Improve packet analysis data flow.

2025-10-04 07:38:19 +00:00 · 2020-08-31 20:28:06 +02:00 · 2020-08-31 20:28:06 +02:00 · 38337d799b
commit 38337d799b
parent 90eb97876f
43 changed files with 141 additions and 176 deletions
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -85,7 +85,6 @@ NetSessions::NetSessions()
 	packet_filter = nullptr;
 	dump_this_packet = false;
 	num_packets_processed = 0;
 	static auto pkt_profile_file = id::find_val("pkt_profile_file");
@ -132,10 +131,15 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 	++num_packets_processed;
-	dump_this_packet = false;
+	bool dumped_packet = false;
-
+	if ( pkt->dump_packet || zeek::detail::record_all_packets )
-	if ( zeek::detail::record_all_packets )
+		{
 		DumpPacket(pkt);
 		dumped_packet = true;
 		}
 	if ( ! pkt->session_analysis )
 		return;
 	if ( pkt->hdr_size > pkt->cap_len )
 		{
@ -153,7 +157,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 			return;
 			}
-		const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size);
+		auto ip = (const struct ip*) (pkt->data + pkt->hdr_size);
 		IP_Hdr ip_hdr(ip, false);
 		DoNextPacket(t, pkt, &ip_hdr, nullptr);
 		}
@ -170,19 +174,14 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 		DoNextPacket(t, pkt, &ip_hdr, nullptr);
 		}
 	else if ( pkt->l3_proto == L3_ARP )
 		{
 		// Do nothing here as ARP has moved into a packet analyzer
 		//TODO: Revisit the use of packet's l3_proto
 		}
 	else
 		{
 		Weird("unknown_packet_type", pkt);
 		return;
 		}
-	if ( dump_this_packet && ! zeek::detail::record_all_packets )
+	// Check whether packet should be recorded based on session analysis
 	if ( pkt->dump_packet && ! dumped_packet )
 		DumpPacket(pkt);
 	}
@ -283,7 +282,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	if ( ip_hdr->IsFragment() )
 		{
-		dump_this_packet = true;	// always record fragments
+		pkt->dump_packet = true;	// always record fragments
 		if ( caplen < len )
 			{
@ -326,7 +325,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	// there, it's always the last.
 	if ( ip_hdr->LastHeader() == IPPROTO_ESP )
 		{
-		dump_this_packet = true;
+		pkt->dump_packet = true;
 		if ( esp_packet )
 			event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal());
@ -728,7 +727,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	else if ( record_packet )
 		{
 		if ( record_content )
-			dump_this_packet = true;	// save the whole thing
+			pkt->dump_packet = true;	// save the whole thing
 		else
 			{
@ -1322,7 +1321,7 @@ void NetSessions::Weird(const char* name, const Packet* pkt,
                        const EncapsulationStack* encap, const char* addl)
 	{
 	if ( pkt )
-		dump_this_packet = true;
+		pkt->dump_packet = true;
 	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
 		reporter->Weird(util::fmt("%s_in_tunnel", name), addl);
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -239,7 +239,6 @@ protected:
 	detail::PacketFilter* packet_filter;
 	uint64_t num_packets_processed;
 	detail::PacketProfiler* pkt_profiler;
 	bool dump_this_packet;	// if true, current packet should be recorded
 };
 namespace detail {
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@ -61,8 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,
 	if ( data )
 		{
-		// From here we assume that layer 2 is valid. If a packet analyzer encounters
+		// From here we assume that layer 2 is valid. If the packet analysis fails,
-		// an issue, it will call Packet::Weird(), which sets l2_valid to false.
+		// the packet manager will invalidate the packet.
 		l2_valid = true;
 		packet_mgr->ProcessPacket(this);
 		}
@ -76,7 +76,6 @@ const IP_Hdr Packet::IP() const
 void Packet::Weird(const char* name)
 	{
 	sessions->Weird(name, this);
 	l2_valid = false;
 	}
 IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
@ -99,6 +98,7 @@ IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
 	else if ( l3_proto == L3_ARP )
 		l3 = BifEnum::L3_ARP;
 	// TODO: Get rid of hardcoded l3 protocols.
 	// l2_hdr layout:
 	//      encap: link_encap;      ##< L2 link encapsulation
 	//      len: count;		##< Total frame length on wire
@ -169,32 +169,4 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const
 	return make_intrusive<StringVal>(buf);
 	}
 void Packet::Describe(ODesc* d) const
 	{
 	switch ( l3_proto )
 		{
 		case L3_ARP:
 			d->Add("ARP");
 			break;
 		case L3_IPV4:
 			d->Add("IPv4");
 			break;
 		case L3_IPV6:
 			d->Add("IPv6");
 			break;
 		default:
 			d->Add("Unknown L3 protocol");
 		}
 	// Add IP-specific information
 	if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 )
 		{
 		const IP_Hdr ip = IP();
 		d->Add(": ");
 		d->Add(ip.SrcAddr());
 		d->Add("->");
 		d->Add(ip.DstAddr());
 		}
 	}
 } // namespace zeek
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@ -125,6 +125,14 @@ public:
 		return l2_valid;
 		}
 	/**
 	 * Signals that the processing of layer 2 failed.
 	 */
 	void InvalidateLayer2()
 		{
 		l2_valid = false;
 		}
 	/**
 	 * Interprets the Layer 3 of the packet as IP and returns a
 	 * corresponding object.
@ -140,11 +148,6 @@ public:
 	[[deprecated("Remove in v4.1.  Use ToRawPktHdrval() instead.")]]
 	RecordVal* BuildPktHdrVal() const;
 	/**
 	 * Describes the packet, with standard signature.
 	 */
 	void Describe(ODesc* d) const;
 	/**
 	 * Maximal length of a layer 2 address.
 	 */
@ -221,6 +224,17 @@ public:
 	 */
 	bool l3_checksummed;
 	/**
 	 * Indicates whether the packet should be processed by zeek's
 	 * session analysis in NetSessions.
 	 */
 	bool session_analysis = false;
 	/**
 	 * Indicates whether this packet should be recorded.
 	 */
 	mutable bool dump_packet = false;
 	// Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it.
 	void Weird(const char* name);
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@ -57,7 +57,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const
 	return dispatcher.Lookup(identifier);
 	}
-AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
+bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
 		uint32_t identifier) const
 	{
 	auto inner_analyzer = Lookup(identifier);
@ -69,7 +69,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 		DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
 				GetAnalyzerName(), identifier);
 		packet->Weird("no_suitable_analyzer_found");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
@ -77,7 +77,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 	return inner_analyzer->AnalyzePacket(len, data, packet);
 	}
-AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
+bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
 	{
 	if ( default_analyzer )
 		return default_analyzer->AnalyzePacket(len, data, packet);
@ -85,7 +85,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
 			GetAnalyzerName());
 	packet->Weird("no_suitable_analyzer_found");
-	return AnalyzerResult::Terminate;
+	return true;
 	}
 }
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@ -8,15 +8,8 @@
 namespace zeek::packet_analysis {
 /**
- * Result of packet analysis.
+ * Main packet analyzer interface.
 */
 enum class AnalyzerResult {
 	Failed,   // Analysis failed
 	Terminate // Analysis succeeded and there is no further analysis to do
 };
 using AnalysisResultTuple = std::tuple<AnalyzerResult, uint32_t>;
 class Analyzer {
 public:
 	/**
@ -93,9 +86,9 @@ public:
 	 * @param data Pointer to the input to process.
 	 * @param packet Object that maintains the packet's meta data.
 	 *
-	 * @return The outcome of the analysis.
+	 * @return false if the analysis failed, else true.
 	 */
-	virtual AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data,
+	virtual bool AnalyzePacket(size_t len, const uint8_t* data,
 			Packet* packet) = 0;
 protected:
@ -119,9 +112,9 @@ protected:
 	 * @param data Reference to the payload pointer into the raw packet.
 	 * @param identifier The identifier of the encapsulated protocol.
 	 *
-	 * @return The outcome of the analysis.
+	 * @return false if the analysis failed, else true.
 	 */
-	AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
+	bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
 	                                          uint32_t identifier) const;
 	/**
@ -131,9 +124,9 @@ protected:
 	 * @param packet The packet to analyze.
