From 3710ff936fb9b4acdc121dd7dabb25170db56872 Mon Sep 17 00:00:00 2001
From: Damani Wade <damani.wade@corelight.com>
Date: Mon, 2 Jul 2018 09:18:37 -0400
Subject: [PATCH] Add Cisco FabricPath support

---
 src/iosource/Packet.cc                        |  14 ++++++
 .../Baseline/core.cisco-fabric-path/conn.log  |  41 ++++++++++++++++++
 testing/btest/Traces/cisco-fabric-path.pcap   | Bin 0 -> 10816 bytes
 testing/btest/core/cisco-fabric-path.bro      |   2 +
 4 files changed, 57 insertions(+)
 create mode 100644 testing/btest/Baseline/core.cisco-fabric-path/conn.log
 create mode 100644 testing/btest/Traces/cisco-fabric-path.pcap
 create mode 100644 testing/btest/core/cisco-fabric-path.bro

diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 5199765f51..3aa0e28b92 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -140,6 +140,20 @@ void Packet::ProcessLayer2()
 
 	case DLT_EN10MB:
 		{
+		// Skip past Cisco FabricPath to encapsulated ethernet frame.
+		if ( pdata[12] == 0x89 && pdata[13] == 0x03 )
+			{
+			auto constexpr cfplen = 16;
+
+			if ( pdata + cfplen + GetLinkHeaderSize(link_type) >= end_of_data )
+				{
+				Weird("truncated_link_header_cfp");
+				return;
+				}
+
+			pdata += cfplen;
+			}
+
 		// Get protocol being carried from the ethernet frame.
 		int protocol = (pdata[12] << 8) + pdata[13];
 
diff --git a/testing/btest/Baseline/core.cisco-fabric-path/conn.log b/testing/btest/Baseline/core.cisco-fabric-path/conn.log
new file mode 100644
index 0000000000..eae407aceb
--- /dev/null
+++ b/testing/btest/Baseline/core.cisco-fabric-path/conn.log
@@ -0,0 +1,41 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2018-07-09-14-17-29
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1529347003.860008	C7fIlMZDuRiqjpYbb	1.1.1.6	57005	2.2.2.2	48879	tcp	-	0.001018	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.861732	CykQaM33ztNt0csB9a	1.1.1.4	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.863372	CtxTCR2Yer0FR1tIBg	1.1.1.14	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.865002	CpmdRlaUoJLN3uIRa	1.1.1.12	57005	2.2.2.2	48879	tcp	-	0.000926	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.866648	C1Xkzz2MaGtLrc1Tla	1.1.1.0	57005	2.2.2.2	48879	tcp	-	0.001042	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.868394	CqlVyW1YwZ15RhTBc4	1.1.1.2	57005	2.2.2.2	48879	tcp	-	0.000920	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.870014	CLNN1k2QMum1aexUK7	1.1.1.8	57005	2.2.2.2	48879	tcp	-	0.000930	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.871649	CBA8792iHmnhPLksKa	1.1.1.10	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	-	-	0	S	2	80	0	0	-
+1529347003.873385	CGLPPc35OzDQij1XX8	1234::e	57005	5678::	48879	tcp	-	0.001139	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.875322	CiyBAq1bBLNaTiTAc	1234::c	57005	5678::	48879	tcp	-	0.001027	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.877182	CFSwNi4CNGxcuffo49	1234::6	57005	5678::	48879	tcp	-	0.001055	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.879034	Cipfzj1BEnhejw8cGf	1234::4	57005	5678::	48879	tcp	-	0.001018	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.881330	CV5WJ42jPYbNW9JNWf	1234::8	57005	5678::	48879	tcp	-	0.001029	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.883152	CPhDKt12KQPUVbQz06	1234::a	57005	5678::	48879	tcp	-	0.001005	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.884945	CAnFrb2Cvxr5T7quOc	1234::	57005	5678::	48879	tcp	-	0.001005	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.886751	C8rquZ3DjgNW06JGLl	1234::2	57005	5678::	48879	tcp	-	0.001120	0	0	S0	-	-	0	S	2	120	0	0	-
+1529347003.851951	CFLRIC3zaTU1loLGxh	1234::4	57005	5678::	48879	udp	-	0.000905	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.855232	Ck51lg1bScffFj34Ri	1234::a	57005	5678::	48879	udp	-	0.000894	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.839636	CtPZjS20MLrsMUOJi2	1.1.1.12	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.858393	CNnMIj2QSd84NKf7U3	1234::2	57005	5678::	48879	udp	-	0.000902	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.842649	CmES5u32sYpV7JYN	1.1.1.2	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.850367	C0LAHyvtKSQHyJxIl	1234::6	57005	5678::	48879	udp	-	0.000898	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.848776	CwjjYJ2WqgTbAqiHl6	1234::c	57005	5678::	48879	udp	-	0.000902	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.856801	C9mvWx3ezztgzcexV7	1234::	57005	5678::	48879	udp	-	0.000898	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.841103	CUM0KZ3MLUfNB0cl11	1.1.1.0	57005	2.2.2.2	48879	udp	-	0.000926	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.845524	C37jN32gN3y3AZzyf6	1.1.1.10	57005	2.2.2.2	48879	udp	-	0.000843	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.847079	C3eiCBGOLw3VtHfOj	1234::e	57005	5678::	48879	udp	-	0.001014	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.853544	C9rXSW3KSpTYvPrlI1	1234::8	57005	5678::	48879	udp	-	0.001010	0	0	S0	-	-	0	D	2	96	0	0	-
+1529347003.836659	ClEkJM2Vm5giqnMf4h	1.1.1.4	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.838130	C4J4Th3PJpwUYZZ6gc	1.1.1.14	57005	2.2.2.2	48879	udp	-	0.000880	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.844086	CP5puj4I8PtEU4qzYg	1.1.1.8	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	-	-	0	D	2	56	0	0	-
+1529347003.834704	CHhAvVGS1DHFjwGM9	1.1.1.6	57005	2.2.2.2	48879	udp	-	0.001243	0	0	S0	-	-	0	D	2	56	0	0	-
+#close	2018-07-09-14-17-29
diff --git a/testing/btest/Traces/cisco-fabric-path.pcap b/testing/btest/Traces/cisco-fabric-path.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f238a0600da0afbc78ddd92e65a588a2b72fa202
GIT binary patch
literal 10816
zcmb{13sg<{9>DQ^-btkpN-A%;>5@dIIE5IGp14U!NfAmKmC%D!B%zUzR|YAKlA#b$
zLi8A<ZVDlJET<SGLwEoFJ$`4K_I1w6S?jEj_5FW-r`r2h-MyNAh)eOQ)<;tlMRDlA
zoc}y{Zp;NG%9Q>yJY9EspUtN<QyQy}|D`}pq9`r+Z(=pyYa9+o$fX}uC$lA#f|GG;
z3Ex7?GY4DmY)h?Ns9jc<tnB(k@><$TvbCW#G8bFg2Ck!gIX2eMJ^!7?a9yWed@0u$
z^tAp7TA}&aI{Rt2YCWg0w&+8mCAdhtOtv<(-rm5L_UN+B&fKmy&&}L+oZ-r*T`E#8
zgH{c`g_g^0Y<X_ATam!^uDx&l`vu~Hwx(=tXx%Ns*1qclL#%nT98I=_YcpJzX_u0e
zYdCsZ{{*f6cd+&7OSt4IZ{NtjtE}9>McT=-wV}1`9=3+8ol&r#Kb?DKby-)2>lW>z
zq+IaH_{{@a!^*LhySLiwIX`)Ch1ZI1;3DnOvbCWVUxBR|afQQj1cl`r-uLLoaNVR`
zz-s-xANvi8{wuWZS7B?HlZCyGAbVKaZ=L6Wi?rv<)`phxV{8plvtPGY=pxQ=DeT2?
