,
+	TYPE_TEID_CONTROL_PLANE          = 17,
+	TYPE_TEID2                       = 18,
+	TYPE_TEARDOWN_IND                = 19,
+	TYPE_NSAPI                       = 20,
+	TYPE_RANAP_CAUSE                 = 21,
+	TYPE_RAB_CTX                     = 22,
+	TYPE_RADIO_PRIORITY_SMS          = 23,
+	TYPE_RADIO_PRIORITY              = 24,
+	TYPE_PACKET_FLOW_ID              = 25,
+	TYPE_CHARGING_CHARACTERISTICS    = 26,
+	TYPE_TRACE_REFERENCE             = 27,
+	TYPE_TRACE_TYPE                  = 28,
+	TYPE_MS_NOT_REACHABLE_REASON     = 29,
+	TYPE_CHARGING_ID                 = 127,
+	TYPE_END_USER_ADDR               = 128,
+	TYPE_MM_CTX                      = 129,
+	TYPE_PDP_CTX                     = 130,
+	TYPE_ACCESS_POINT_NAME           = 131,
+	TYPE_PROTO_CONFIG_OPTIONS        = 132,
+	TYPE_GSN_ADDR                    = 133,
+	TYPE_MSISDN                      = 134,
+	TYPE_QOS_PROFILE                 = 135,
+	TYPE_AUTHN_QUINTUPLET            = 136,
+	TYPE_TRAFFIC_FLOW_TEMPLATE       = 137,
+	TYPE_TARGET_ID                   = 138,
+	TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
+	TYPE_RAB_SETUP_INFO              = 140,
+	TYPE_EXT_HEADER_TYPE_LIST        = 141,
+	TYPE_TRIGGER_ID                  = 142,
+	TYPE_OMC_ID                      = 143,
+	TYPE_CHARGING_GATEWAY_ADDR       = 251,
+	TYPE_PRIVATE_EXT                 = 255,
+};
+
+type InformationElement = record {
+	type: uint8;
+
+	len: case is_tlv of {
+		true  -> tlv_len: uint16;
+		false -> no_len:  empty;
+	};
+
+	value: case type of {
+		TYPE_CAUSE -> cause: Cause;
+		TYPE_IMSI -> imsi: IMSI;
+		TYPE_RAI -> rai: RAI;
+		TYPE_TLLI -> tlli: TLLI;
+		TYPE_P_TMSI -> p_tmsi: P_TMSI;
+		TYPE_REORDER_REQ -> reorder_req: ReorderReq;
+		TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
+		TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
+		TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
+		TYPE_MS_VALID -> ms_valid: MS_Valid;
+		TYPE_RECOVERY -> recovery: Recovery;
+		TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
+		TYPE_TEID1 -> teid1: TEID1;
+		TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
+		TYPE_TEID2 -> teid2: TEID2;
+		TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
+		TYPE_NSAPI -> nsapi: NSAPI;
+		TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
+		TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
+		TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
+		TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
+		TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
+		TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
+		TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
+		TYPE_TRACE_TYPE -> trace_type: TraceType;
+		TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
+		TYPE_CHARGING_ID -> charging_id: ChargingID;
+		TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
+		TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
+		TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
+		TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
+		TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
+		TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
+		TYPE_MSISDN -> msisdn: MSISDN(length);
+		TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
+		TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
+		TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
+		TYPE_TARGET_ID -> target_id: TargetID(length);
+		TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
+		TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
+		TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
+		TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
+		TYPE_OMC_ID -> omc_id: OMC_ID(length);
+		TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
