Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

packet_analysis: Track data spans of packet analyzers

Browse source 
Do not just track the analyzer instance in the stack, but also the
data span it is given. This allows to extract more information on-demand
during event processing.

TrackAnalyzer() is technically a public API, but no one should use it
outside of the Analyzer's Forward methods itself.
This commit is contained in:
Arne Welzel 2025-02-14 17:25:39 -08:00
parent 0bc0104eb2
commit 2dc98acd1f
3 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/packet_analysis/Manager.cc
View file

@ -232,7 +232,7 @@ zeek::VectorValPtr Manager::BuildAnalyzerHistory() const {
auto history = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
for ( unsigned int i = 0; i < analyzer_stack.size(); i++ ) {
auto analyzer_name = analyzer_stack[i]->GetAnalyzerName();
auto analyzer_name = analyzer_stack[i].analyzer->GetAnalyzerName();
history->Assign(i, make_intrusive<StringVal>(analyzer_name));
}
@ -249,3 +249,13 @@ void Manager::ReportUnknownProtocol(const std::string& analyzer, uint32_t protoc
}
}
}
std::vector<zeek::Span<const uint8_t>> Manager::GetAnalyzerData(const AnalyzerPtr& analyzer) {
std::vector<zeek::Span<const uint8_t>> result;
for ( const auto [sa, span] : analyzer_stack ) {
if ( sa == analyzer.get() )
result.push_back(span);
}
return result;
}