 	 * @param data Reference to the payload pointer into the raw packet.
 	 *
-	 * @return The outcome of the analysis.
+	 * @return false if the analysis failed, else true.
 	 */
-	AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
+	bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
 private:
 	Tag tag;
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@ -128,7 +128,8 @@ void Manager::ProcessPacket(Packet* packet)
 		return;
 		}
-	auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet);
+	if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
 		packet->InvalidateLayer2();
 	}
 AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
--- a/src/packet_analysis/protocol/arp/ARP.cc
+++ b/src/packet_analysis/protocol/arp/ARP.cc
@ -81,8 +81,7 @@ ARPAnalyzer::ARPAnalyzer()
 #define ARPOP_INVREPLY ARPOP_InREPLY
 #endif
-zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
+bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	packet->l3_proto = L3_ARP;
@ -90,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 	if ( sizeof(struct arp_pkthdr) > len )
 		{
 		packet->Weird("truncated_ARP");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
@ -101,7 +100,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 	if ( min_length > len )
 		{
 		packet->Weird("truncated_ARP");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Check the address description fields.
@ -112,7 +111,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 				// don't know how to handle the opcode
 				BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)",
 						ntohs(ah->ar_hrd), ah->ar_hln);
-				return AnalyzerResult::Failed;
+				return false;
 				}
 			break;
@ -120,7 +119,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 			{
 			// don't know how to proceed
 			BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		}
@ -132,7 +131,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 				// don't know how to handle the opcode
 				BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)",
 						ntohs(ah->ar_pro), ah->ar_pln);
-				return AnalyzerResult::Failed;
+				return false;
 				}
 			break;
@ -140,7 +139,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 			{
 			// don't know how to proceed
 			BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		}
@ -149,7 +148,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 	if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 )
 		{
 		BadARPEvent(ah, "weird-arp-sha");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Check the code is supported.
@ -171,20 +170,20 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
 			{
 			// don't know how to handle the opcode
 			BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		default:
 			{
 			// invalid opcode
 			BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		}
 	// Leave packet analyzer land
-	return AnalyzerResult::Terminate;
+	return true;
 	}
 zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr)
--- a/src/packet_analysis/protocol/arp/ARP.h
+++ b/src/packet_analysis/protocol/arp/ARP.h
@ -18,7 +18,7 @@ public:
 	ARPAnalyzer();
 	~ARPAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
@ -31,15 +31,14 @@ zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::str
 	return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
 	}
-zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len,
+bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	// Make sure that we actually got an entire ethernet header before trying
 	// to pull bytes out of it.
 	if ( 16 >= len )
 		{
 		packet->Weird("truncated_ethernet_frame");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Skip past Cisco FabricPath to encapsulated ethernet frame.
@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 		if ( cfplen + 14 >= len )
 			{
 			packet->Weird("truncated_link_header_cfp");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		data += cfplen;
@ -74,7 +73,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 		if ( 16 >= len )
 			{
 			packet->Weird("truncated_ethernet_frame");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		// Let specialized analyzers take over for non Ethernet II frames.
@ -95,10 +94,10 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
 		if ( eth_analyzer )
 			return eth_analyzer->AnalyzePacket(len, data, packet);
-		return AnalyzerResult::Terminate;
+		return true;
 		}
 	// Undefined (1500 < EtherType < 1536)
 	packet->Weird("undefined_ether_type");
-	return AnalyzerResult::Failed;
+	return false;
 	}
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@ -13,7 +13,7 @@ public:
 	~EthernetAnalyzer() override = default;
 	void Initialize() override;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/fddi/FDDI.cc
+++ b/src/packet_analysis/protocol/fddi/FDDI.cc
@ -10,15 +10,14 @@ FDDIAnalyzer::FDDIAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::AnalyzePacket(size_t len,
+bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	size_t hdr_size = 13 + 8; // FDDI header + LLC
 	if ( hdr_size >= len )
 		{
 		packet->Weird("FDDI_analyzer_failed");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// We just skip the header and hope for default analysis
--- a/src/packet_analysis/protocol/fddi/FDDI.h
+++ b/src/packet_analysis/protocol/fddi/FDDI.h
@ -12,7 +12,7 @@ public:
 	FDDIAnalyzer();
 	~FDDIAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@ -10,26 +10,25 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t len,
+bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	u_char len_80211 = 24; // minimal length of data frames
 	if ( len_80211 >= len )
 		{
 		packet->Weird("truncated_802_11_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	u_char fc_80211 = data[0]; // Frame Control field
 	// Skip non-data frame types (management & control).