+		TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
+		default -> unknown: bytestring &length=length;
+	} &requires(length);
+
+} &let {
+	is_tlv: bool = (type & 0x80);
+	length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
+};
+
+type Cause = record {
+	value: uint8;
+};
+
+function decode_imsi(v: uint8[8]): uint64
+	%{
+	uint64 rval = 0;
+	uint8 digits[16];
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
+		digits[2 * i] = (*v)[i] & 0x0f;
+		}
+	int power = 0;
+	for ( int i = 15; i >= 0; --i )
+		{
+		if ( digits[i] == 0x0f ) continue;
+		rval += digits[i] * pow(10, power);
+		++power;
+		}
+	return rval;
+	%}
+
+type IMSI = record {
+	tbcd_encoded_value: uint8[8];
+} &let {
+	value: uint64 = decode_imsi(tbcd_encoded_value);
+};
+
+type RAI = record {
+	mcc2_mcc1: uint8;
+	mnc3_mcc3: uint8;
+	mnc2_mnc1: uint8;
+	lac: uint16;
+	rac: uint8;
+} &let {
+	mcc1: uint8 = (mcc2_mcc1 & 0x0f);
+	mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
+	mcc3: uint8 = (mnc3_mcc3 & 0x0f);
+	mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
+	mnc1: uint8 = (mnc2_mnc1 & 0x0f);
+	mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
+	mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
+	mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
+};
+
+type TLLI = record {
+	value: uint32;
+};
+
+type P_TMSI = record {
+	value: uint32;
+};
+
+type ReorderReq = record {
+	value: uint8;
+} &let {
+	req: bool = value & 0x01;
+};
+
+type AuthN_Triplet = record {
+	rand: bytestring &length=16;
+	sres: uint32;
+	kc: uint64;
+};
+
+type MAP_Cause = record {
+	value: uint8;
+};
+
+type P_TMSI_Sig = record {
+	value: bytestring &length=3;
+};
+
+type MS_Valid = record {
+	value: uint8;
+};
+
+type Recovery = record {
+	restart_counter: uint8;
+};
+
+type SelectionMode = record {
+	value: uint8;
+} &let {
+	mode: uint8 = value & 0x01;
+};
+
+type TEID1 = record {
+	value: uint32;
+};
+
+type TEID_ControlPlane = record {
+	value: uint32;
+};
+
+type TEID2 = record {
+	spare_nsapi: uint8;
+	teid2: uint32;
+};
+
+type TeardownInd = record {
+	value: uint8;
+} &let {
+	ind: bool = value & 0x01;
+};
+
+type NSAPI = record {
+	xxxx_nsapi: uint8;
+} &let {
+	nsapi: uint8 = xxxx_nsapi & 0x0f;
+};
+
+type RANAP_Cause = record {
+	value: uint8;
+};
+
+type RAB_Ctx = record {
+	spare_nsapi: uint8;
+	dl_gtpu_seq_num: uint16;
+	ul_gtpu_seq_num: uint16;
+	dl_pdcp_seq_num: uint16;
+	ul_pdcp_seq_num: uint16;
+};
+
+type RadioPrioritySMS = record {
+	value: uint8;
+};
+
+type RadioPriority = record {
+	nsapi_radio_priority: uint8;
+};
+
+type PacketFlowID = record {
+	rsv_nsapi: uint8;
+	packet_flow_id: uint8;
+};
+
+type ChargingCharacteristics = record {
+	value: uint16;
+};
+
+type TraceReference = record {
+	value: uint16;
+};
+
+type TraceType = record {
+	value: uint16;
+};
+
+type MS_Not_Reachable_Reason = record {
+	value: uint8;
+};
+
+type ChargingID = record {
+	value: uint32;
+};
+
+type EndUserAddr(n: uint16) = record {
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr: bytestring &length=(n-2);
+} &let {
+	pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
+};
+
+type MM_Ctx(n: uint16) = record {
+	spare_cksn_ksi: uint8;
+	security_params: uint8;
+
+	keys: case gsm_keys of {
+		true  -> kc: uint64;
+		false -> ck_ik: bytestring &length=32;
+	};
+
+	vector_len: case have_triplets of {
+		true  -> no_quint_len: empty;
+		false -> quint_len: uint16;
+	};
+
+	vectors: case have_triplets of {
+		true  -> triplets: AuthN_Triplet[num_vectors];
+		false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
+	} &requires(num_vectors);
+
+	drx_param: uint16;
+	ms_net_capability_len: uint8;
+	ms_net_capability: bytestring &length=ms_net_capability_len;
