diff --git a/src/Sessions.cc b/src/Sessions.cc
index 79014f2808..7dd33362a9 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -85,7 +85,6 @@ NetSessions::NetSessions()
 packet_filter = nullptr;
- dump_this_packet = false;
 num_packets_processed = 0;
 static auto pkt_profile_file = id::find_val("pkt_profile_file");
@@ -132,10 +131,15 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 ++num_packets_processed;
- dump_this_packet = false;
-
- if ( zeek::detail::record_all_packets )
+ bool dumped_packet = false;
+ if ( pkt->dump_packet || zeek::detail::record_all_packets )
+ {
 DumpPacket(pkt);
+ dumped_packet = true;
+ }
+
+ if ( ! pkt->session_analysis )
+ return;
 if ( pkt->hdr_size > pkt->cap_len )
 {
@@ -153,7 +157,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 return;
 }
- const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size);
+ auto ip = (const struct ip*) (pkt->data + pkt->hdr_size);
 IP_Hdr ip_hdr(ip, false);
 DoNextPacket(t, pkt, &ip_hdr, nullptr);
 }
@@ -170,19 +174,14 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 DoNextPacket(t, pkt, &ip_hdr, nullptr);
 }
- else if ( pkt->l3_proto == L3_ARP )
- {
- // Do nothing here as ARP has moved into a packet analyzer
- //TODO: Revisit the use of packet's l3_proto
- }
-
 else
 {
 Weird("unknown_packet_type", pkt);
 return;
 }
- if ( dump_this_packet && ! zeek::detail::record_all_packets )
+ // Check whether packet should be recorded based on session analysis
+ if ( pkt->dump_packet && ! dumped_packet )
 DumpPacket(pkt);
 }
@@ -283,7 +282,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 if ( ip_hdr->IsFragment() )
 {
- dump_this_packet = true; // always record fragments
+ pkt->dump_packet = true; // always record fragments
 if ( caplen < len )
 {
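Review bot: In the @@ -170,19 hunk of NetSessions::NextPacket, the `pkt->dump_packet` that `Weird("unknown_packet_type", pkt)` sets (via the NetSessions::Weird hunk later in this file) can never take effect, because the branch executes `return;` before the new `if ( pkt->dump_packet && ! dumped_packet )` check; the `return;` visible in the @@ -153 hunk looks like the same gap for the truncated-header path, though that branch starts outside what the hunk shows. The old dump_this_packet logic had the same hole, but since this commit reworks the recording decision it is the moment to close it: as far as the hunk shows, nothing but the record check follows the if/else chain, so dropping the `return;` in the unknown_packet_type branch lets a weird-flagged packet be recorded. If the early returns are intentional, the new comment should say so, e.g. `// Packets flagged by Weird() on an early-return path above are not recorded here.`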
@@ -326,7 +325,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 // there, it's always the last.
 if ( ip_hdr->LastHeader() == IPPROTO_ESP )
 {
- dump_this_packet = true;
+ pkt->dump_packet = true;
 if ( esp_packet )
 event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal());
@@ -728,7 +727,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 else if ( record_packet )
 {
 if ( record_content )
- dump_this_packet = true; // save the whole thing
+ pkt->dump_packet = true; // save the whole thing
 else
 {
@@ -1322,7 +1321,7 @@ void NetSessions::Weird(const char* name, const Packet* pkt,
 const EncapsulationStack* encap, const char* addl)
 {
 if ( pkt )
- dump_this_packet = true;
+ pkt->dump_packet = true;
 if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
 reporter->Weird(util::fmt("%s_in_tunnel", name), addl);
diff --git a/src/Sessions.h b/src/Sessions.h
index 8539fe4b0b..277e637ae7 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -239,7 +239,6 @@ protected:
 detail::PacketFilter* packet_filter;
 uint64_t num_packets_processed;
 detail::PacketProfiler* pkt_profiler;
- bool dump_this_packet; // if true, current packet should be recorded
 };
 namespace detail {
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 7b40c75e43..3d530fea3b 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -61,8 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,
 if ( data )
 {
- // From here we assume that layer 2 is valid. If a packet analyzer encounters
- // an issue, it will call Packet::Weird(), which sets l2_valid to false.
+ // From here we assume that layer 2 is valid. If the packet analysis fails,
+ // the packet manager will invalidate the packet.
 l2_valid = true;
 packet_mgr->ProcessPacket(this);
 }
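Review bot: The Packet::Init hunk sets `l2_valid = true` before handing the packet to packet_mgr, but does not reset the two new flags `session_analysis` and `dump_packet`, which Packet.h initialises only at construction. If the same Packet object is re-initialised for successive captured packets (Init's shape suggests that, but its caller is outside this diff), a stale `session_analysis` from an earlier IPv4/IPv6/MPLS frame would push a later non-IP frame into NetSessions::NextPacket and end in the unknown_packet_type weird, and a stale `dump_packet` would record packets nobody flagged. Resetting both next to the existing assignment, `session_analysis = false; dump_packet = false;`, makes every packet start from a known state regardless of object reuse. The Sessions.cc hunks on this line only relocate the flag and need no change.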
@@ -76,7 +76,6 @@ const IP_Hdr Packet::IP() const
 void Packet::Weird(const char* name)
 {
 sessions->Weird(name, this);
- l2_valid = false;
 }
 IntrusivePtr Packet::ToRawPktHdrVal() const
@@ -99,6 +98,7 @@ IntrusivePtr Packet::ToRawPktHdrVal() const
 else if ( l3_proto == L3_ARP )
 l3 = BifEnum::L3_ARP;
+ // TODO: Get rid of hardcoded l3 protocols.
 // l2_hdr layout:
 // encap: link_encap; ##< L2 link encapsulation
 // len: count; ##< Total frame length on wire
@@ -169,32 +169,4 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const
 return make_intrusive(buf);
 }
-void Packet::Describe(ODesc* d) const
- {
- switch ( l3_proto )
- {
- case L3_ARP:
- d->Add("ARP");
- break;
- case L3_IPV4:
- d->Add("IPv4");
- break;
- case L3_IPV6:
- d->Add("IPv6");
- break;
- default:
- d->Add("Unknown L3 protocol");
- }
- // Add IP-specific information
- if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 )
- {
- const IP_Hdr ip = IP();
- d->Add(": ");
- d->Add(ip.SrcAddr());
- d->Add("->");
- d->Add(ip.DstAddr());
- }
- }
-
 } // namespace zeek
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index dfe5d86562..fe1968038f 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -125,6 +125,14 @@ public:
 return l2_valid;
 }
+ /**
+ * Signals that the processing of layer 2 failed.
+ */
+ void InvalidateLayer2()
+ {
+ l2_valid = false;
+ }
+
 /**
 * Interprets the Layer 3 of the packet as IP and returns a
 * corresponding object.
@@ -140,11 +148,6 @@ public:
 [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]]
 RecordVal* BuildPktHdrVal() const;
- /**
- * Describes the packet, with standard signature.
- */
- void Describe(ODesc* d) const;
-
 /**
 * Maximal length of a layer 2 address.
 */
@@ -221,6 +224,17 @@ public:
 */
 bool l3_checksummed;
+ /**
+ * Indicates whether the packet should be processed by zeek's
+ * session analysis in NetSessions.
+ */
+ bool session_analysis = false;
+
+ /**
+ * Indicates whether this packet should be recorded.
+ */
+ mutable bool dump_packet = false;
+
 // Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it.
 void Weird(const char* name);
diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc
index 3262e22fe9..5dcb9a900e 100644
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@@ -57,7 +57,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const
 return dispatcher.Lookup(identifier);
 }
-AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
+bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
 uint32_t identifier) const
 {
 auto inner_analyzer = Lookup(identifier);
@@ -69,7 +69,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", GetAnalyzerName(), identifier);
 packet->Weird("no_suitable_analyzer_found");
- return AnalyzerResult::Failed;
+ return false;
 }
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
@@ -77,7 +77,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 return inner_analyzer->AnalyzePacket(len, data, packet);
 }
-AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
+bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
 {
 if ( default_analyzer )
 return default_analyzer->AnalyzePacket(len, data, packet);
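Review bot: The doc comments on the two new Packet members do not say who writes them or why `dump_packet` is `mutable`; a reader of Packet.h cannot tell that `session_analysis` is set by the IPv4, IPv6 and MPLS analyzers and consumed by NetSessions::NextPacket, nor that `dump_packet` is set through a `const Packet*` by NetSessions::Weird() and DoNextPacket and read once after the session pass. Suggest `/** Set by the L3 analyzers that hand off to NetSessions (IPv4, IPv6, MPLS); NextPacket returns early when false. */` for the first and `/** Set, possibly via a const Packet* (hence mutable), by NetSessions::Weird() and DoNextPacket; read in NextPacket after session analysis. */` for the second. A public mutable flag also means any holder of a `const Packet*` can toggle recording, so a small `void MarkForRecording() const` would at least make those writes greppable.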
@@ -85,7 +85,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName());
 packet->Weird("no_suitable_analyzer_found");
- return AnalyzerResult::Terminate;
+ return true;
 }
 }
\ No newline at end of file
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 82ddf3a686..8faaeab169 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -8,15 +8,8 @@ namespace zeek::packet_analysis {
 /**
- * Result of packet analysis.
+ * Main packet analyzer interface.
 */
-enum class AnalyzerResult {
- Failed, // Analysis failed
- Terminate // Analysis succeeded and there is no further analysis to do
-};
-
-using AnalysisResultTuple = std::tuple;
-
 class Analyzer {
 public:
 /**
@@ -93,9 +86,9 @@ public:
 * @param data Pointer to the input to process.
 * @param packet Object that maintains the packet's meta data.
 *
- * @return The outcome of the analysis.
+ * @return false if the analysis failed, else true.
 */
- virtual AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data,
+ virtual bool AnalyzePacket(size_t len, const uint8_t* data,
 Packet* packet) = 0;
 protected:
@@ -119,9 +112,9 @@ protected:
 * @param data Reference to the payload pointer into the raw packet.
 * @param identifier The identifier of the encapsulated protocol.
 *
- * @return The outcome of the analysis.
+ * @return false if the analysis failed, else true.
 */
- AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
+ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
 uint32_t identifier) const;
 /**
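Review bot: ForwardPacket's no-default-analyzer path reports `no_suitable_analyzer_found` and then returns `true`, so under the new Manager::ProcessPacket contract the packet counts as successfully analysed and keeps l2_valid, whereas the identifier-based overload in the previous hunk returns `false` for the very same weird. With Packet::Weird no longer clearing l2_valid (Packet.cc hunk), nothing marks this packet invalid any more, and the enclosing function's opening lines are outside this hunk. If a frame whose inner protocol could not be dispatched is meant to stay a valid L2 frame, a comment above the return such as `// Nothing to dispatch to: the frame itself was fine, so do not invalidate L2.` would stop the next reader from "fixing" it; otherwise it should be `return false;` like its sibling. The file also ends without a trailing newline.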
@@ -131,9 +124,9 @@ protected:
 * @param packet The packet to analyze.
 * @param data Reference to the payload pointer into the raw packet.
 *
- * @return The outcome of the analysis.
+ * @return false if the analysis failed, else true.
 */
- AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
+ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
 private:
 Tag tag;
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 7e44c10883..0d71632574 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -128,7 +128,8 @@ void Manager::ProcessPacket(Packet* packet)
 return;
 }
- auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet);
+ if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
+ packet->InvalidateLayer2();
 }
 AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc
index c38cea1d34..651c29d167 100644
--- a/src/packet_analysis/protocol/arp/ARP.cc
+++ b/src/packet_analysis/protocol/arp/ARP.cc
@@ -81,8 +81,7 @@ ARPAnalyzer::ARPAnalyzer()
 #define ARPOP_INVREPLY ARPOP_InREPLY
 #endif
-zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 packet->l3_proto = L3_ARP;
@@ -90,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 if ( sizeof(struct arp_pkthdr) > len )
 {
 packet->Weird("truncated_ARP");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
@@ -101,7 +100,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 if ( min_length > len )
 {
 packet->Weird("truncated_ARP");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Check the address description fields.
@@ -112,7 +111,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 // don't know how to handle the opcode
 BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", ntohs(ah->ar_hrd), ah->ar_hln);
- return AnalyzerResult::Failed;
+ return false;
 }
 break;
@@ -120,7 +119,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 {
 // don't know how to proceed
 BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
- return AnalyzerResult::Failed;
+ return false;
 }
 }
@@ -132,7 +131,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 // don't know how to handle the opcode
 BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)", ntohs(ah->ar_pro), ah->ar_pln);
- return AnalyzerResult::Failed;
+ return false;
 }
 break;
@@ -140,7 +139,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 {
 // don't know how to proceed
 BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
- return AnalyzerResult::Failed;
+ return false;
 }
 }
@@ -149,7 +148,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 )
 {
 BadARPEvent(ah, "weird-arp-sha");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Check the code is supported.
@@ -171,20 +170,20 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 {
 // don't know how to handle the opcode
 BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
- return AnalyzerResult::Failed;
+ return false;
 }
 default:
 {
 // invalid opcode
 BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
- return AnalyzerResult::Failed;
+ return false;
 }
 }
 // Leave packet analyzer land
- return AnalyzerResult::Terminate;
+ return true;
 }
 zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr)
diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h
index f38ed5ff27..710821cb68 100644
--- a/src/packet_analysis/protocol/arp/ARP.h
+++ b/src/packet_analysis/protocol/arp/ARP.h
@@ -18,7 +18,7 @@ public:
 ARPAnalyzer();
 ~ARPAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc
index 0bced04b4a..cec9d90288 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
@@ -31,15 +31,14 @@ zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::str
 return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
 }
-zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 // Make sure that we actually got an entire ethernet header before trying
 // to pull bytes out of it.
 if ( 16 >= len )
 {
 packet->Weird("truncated_ethernet_frame");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Skip past Cisco FabricPath to encapsulated ethernet frame.
@@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 if ( cfplen + 14 >= len )
 {
 packet->Weird("truncated_link_header_cfp");
- return AnalyzerResult::Failed;
+ return false;
 }
 data += cfplen;
@@ -74,7 +73,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 if ( 16 >= len )
 {
 packet->Weird("truncated_ethernet_frame");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Let specialized analyzers take over for non Ethernet II frames.
@@ -95,10 +94,10 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 if ( eth_analyzer )
 return eth_analyzer->AnalyzePacket(len, data, packet);
- return AnalyzerResult::Terminate;
+ return true;
 }
 // Undefined (1500 < EtherType < 1536)
 packet->Weird("undefined_ether_type");
- return AnalyzerResult::Failed;
+ return false;
 }
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h
index b69b4887ef..eef3741a1f 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@@ -13,7 +13,7 @@ public:
 ~EthernetAnalyzer() override = default;
 void Initialize() override;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc
index 3612670f10..5466ab2dad 100644
--- a/src/packet_analysis/protocol/fddi/FDDI.cc
+++ b/src/packet_analysis/protocol/fddi/FDDI.cc
@@ -10,15 +10,14 @@ FDDIAnalyzer::FDDIAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 size_t hdr_size = 13 + 8; // FDDI header + LLC
 if ( hdr_size >= len )
 {
 packet->Weird("FDDI_analyzer_failed");
- return AnalyzerResult::Failed;
+ return false;
 }
 // We just skip the header and hope for default analysis
diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h
index d0e204e7d9..080834ae71 100644
--- a/src/packet_analysis/protocol/fddi/FDDI.h
+++ b/src/packet_analysis/protocol/fddi/FDDI.h
@@ -12,7 +12,7 @@ public:
 FDDIAnalyzer();
 ~FDDIAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
index 117677b535..c7e6b32982 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@@ -10,26 +10,25 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 u_char len_80211 = 24; // minimal length of data frames
 if ( len_80211 >= len )
 {
 packet->Weird("truncated_802_11_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 u_char fc_80211 = data[0]; // Frame Control field
 // Skip non-data frame types (management & control).
 if ( ! ((fc_80211 >> 2) & 0x02) )
- return AnalyzerResult::Failed;
+ return false;
 // Skip subtypes without data.
 if ( (fc_80211 >> 4) & 0x04 )
- return AnalyzerResult::Failed;
+ return false;
 // 'To DS' and 'From DS' flags set indicate use of the 4th
 // address field.
@@ -42,7 +41,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 // Skip in case of A-MSDU subframes indicated by QoS
 // control field.
 if ( data[len_80211] & 0x80 )
- return AnalyzerResult::Failed;
+ return false;
 len_80211 += 2;
 }
@@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 if ( len_80211 >= len )
 {
 packet->Weird("truncated_802_11_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Determine link-layer addresses based
@@ -85,7 +84,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 if ( len_80211 >= len )
 {
 packet->Weird("truncated_802_11_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Check that the DSAP and SSAP are both SNAP and that the control
@@ -102,7 +101,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 // If this is a logical link control frame without the
 // possibility of having a protocol we care about, we'll
 // just skip it for now.
- return AnalyzerResult::Failed;
+ return false;
 }
 uint32_t protocol = (data[0] << 8) + data[1];
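Review bot: The `return false;` on the skipped frame classes in the first hunk (non-data frames, no-data subtypes), in the @@ -42 hunk (A-MSDU subframes) and in the @@ -102 hunk (LLC frame without a protocol of interest) now makes Manager::ProcessPacket call InvalidateLayer2() on frames that are well-formed but deliberately not analysed; before this commit the Failed result was dropped by the manager and only an explicit Weird() cleared l2_valid, so these frames stayed L2-valid. I cannot see the consumers of IsL2Valid from here, but if anything downstream distinguishes "invalid L2" from "valid but nothing to dispatch", these paths should `return true;` without setting session_analysis, as ARPAnalyzer's final return does. At minimum the `// Skip …` comments should say that skipping is now reported to the manager as a failure.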
diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
index a9f4916654..e919f9676c 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
@@ -12,7 +12,7 @@ public:
 IEEE802_11Analyzer();
 ~IEEE802_11Analyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
index 68eea492da..19fcc052a7 100644
--- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
@@ -12,13 +12,12 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 3 >= len )
 {
 packet->Weird("truncated_radiotap_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Skip over the RadioTap header
@@ -27,7 +26,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(si
 if ( rtheader_len >= len )
 {
 packet->Weird("truncated_radiotap_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 return ForwardPacket(len - rtheader_len, data + rtheader_len, packet, DLT_IEEE802_11);
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
index 9f75eece30..bbd06d2b0f 100644
--- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
@@ -12,7 +12,7 @@ public:
 IEEE802_11_RadioAnalyzer();
 ~IEEE802_11_RadioAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc
index 1e0de7d171..2153ee0ebb 100644
--- a/src/packet_analysis/protocol/ip/IP.cc
+++ b/src/packet_analysis/protocol/ip/IP.cc
@@ -10,14 +10,13 @@ IPAnalyzer::IPAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 // Assume we're pointing at IP. Just figure out which version.
 if ( sizeof(struct ip) >= len )
 {
 packet->Weird("packet_analyzer_truncated_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 auto ip = (const struct ip *)data;
@@ -29,7 +28,7 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", GetAnalyzerName(), protocol);
 packet->Weird("no_suitable_analyzer_found");
- return AnalyzerResult::Failed;
+ return false;
 }
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h
index 7fd5d7a799..22f3b015b7 100644
--- a/src/packet_analysis/protocol/ip/IP.h
+++ b/src/packet_analysis/protocol/ip/IP.h
@@ -12,7 +12,7 @@ public:
 IPAnalyzer();
 ~IPAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc
index 958089c52b..1121ea437d 100644
--- a/src/packet_analysis/protocol/ipv4/IPv4.cc
+++ b/src/packet_analysis/protocol/ipv4/IPv4.cc
@@ -9,12 +9,12 @@ IPv4Analyzer::IPv4Analyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult IPv4Analyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool IPv4Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 packet->l3_proto = L3_IPV4;
 packet->hdr_size = static_cast(data - packet->data);
+ packet->session_analysis = true;
 // Leave packet analyzer land
- return AnalyzerResult::Terminate;
+ return true;
 }
diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h
index b2f01e4d34..4a4833abef 100644
--- a/src/packet_analysis/protocol/ipv4/IPv4.h
+++ b/src/packet_analysis/protocol/ipv4/IPv4.h
@@ -12,7 +12,7 @@ public:
 IPv4Analyzer();
 ~IPv4Analyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc
index e36444d296..5da788d4b7 100644
--- a/src/packet_analysis/protocol/ipv6/IPv6.cc
+++ b/src/packet_analysis/protocol/ipv6/IPv6.cc
@@ -9,12 +9,12 @@ IPv6Analyzer::IPv6Analyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult IPv6Analyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool IPv6Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 packet->l3_proto = L3_IPV6;
 packet->hdr_size = static_cast(data - packet->data);
+ packet->session_analysis = true;
 // Leave packet analyzer land
- return AnalyzerResult::Terminate;
+ return true;
 }
diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h
index 1a03540cf9..a640b3beff 100644
--- a/src/packet_analysis/protocol/ipv6/IPv6.h
+++ b/src/packet_analysis/protocol/ipv6/IPv6.h
@@ -12,7 +12,7 @@ public:
 IPv6Analyzer();
 ~IPv6Analyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
index 2c998dc8d9..c924b7233d 100644
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@@ -9,14 +9,13 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 auto len_sll_hdr = sizeof(SLLHeader);
 if ( len_sll_hdr >= len )
 {
 packet->Weird("truncated_Linux_SLL_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 //TODO: Handle different ARPHRD_types
diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h
index 65225a1fe6..ec18d92eb1 100644
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h
@@ -12,7 +12,7 @@ public:
 LinuxSLLAnalyzer();
 ~LinuxSLLAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc
index f0432a0e17..945b026ea4 100644
--- a/src/packet_analysis/protocol/mpls/MPLS.cc
+++ b/src/packet_analysis/protocol/mpls/MPLS.cc
@@ -9,8 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 // Skip the MPLS label stack.
 bool end_of_stack = false;
@@ -20,7 +19,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 if ( 4 >= len )
 {
 packet->Weird("truncated_link_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 end_of_stack = *(data + 2u) & 0x01;
@@ -34,7 +33,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 if ( sizeof(struct ip) >= len )
 {
 packet->Weird("no_ip_in_mpls_payload");
- return AnalyzerResult::Failed;
+ return false;
 }
 auto ip = (const struct ip*)data;
@@ -47,9 +46,10 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 {
 // Neither IPv4 nor IPv6.
 packet->Weird("no_ip_in_mpls_payload");
- return AnalyzerResult::Failed;
+ return false;
 }
 packet->hdr_size = (data - packet->data);
- return AnalyzerResult::Terminate;
+ packet->session_analysis = true;
+ return true;
 }
diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h
index 58c68b1aa4..b536b934d0 100644
--- a/src/packet_analysis/protocol/mpls/MPLS.h
+++ b/src/packet_analysis/protocol/mpls/MPLS.h
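Review bot: In the @@ -47,9 hunk of MPLSAnalyzer::AnalyzePacket, `packet->hdr_size = (data - packet->data);` stores a pointer difference into hdr_size with an implicit narrowing, while the IPv4 and IPv6 hunks on this page that now do the same hand-off use an explicit static_cast (its template argument is lost in this rendering); since this hunk adds the matching `packet->session_analysis = true;`, it is the place to make the three hand-off sites identical. A one-line comment above the new flag, `// Hand the IP payload to NetSessions; hdr_size marks where it starts.`, would also explain why session_analysis is set here and not on the failure paths.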
@@ -12,7 +12,7 @@ public:
 MPLSAnalyzer();
 ~MPLSAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc
index 49fd6a1656..55a09dc147 100644
--- a/src/packet_analysis/protocol/nflog/NFLog.cc
+++ b/src/packet_analysis/protocol/nflog/NFLog.cc
@@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 4 >= len )
 {
 packet->Weird("truncated_nflog_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
@@ -26,7 +25,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 if ( version != 0 )
 {
 packet->Weird("unknown_nflog_version");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Skip to TLVs.
@@ -41,7 +40,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 if ( 4 >= len )
 {
 packet->Weird("nflog_no_pcap_payload");
- return AnalyzerResult::Failed;
+ return false;
 }
 // TLV Type and Length values are specified in host byte order
@@ -69,7 +68,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 if ( tlv_len < 4 )
 {
 packet->Weird("nflog_bad_tlv_len");
- return AnalyzerResult::Failed;
+ return false;
 }
 else
 {
diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h
index 9b725565f9..9e7dfecfea 100644
--- a/src/packet_analysis/protocol/nflog/NFLog.h
+++ b/src/packet_analysis/protocol/nflog/NFLog.h
@@ -12,7 +12,7 @@ public:
 NFLogAnalyzer();
 ~NFLogAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc
index 1e54ceaab1..92ecb29315 100644
--- a/src/packet_analysis/protocol/null/Null.cc
+++ b/src/packet_analysis/protocol/null/Null.cc
@@ -10,13 +10,12 @@ NullAnalyzer::NullAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult NullAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 4 >= len )
 {
 packet->Weird("null_analyzer_failed");
- return AnalyzerResult::Failed;
+ return false;
 }
 uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h
index e82340a690..4179130690 100644
--- a/src/packet_analysis/protocol/null/Null.h
+++ b/src/packet_analysis/protocol/null/Null.h
@@ -12,7 +12,7 @@ public:
 NullAnalyzer();
 ~NullAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
index 4b0531ba8e..8ddf60ac82 100644
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
@@ -10,13 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 4 >= len )
 {
 packet->Weird("truncated_ppp_serial_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Extract protocol identifier
diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h
index c9c067ccac..9029e1d378 100644
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h
@@ -12,7 +12,7 @@ public:
 PPPSerialAnalyzer();
 ~PPPSerialAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc
index adbbb3fbe8..8a7454479d 100644
--- a/src/packet_analysis/protocol/pppoe/PPPoE.cc
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc
@@ -10,13 +10,12 @@ PPPoEAnalyzer::PPPoEAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 8 >= len )
 {
 packet->Weird("truncated_pppoe_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 // Extract protocol identifier
diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h
index 2c5113815b..cb21a80760 100644
--- a/src/packet_analysis/protocol/pppoe/PPPoE.h
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.h
@@ -12,7 +12,7 @@ public:
 PPPoEAnalyzer();
 ~PPPoEAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc
index 66002d0811..8b8ee4974f 100644
--- a/src/packet_analysis/protocol/skip/Skip.cc
+++ b/src/packet_analysis/protocol/skip/Skip.cc
@@ -19,8 +19,7 @@ void SkipAnalyzer::Initialize()
 skip_bytes = skip_val->AsCount();
 }
-zeek::packet_analysis::AnalyzerResult SkipAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool SkipAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 return ForwardPacket(len - skip_bytes, data + skip_bytes, packet);
 }
diff --git a/src/packet_analysis/protocol/skip/Skip.h b/src/packet_analysis/protocol/skip/Skip.h
index 5cef785d69..544d2ac43a 100644
--- a/src/packet_analysis/protocol/skip/Skip.h
+++ b/src/packet_analysis/protocol/skip/Skip.h
@@ -13,7 +13,7 @@ public:
 ~SkipAnalyzer() override = default;
 void Initialize() override;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc
index a2b245e1ff..5dc3fe1874 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.cc
+++ b/src/packet_analysis/protocol/vlan/VLAN.cc
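Review bot: `return ForwardPacket(len - skip_bytes, data + skip_bytes, packet);` in SkipAnalyzer::AnalyzePacket has no check that `len` covers `skip_bytes`; both operands are unsigned, so a captured packet shorter than the configured skip makes `len - skip_bytes` wrap to a huge length and hands the next analyzer a `data` pointer past the end of the capture buffer. `skip_bytes` is assigned from `skip_val->AsCount()` in the preceding Initialize() context, so it is presumably a configured value rather than packet-derived, but the packet length is attacker-controlled and every other analyzer in this series guards its header length before touching the payload. The same shape fits here, placed before the ForwardPacket call: `if ( len < skip_bytes ) { packet->Weird("truncated_skip_payload"); return false; }`. The function body is fully visible in the hunk.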
@@ -10,13 +10,12 @@ VLANAnalyzer::VLANAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult VLANAnalyzer::AnalyzePacket(size_t len,
- const uint8_t* data, Packet* packet)
+bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 if ( 4 >= len )
 {
 packet->Weird("truncated_VLAN_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h
index 0e1ffcfb92..bde045b552 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.h
+++ b/src/packet_analysis/protocol/vlan/VLAN.h
@@ -12,7 +12,7 @@ public:
 VLANAnalyzer();
 ~VLANAnalyzer() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc
index ea04b3a8c9..5d431af2c6 100644
--- a/src/packet_analysis/protocol/wrapper/Wrapper.cc
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc
@@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
 {
 }
-zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
+bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 // Unfortunately some packets on the link might have MPLS labels
 // while others don't. That means we need to ask the link-layer if
@@ -27,7 +27,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 if ( data + cfplen + 14 >= end_of_data )
 {
 packet->Weird("truncated_link_header_cfp");
- return AnalyzerResult::Failed;
+ return false;
 }
 data += cfplen;
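Review bot: The truncation guard in the second Wrapper.cc hunk, `if ( data + cfplen + 14 >= end_of_data )`, forms the advanced pointer before it compares it, so if `cfplen` is large the out-of-range pointer exists (and can in principle wrap) before the check has a chance to reject it. Where `cfplen` is computed is outside the hunk, so whether it is packet-derived cannot be confirmed here; if it is, comparing remaining length rather than pointers is the safer shape: `if ( static_cast<size_t>(end_of_data - data) <= cfplen + 14 )`, which keeps the same accept/reject boundary without leaving the buffer. WrapperAnalyzer::Analyze begins in the first hunk and continues past the end of this one.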
@@ -57,7 +57,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 if ( data + 4 >= end_of_data )
 {
 packet->Weird("truncated_link_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
@@ -75,7 +75,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 if ( data + 8 >= end_of_data )
 {
 packet->Weird("truncated_link_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 protocol = (data[6] << 8u) + data[7];
@@ -89,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 {
 // Neither IPv4 nor IPv6.
 packet->Weird("non_ip_packet_in_pppoe_encapsulation");
- return AnalyzerResult::Failed;
+ return false;
 }
 }
 break;
@@ -113,7 +113,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 {
 // Neither IPv4 nor IPv6.
 packet->Weird("non_ip_packet_in_ethernet");
- return AnalyzerResult::Failed;
+ return false;
 }
 }
@@ -127,7 +127,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 if ( data + 4 >= end_of_data )
 {
 packet->Weird("truncated_link_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 end_of_stack = *(data + 2u) & 0x01;
@@ -138,7 +138,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 if ( data + sizeof(struct ip) >= end_of_data )
 {
 packet->Weird("no_ip_in_mpls_payload");
- return AnalyzerResult::Failed;
+ return false;
 }
 const struct ip* ip = (const struct ip*)data;
@@ -151,7 +151,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 {
 // Neither IPv4 nor IPv6.
 packet->Weird("no_ip_in_mpls_payload");
- return AnalyzerResult::Failed;
+ return false;
 }
 }
diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h
index 20ddd66fb5..28bc073832 100644
--- a/src/packet_analysis/protocol/wrapper/Wrapper.h
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.h
@@ -12,7 +12,7 @@ public:
 WrapperAnalyzer();
 ~WrapperAnalyzer() override = default;
- AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
+ bool Analyze(Packet* packet, const uint8_t*& data) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
index 3781c62272..29926decbc 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
@@ -10,14 +10,14 @@ Bar::Bar()
 {
 }
-zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
+bool Bar::AnalyzePacket(size_t len,
 const uint8_t* data, Packet* packet)
 {
 // Rudimentary parsing of 802.2 LLC
 if ( 17 >= len )
 {
 packet->Weird("truncated_llc_header");
- return AnalyzerResult::Failed;
+ return false;
 }
 auto dsap = data[14];
@@ -29,5 +29,5 @@ zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
 val_mgr->Count(ssap), val_mgr->Count(control));
- return AnalyzerResult::Terminate;
+ return true;
 }
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
index e8d64e0783..e9a7ce8b25 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
@@ -10,7 +10,7 @@ public:
 Bar();
 ~Bar() override = default;
- AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 static AnalyzerPtr Instantiate()
 {
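Review bot: `return true;` replacing `return AnalyzerResult::Terminate;` at the end of Bar::AnalyzePacket deserves a comment, because the bool API no longer distinguishes "stop here, nothing to forward" from "forwarded successfully", and this is the only spot in the series where a Terminate rather than a Failed is mapped. A plugin author reading this sample will copy it, so the reason the leaf case returns true should be stated: `// LLC is a leaf here: nothing further to forward, but the packet parsed fine, so report success.` Whether the packet manager treats a true return without a ForwardPacket call as a still-valid packet is not visible in this hunk and is worth confirming against Packet::Init's new comment before the sample is taken as the reference. The second hunk starts mid-function; the event enqueue it closes begins outside the hunk.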