 	if ( ! ((fc_80211 >> 2) & 0x02) )
-		return AnalyzerResult::Failed;
+		return false;
 	// Skip subtypes without data.
 	if ( (fc_80211 >> 4) & 0x04 )
-		return AnalyzerResult::Failed;
+		return false;
 	// 'To DS' and 'From DS' flags set indicate use of the 4th
 	// address field.
@ -42,7 +41,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 		// Skip in case of A-MSDU subframes indicated by QoS
 		// control field.
 		if ( data[len_80211] & 0x80 )
-			return AnalyzerResult::Failed;
+			return false;
 		len_80211 += 2;
 		}
@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 	if ( len_80211 >= len )
 		{
 		packet->Weird("truncated_802_11_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Determine link-layer addresses based
@ -85,7 +84,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 	if ( len_80211 >= len )
 		{
 		packet->Weird("truncated_802_11_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Check that the DSAP and SSAP are both SNAP and that the control
@ -102,7 +101,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
 		// If this is a logical link control frame without the
 		// possibility of having a protocol we care about, we'll
 		// just skip it for now.
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	uint32_t protocol = (data[0] << 8) + data[1];
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
@ -12,7 +12,7 @@ public:
 	IEEE802_11Analyzer();
 	~IEEE802_11Analyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
@ -12,13 +12,12 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len,
+bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 3 >= len )
 		{
 		packet->Weird("truncated_radiotap_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Skip over the RadioTap header
@ -27,7 +26,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(si
 	if ( rtheader_len >= len )
 		{
 		packet->Weird("truncated_radiotap_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	return ForwardPacket(len - rtheader_len, data + rtheader_len, packet, DLT_IEEE802_11);
--- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
@ -12,7 +12,7 @@ public:
 	IEEE802_11_RadioAnalyzer();
 	~IEEE802_11_RadioAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ip/IP.cc
+++ b/src/packet_analysis/protocol/ip/IP.cc
@ -10,14 +10,13 @@ IPAnalyzer::IPAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
+bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	// Assume we're pointing at IP. Just figure out which version.
 	if ( sizeof(struct ip) >= len )
 		{
 		packet->Weird("packet_analyzer_truncated_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	auto ip = (const struct ip *)data;
@ -29,7 +28,7 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
 		DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
 				GetAnalyzerName(), protocol);
 		packet->Weird("no_suitable_analyzer_found");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
--- a/src/packet_analysis/protocol/ip/IP.h
+++ b/src/packet_analysis/protocol/ip/IP.h
@ -12,7 +12,7 @@ public:
 	IPAnalyzer();
 	~IPAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ipv4/IPv4.cc
+++ b/src/packet_analysis/protocol/ipv4/IPv4.cc
@ -9,12 +9,12 @@ IPv4Analyzer::IPv4Analyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult IPv4Analyzer::AnalyzePacket(size_t len,
+bool IPv4Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	packet->l3_proto = L3_IPV4;
 	packet->hdr_size = static_cast<uint32_t>(data - packet->data);
 	packet->session_analysis = true;
 	// Leave packet analyzer land
-	return AnalyzerResult::Terminate;
+	return true;
 	}
--- a/src/packet_analysis/protocol/ipv4/IPv4.h
+++ b/src/packet_analysis/protocol/ipv4/IPv4.h
@ -12,7 +12,7 @@ public:
 	IPv4Analyzer();
 	~IPv4Analyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ipv6/IPv6.cc
+++ b/src/packet_analysis/protocol/ipv6/IPv6.cc
@ -9,12 +9,12 @@ IPv6Analyzer::IPv6Analyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult IPv6Analyzer::AnalyzePacket(size_t len,
+bool IPv6Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	packet->l3_proto = L3_IPV6;
 	packet->hdr_size = static_cast<uint32_t>(data - packet->data);
 	packet->session_analysis = true;
 	// Leave packet analyzer land
-	return AnalyzerResult::Terminate;
+	return true;
 	}
--- a/src/packet_analysis/protocol/ipv6/IPv6.h
+++ b/src/packet_analysis/protocol/ipv6/IPv6.h
@ -12,7 +12,7 @@ public:
 	IPv6Analyzer();
 	~IPv6Analyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@ -9,14 +9,13 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::AnalyzePacket(size_t len,
+bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	auto len_sll_hdr = sizeof(SLLHeader);
 	if ( len_sll_hdr >= len )
 		{
 		packet->Weird("truncated_Linux_SLL_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	//TODO: Handle different ARPHRD_types
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h
@ -12,7 +12,7 @@ public:
 	LinuxSLLAnalyzer();
 	~LinuxSLLAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/mpls/MPLS.cc
+++ b/src/packet_analysis/protocol/mpls/MPLS.cc
@ -9,8 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
+bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	// Skip the MPLS label stack.