+	container_len: uint16;
+	container: bytestring &length=container_len;
+
+} &let {
+	security_mode: uint8 = security_params >> 6;
+	gsm_keys: bool = security_mode & 0x01;
+	have_triplets: bool = (security_mode == 1);
+	num_vectors: uint8 = (security_params & 0x38) >> 3;
+};
+
+type PDP_Ctx(n: uint16) = record {
+	rsv_nsapi:	uint8;
+	xxxx_sapi: uint8;
+	qos_sub_len: uint8;
+	qos_sub: QoS_Profile(qos_sub_len);
+	qos_req_len: uint8;
+	qos_req: QoS_Profile(qos_req_len);
+	qos_neg_len: uint8;
+	qos_neg: QoS_Profile(qos_neg_len);
+	snd: uint16;
+	snu: uint16;
+	send_npdu_num: uint8;
+	recv_npdu_num: uint8;
+	ul_teid_cp: TEID_ControlPlane;
+	ul_teid_data1: TEID1;
+	pdp_ctx_id: uint8;
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr_len: uint8;
+	pdp_addr: bytestring &length=pdp_addr_len;
+	ggsn_addr_control_plane_len: uint8;
+	ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
+	ggsn_addr_user_traffic_len: uint8;
+	ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
+	apn_len: uint8;
+	apn: AP_Name(apn_len);
+	spare_transaction_id: uint8;
+	transaction_id: uint8;
+};
+
+type AP_Name(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ProtoConfigOpts(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type GSN_Addr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type MSISDN(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type QoS_Profile(n: uint16) = record {
+	alloc_retention_priority: uint8;
+	data: bytestring &length=n-1;
+};
+
+type AuthN_Quintuplet(n: uint16) = record {
+	rand: bytestring &length=16;
+	xres_len: uint8;
+	xres: bytestring &length=xres_len;
+	ck: bytestring &length=16;
+	ik: bytestring &length=16;
+	autn_len: uint8;
+	autn: bytestring &length=autn_len;
+};
+
+type TrafficFlowTemplate(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type TargetID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type UTRAN_TransparentContainer(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type RAB_SetupInfo(n: uint16) = record {
+	xxxx_nsapi: uint8;
+
+	have_teid: case n of {
+		1 -> no_teid: empty;
+		default -> teid: TEID1;
+	};
+
+	have_addr: case n of {
+		1 -> no_addr: empty;
+		default -> rnc_addr: bytestring &length=n-5;
+	};
+};
+
+type ExtHdrTypeList(n: uint16) = record {
+	value: uint8[n];
+};
+
+type TriggerID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type OMC_ID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ChargingGatewayAddr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type PrivateExt(n: uint16) = record {
+	id: uint16;
+	value: bytestring &length=n-2;
+};
+
+function Get_IE_Len(t: uint8): uint16 =
+	case t of {
+	TYPE_CAUSE -> 1;
+	TYPE_IMSI -> 8;
+	TYPE_RAI -> 6;
+	TYPE_TLLI -> 4;
+	TYPE_P_TMSI -> 4;
+	TYPE_REORDER_REQ -> 1;
+	TYPE_AUTHN_TRIPLET -> 28;
+	TYPE_MAP_CAUSE -> 1;
+	TYPE_P_TMSI_SIG -> 3;
+	TYPE_MS_VALID -> 1;
+	TYPE_RECOVERY -> 1;
+	TYPE_SELECTION_MODE -> 1;
+	TYPE_TEID1 -> 4;
+	TYPE_TEID_CONTROL_PLANE -> 4;
+	TYPE_TEID2 -> 5;
+	TYPE_TEARDOWN_IND -> 1;
+	TYPE_NSAPI -> 1;
+	TYPE_RANAP_CAUSE -> 1;
+	TYPE_RAB_CTX -> 9;
+	TYPE_RADIO_PRIORITY_SMS -> 1;
+	TYPE_RADIO_PRIORITY -> 1;
+	TYPE_PACKET_FLOW_ID -> 2;
+	TYPE_CHARGING_CHARACTERISTICS -> 2;
+	TYPE_TRACE_REFERENCE -> 2;
+	TYPE_TRACE_TYPE -> 2;
+	TYPE_MS_NOT_REACHABLE_REASON -> 1;
+	TYPE_CHARGING_ID -> 4;
+	};

src/packet_analysis/protocol/gtpv1/gtpv1.pac

@@ -0,0 +1,18 @@
+%include binpac.pac
+%include zeek.pac
+
+%extern{
+#include "zeek/IP.h"
+#include "zeek/TunnelEncapsulation.h"
+#include "zeek/Reporter.h"
+
+#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
+%}
+
+analyzer GTPv1 withcontext {
+	connection:	GTPv1_Conn;
+	flow:		GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac