Move ARP analysis into packet analyzer.

2025-10-04 07:38:19 +00:00 · 2020-08-28 16:27:53 +02:00 · 2020-08-28 16:27:53 +02:00 · 24babf096e
commit 24babf096e
parent 0ec7516602
17 changed files with 238 additions and 368 deletions
--- a/src/packet_analysis/protocol/arp/ARP.h
+++ b/src/packet_analysis/protocol/arp/ARP.h
@ -5,6 +5,12 @@
 #include <packet_analysis/Analyzer.h>
 #include <packet_analysis/Component.h>

+#include <net/if_arp.h>
+
+#ifndef arp_pkthdr
+#define arp_pkthdr arphdr
+#endif
+
 namespace zeek::packet_analysis::ARP {

 class ARPAnalyzer : public Analyzer {
@ -18,6 +24,15 @@ public:
 		{
 		return std::make_shared<ARPAnalyzer>();
 		}
+
+private:
+	zeek::AddrValPtr ToAddrVal(const void* addr);
+	zeek::StringValPtr ToEthAddrStr(const u_char* addr);
+
+	void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...)
+			__attribute__((format(printf, 3, 4)));
+	void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
+			const char* spa, const char* sha, const char* tpa, const char* tha);
 };

 }