z<<c$%DVI_EF5jovI_V_&tx9-C>9^@WdxDF!hsxFl*WDUyy}lSWGgIXF@tS_)b%yH-
z?NXF-8Mg1zd5JBj8HcT1Mb@i32aQMr7ilZV)&|$}*Gkkl`WSdVf8yeOirR6o%b0Yt
zO_k1YxPqFvEA!P+ne7knz(?~n?b9ZxRn{p{R`k2zxw$SQau$`DvtUp{FOZS?ypGf(
z-k~+rK!1rTXK74H`rEs#RwWi|1Xxu*qIKj?Zx1Zw_!%i?CVGLD)KfZAzw`;ML;r{p
z58z&&uwZ-VUaVFji!~ao=3me{c30nGAMP4;<;rpMz)I?c9jQy2(5icQU%%D7Uy6Ro
z=o-js<+E60!0OLaZu=Zikz7{};u+nW7TLHTtfU^+k@^s!a@*%?r)TF^p5d=*I{P27
zJ*!oL#To@xO+~ccj$hg>lizEVMa1i)U?uhVj?^zJq4m}ZU1LW<aYK_!#Y|SKB8zo1
zSjVZN^?5IA_Y%RIs>tpRx?m;sP93Q~?uyp(eH-u93w`s)s8;k~wNfnBSg^YGK&$uK
z9mUnc%w(;}DaXJ{>bE;m*U&)gUs|WLr-<y+ixWSyU$eL@)*WCypoP|PPrGRHM8hL5
zCC!)uR#NxrNZmt6xotm;-(9pSk_wISzBKt5x$X}k`=QV`kG}5Xe%Nwpwc+YguiNgJ
zAa&`lOj*+Jg{S(9FZ)6$3+sZ=l%*gg?N{=)p*mm?3cZ89#XUKGuN~92zh?;ZX(4Wk
z(!#b~16sLyD4aYcBsZE9S?o3CObG}{J6_&4RHO7!IDCAO_jzu>{tLIg^clj7v=Dbj
zX<^%46k7VjQE1#}kz**=d-ny0!OuZR+ClQRq59Ggg@awSkFMrzPc}b0cP2x4i5BAa
zC@pNe!$K><7==4i(^5-$VV2VsD|Ug9v^UDzhN^=J3SYdn+?vdf)`)GGJ)R*fpoO?c
zN(;p;e<AzYQZp19MtoAY<L{E#^_Z*-Lefr>w++IfVifX^xHaktG%9q?HH={hZ_q+m
zkeWA2X(22y<N>WK6HxdtOtog7ps$-(nP(jcNn0du8>;IqQP_!lU?ER9wa4`tCCxi;
z>(}yCT8O)4i-~+Kw|#d7E#0Xoypg4m{7QH)vfkuF83;++L*6!2A5TZ2(J~vYXwgN5
zM^OWNGG4<RT8LYww6N{_QfP(PppdU|CBs9Mr5Af=t`P`HJ5$~^RFmwLsj2jt@XWN(
z^_oSUI+bOgH=*S|(_JXrzA2@S+|vAAgqDLc<w*ZKJnvsi@pY$iJ%k$$%>^$x>F|#_
zY3y8_VR80=#Q~hX%eQU0R?a#@`+KPL3|pILFk65#r1Vu#ROGmgl&p&%1T&D6GJn)b
z>s@e$*!SJej^TP33wKwAu+Gr_ekwh~&gK~s7UK-Z>xz?k+#5E|C$4>k8OTW!e$+`>
zOK^twR=rajcp-tEqi;`VouU1`ReFYBn`g*ajx$UddZ^Zi*MEG>l;Slo1378tk2)#c
z2WR**_4=J&{1}a8PW`M{XJ~()m7ZaH^9*NK;|xmG23iUHJ5?hdE;57}$Vu@(>ZIZT
zoWUn>SJ_d4Z6|RWubOp+_V--r8MZagaB&^ZuxT2lrXr9$(g-;~elkE#()v*+l?3Aq
z!FAm(ofYa-j-2}?l68jm_h0E5;+tp4-iR~YRCpD<R=9Tisk~Bm_&AW0YJb#855sYW
zi125HW+DTh_j~6$u+Gr_UMxLBT=NX$qi_bL@m&(qL{!L;sPuZ6ft(cnqfWXSjd!qP
z$vqC3P<QKfkMgdPJD4unmpA%a(|0h&zHGHHdrb?w<qh0xw07Y42~jKa)4ot9C)dqa
z&IL7T=g8WIT6`?Z99OR4uH&eu@3E(H7&2R0#@LhFmvMHZ?B%(Xe_3-pvJ3B@hyxjE
zKasT!vfw=^6ZKt_q0X&(QW-}1F=Ufz8Dl?gUsjrcvfd}dB8s>l9**REtO6NnYs=aO
zncYE@RsLx-M3?7ichg|^GluMETE^Im+n1>yk&<Z^{H?_En-pm5My|=Ey+hVE$P$mD
z>~r5FqgehV7n{;i2N|+iw2ZM2w=Zi<LfQJve^*8DH|2dyizh!tAZ=e++aU8#L0ORL
