Improve packet analysis data flow.

2025-10-15 04:58:21 +00:00 · 2020-08-31 20:28:06 +02:00 · 2020-08-31 20:28:06 +02:00 · 38337d799b
commit 38337d799b
parent 90eb97876f
43 changed files with 141 additions and 176 deletions
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@ -61,8 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,

 	if ( data )
 		{
-		// From here we assume that layer 2 is valid. If a packet analyzer encounters
-		// an issue, it will call Packet::Weird(), which sets l2_valid to false.
+		// From here we assume that layer 2 is valid. If the packet analysis fails,
+		// the packet manager will invalidate the packet.
 		l2_valid = true;
 		packet_mgr->ProcessPacket(this);
 		}
@ -76,7 +76,6 @@ const IP_Hdr Packet::IP() const
 void Packet::Weird(const char* name)
 	{
 	sessions->Weird(name, this);
-	l2_valid = false;
 	}

 IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
@ -99,6 +98,7 @@ IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
 	else if ( l3_proto == L3_ARP )
 		l3 = BifEnum::L3_ARP;

+	// TODO: Get rid of hardcoded l3 protocols.
 	// l2_hdr layout:
 	//      encap: link_encap;      ##< L2 link encapsulation
 	//      len: count;		##< Total frame length on wire
@ -169,32 +169,4 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const
 	return make_intrusive<StringVal>(buf);
 	}

-void Packet::Describe(ODesc* d) const
-	{
-	switch ( l3_proto )
-		{
-		case L3_ARP:
-			d->Add("ARP");
-			break;
-		case L3_IPV4:
-			d->Add("IPv4");
-			break;
-		case L3_IPV6:
-			d->Add("IPv6");
-			break;
-		default:
-			d->Add("Unknown L3 protocol");
-		}
-
-	// Add IP-specific information
-	if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 )
-		{
-		const IP_Hdr ip = IP();
-		d->Add(": ");
-		d->Add(ip.SrcAddr());
-		d->Add("->");
-		d->Add(ip.DstAddr());
-		}
-	}
-
 } // namespace zeek
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@ -125,6 +125,14 @@ public:
 		return l2_valid;
 		}

+	/**
+	 * Signals that the processing of layer 2 failed.
+	 */
+	void InvalidateLayer2()
+		{
+		l2_valid = false;
+		}
+
 	/**
 	 * Interprets the Layer 3 of the packet as IP and returns a
 	 * corresponding object.
@ -140,11 +148,6 @@ public:
 	[[deprecated("Remove in v4.1.  Use ToRawPktHdrval() instead.")]]
 	RecordVal* BuildPktHdrVal() const;

-	/**
-	 * Describes the packet, with standard signature.
-	 */
-	void Describe(ODesc* d) const;
-
 	/**
 	 * Maximal length of a layer 2 address.
 	 */
@ -221,6 +224,17 @@ public:
 	 */
 	bool l3_checksummed;

+	/**
+	 * Indicates whether the packet should be processed by zeek's
+	 * session analysis in NetSessions.
+	 */
+	bool session_analysis = false;
+
+	/**
+	 * Indicates whether this packet should be recorded.
+	 */
+	mutable bool dump_packet = false;
+
 	// Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it.
 	void Weird(const char* name);