Add PBB (802.1ah) support

scripts/base/packet-protocols/__load__.zeek

@@ -15,6 +15,7 @@
 @load base/packet-protocols/pppoe
 @load base/packet-protocols/vlan
 @load base/packet-protocols/mpls
+@load base/packet-protocols/pbb
 @load base/packet-protocols/vntag
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp

scripts/base/packet-protocols/ethernet/main.zeek

@@ -12,6 +12,7 @@ export {
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88E7, PacketAnalyzer::ANALYZER_PBB);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
@@ -21,4 +22,4 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
-	}
+	}

scripts/base/packet-protocols/pbb/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/pbb/main.zeek

@@ -0,0 +1,11 @@
+module PacketAnalyzer::PBB;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+	}

scripts/base/packet-protocols/vlan/main.zeek

@@ -3,6 +3,7 @@ module PacketAnalyzer::VLAN;
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x88E7, PacketAnalyzer::ANALYZER_PBB);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0800, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x86DD, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0806, PacketAnalyzer::ANALYZER_ARP);

src/packet_analysis/protocol/CMakeLists.txt

@@ -11,6 +11,7 @@ add_subdirectory(ieee802_11_radio)
 add_subdirectory(fddi)
 add_subdirectory(nflog)
 add_subdirectory(mpls)
+add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
 

src/packet_analysis/protocol/pbb/CMakeLists.txt

@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer PBB)
+zeek_plugin_cc(PBB.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/pbb/PBB.cc

@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/pbb/PBB.h"
+
+using namespace zeek::packet_analysis::PBB;
+
+PBBAnalyzer::PBBAnalyzer() : zeek::packet_analysis::Analyzer("PBB") { }
+
+bool PBBAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	const uint8_t pbb_header_len = 18;
+	const uint8_t etype_offset = pbb_header_len - 2;
+	if ( pbb_header_len >= len )
+		{
+		Weird("truncated_PBB_header", packet);
+		return false;
+		}
+
+	uint32_t protocol = ((data[etype_offset] << 8u) + data[etype_offset+1]);
+	packet->eth_type = protocol;
+	// Skip the PBB header
+	return ForwardPacket(len - pbb_header_len, data + pbb_header_len, packet, protocol);
+	}

src/packet_analysis/protocol/pbb/PBB.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::PBB
+	{
+
+class PBBAnalyzer : public Analyzer
+	{
+public:
+	PBBAnalyzer();
+	~PBBAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<PBBAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/pbb/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/pbb/PBB.h"
+
+namespace zeek::plugin::Zeek_PBB
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"PBB", zeek::packet_analysis::PBB::PBBAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::PBB";
+		config.description = "PBB packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}