zHi^67%*13T+Z7C%JuPGG!R^Zme@EG;46$&mKu_PdadQ%UG)cQa);7qdq@yfjhp5p^
z7;HK3;<=>^*$i67*niuXP51+4lXY@Kf`qTLl59;CK}Oo4vbI51lZi5prjOe&(enw0
z<K};6$fnUU#@^e$Y{n&&t>4r?Xrbu*f`gX1)*vJ8U|HKB+kZuwvY@X?@La0%w6v0X
zyRE<Z!n&4gveHJG_g&CJ(KKI~vZHJ8T-@2^cm$<*a!-;rxpt5fBpp3r{Y^B7IoEh@
z-~^hx?h316HM8!wt>&}0(L7H@Au*5>taCM?q#RyTazgixo={hW=F|a`Is3UT*VJ;N
zzOb5E_t{o6=MI|JjTrdm7T3S`i9hwoeVd#R(a{sk@1a@srJ}AoZ_Eja{k}e|X4d_+
z)qJiD&G8`%UKH@`xu=5S?!)U$PPp9B6W;z8%?_0f6XW<#dOmru{VS`Pbzf~Y^QzFi
z-2aOA0)F(Z@M$&k!AwqA-O&@w9-%q0x^HiZV3gjrxKAfo&8+)rtJ(eunoZ+uvJMJr
z1DyTxwZKeHnAy=2wmw7iHD{;DheG>3owdD<Sk0{aXsh{fEt-#YuQd!1RvK(N^0^4i
z<OG9`o>2Z0&4~t^1zDneC#$^K{;X!!{j=3<^9IdphIp?q6z$3w^|74%hL@bMzN07D
z)#06EOX$9!8Y+3s$@QfH<j&EZ?3=E>KJ=YK6>himC70y^SLTWDuqByj$+Mv5jE_HZ
zK?Po6(jF&U8(J3cu@(PIZ%ZAH@R8|ZJ#~gFgm#fNfCWYWGqeUaU@Nt2pAm%|$2lv0
z&3gkb(k_s#4K3Y9Y<VR(&YsA<ULDgfyoTX2q**rKf4v(2##Z+Xv2QF_tK8j_vkY9M
zEs?Dau7<DJ(&+hMUMSCdjhU}@Cx*+McA0<QRl-qe`<Z=mg^u7S-kdQdCj<PzMcVPQ
zwZZk6hb{M_l0&xqd3((#ZQjmsh0-pvXa4_>;}8+He9qN3T;`iO`NvMm0~cvm$<_wf
z;7-`GsmrY_7cAOR6KKDg;aW+%)V}|Eag?w%&?V==T7l%N>O$)raFKSlY;ABgDP!w#
z)}rO_h3Bq}c376da9PkU@%LT#Rk5|{g0sgG;fJL`cD@zhB5fzx+T`Qd6<hUwU+ss9
zOiolU(r{zAM$j(X@4L>cV=H>O!icG&7g6Hr2cLqAv^8aGgKJ|?Y?<!N`uRLHIA}t8
ztzXMEmva4fzqI-GcVW$+bI{V&RB8MDQsFFva0g1fD6!Y)_uwLJ19{s}ecBs^8$CH&
z#2n4rHEw^ovkJ}Gg|D?yI3cT!Z^N0MweWO60SHMuP~J8OQ*}{TV)l342JWiOR=lLq
ztU^_G;q3k>JbWYb^kMGMW4c$lD?v!w3*>Esu;)M&_Eg9TPT+~2&9_W;VHI-Ng{gy4
zSUPE9V>ez!L_oK<Y9J)-f%3LNxJ(a)e$M@m2>GW^dtQpkWEG0pg#vvP`p1bSOZa=1
zXL{}<_bbv~B5xanxx-LcKTbSxr{Kkam<=XntU_CM;k@A}{6p*GN;N^Hr1bf#S@0T?
z_9%JVARKOpLK~%qW3z;LeaC(|)cSkve||0hW9P%KWrI;D?DD25=b<p#mNV7E0)(Wk
zCvO{s5@Qs;b6pnaA+qC4R8!r;`WmXSzlPx^C>$LdX!=ZKV><Gn0r@_gwEM{02I0D~
yC_JF|Q-OI??3`HrtI6^7Ph;hIK+Dq<Tff&IDSg!RX3+2pArIg+B<&*E+W!NB&4lp)

literal 0
HcmV?d00001

diff --git a/testing/btest/core/cisco-fabric-path.bro b/testing/btest/core/cisco-fabric-path.bro
new file mode 100644
index 0000000000..ff7fa298e3
--- /dev/null
+++ b/testing/btest/core/cisco-fabric-path.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/cisco-fabric-path.pcap
+# @TEST-EXEC: btest-diff conn.log