From 32afbae9db4f2a85323104783507da2c5b38f227 Mon Sep 17 00:00:00 2001
From: Eldon Koyle <eldon.koyle@corelight.com>
Date: Thu, 16 Feb 2023 19:39:27 -0700
Subject: [PATCH] Use a default analyzer

Use a default analyzer instead of hardcoding a protocol number.
---
 scripts/base/packet-protocols/pbb/main.zeek | 8 ++++----
 src/packet_analysis/protocol/pbb/PBB.cc     | 6 ++----
 testing/btest/Baseline/plugins.hooks/output | 3 ---
 3 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/scripts/base/packet-protocols/pbb/main.zeek b/scripts/base/packet-protocols/pbb/main.zeek
index 4377b3c595..1c4c925dd2 100644
--- a/scripts/base/packet-protocols/pbb/main.zeek
+++ b/scripts/base/packet-protocols/pbb/main.zeek
@@ -1,6 +1,6 @@
 module PacketAnalyzer::PBB;
 
-event zeek_init() &priority=20
-	{
-	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 0x6558, PacketAnalyzer::ANALYZER_ETHERNET);
-	}
+export {
+	## Default analyzer
+	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
+}
diff --git a/src/packet_analysis/protocol/pbb/PBB.cc b/src/packet_analysis/protocol/pbb/PBB.cc
index dc9b4684b8..e13141dcf3 100644
--- a/src/packet_analysis/protocol/pbb/PBB.cc
+++ b/src/packet_analysis/protocol/pbb/PBB.cc
@@ -7,8 +7,6 @@ using namespace zeek::packet_analysis::PBB;
 constexpr int PBB_LEN = 18;
 constexpr int PBB_C_DST_OFF = 4;
 
-constexpr int PROTO_TEB = 0x6558;
-
 PBBAnalyzer::PBBAnalyzer() : zeek::packet_analysis::Analyzer("PBB") { }
 
 bool PBBAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
@@ -19,6 +17,6 @@ bool PBBAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
-	// this looks an awful lot like ethernet from here on out
-	return ForwardPacket(len - PBB_C_DST_OFF, data + PBB_C_DST_OFF, packet, PROTO_TEB);
+	// pass this on to the ethernet analyzer
+	return ForwardPacket(len - PBB_C_DST_OFF, data + PBB_C_DST_OFF, packet);
 	}
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 6a65bfe627..9ec9d98fe8 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -673,7 +673,6 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PBB, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -2243,7 +2242,6 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PBB, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP))
@@ -3812,7 +3810,6 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PBB, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)