 	bool end_of_stack = false;
@ -20,7 +19,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 		if ( 4 >= len )
 			{
 			packet->Weird("truncated_link_header");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		end_of_stack = *(data + 2u) & 0x01;
@ -34,7 +33,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 	if ( sizeof(struct ip) >= len )
 		{
 		packet->Weird("no_ip_in_mpls_payload");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	auto ip = (const struct ip*)data;
@ -47,9 +46,10 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
 		{
 		// Neither IPv4 nor IPv6.
 		packet->Weird("no_ip_in_mpls_payload");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	packet->hdr_size = (data - packet->data);
-	return AnalyzerResult::Terminate;
+	packet->session_analysis = true;
 	return true;
 	}
--- a/src/packet_analysis/protocol/mpls/MPLS.h
+++ b/src/packet_analysis/protocol/mpls/MPLS.h
@ -12,7 +12,7 @@ public:
 	MPLSAnalyzer();
 	~MPLSAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/nflog/NFLog.cc
+++ b/src/packet_analysis/protocol/nflog/NFLog.cc
@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
+bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 4 >= len )
 		{
 		packet->Weird("truncated_nflog_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
@ -26,7 +25,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 	if ( version != 0 )
 		{
 		packet->Weird("unknown_nflog_version");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Skip to TLVs.
@ -41,7 +40,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 		if ( 4 >= len )
 			{
 			packet->Weird("nflog_no_pcap_payload");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		// TLV Type and Length values are specified in host byte order
@ -69,7 +68,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
 			if ( tlv_len < 4 )
 				{
 				packet->Weird("nflog_bad_tlv_len");
-				return AnalyzerResult::Failed;
+				return false;
 				}
 			else
 				{
--- a/src/packet_analysis/protocol/nflog/NFLog.h
+++ b/src/packet_analysis/protocol/nflog/NFLog.h
@ -12,7 +12,7 @@ public:
 	NFLogAnalyzer();
 	~NFLogAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/null/Null.cc
+++ b/src/packet_analysis/protocol/null/Null.cc
@ -10,13 +10,12 @@ NullAnalyzer::NullAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult NullAnalyzer::AnalyzePacket(size_t len,
+bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 4 >= len )
 		{
 		packet->Weird("null_analyzer_failed");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
--- a/src/packet_analysis/protocol/null/Null.h
+++ b/src/packet_analysis/protocol/null/Null.h
@ -12,7 +12,7 @@ public:
 	NullAnalyzer();
 	~NullAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
@ -10,13 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::AnalyzePacket(size_t len,
+bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 4 >= len )
 		{
 		packet->Weird("truncated_ppp_serial_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Extract protocol identifier
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h
@ -12,7 +12,7 @@ public:
 	PPPSerialAnalyzer();
 	~PPPSerialAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/pppoe/PPPoE.cc
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc
@ -10,13 +10,12 @@ PPPoEAnalyzer::PPPoEAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::AnalyzePacket(size_t len,
+bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 8 >= len )
 		{
 		packet->Weird("truncated_pppoe_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	// Extract protocol identifier
--- a/src/packet_analysis/protocol/pppoe/PPPoE.h
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.h
@ -12,7 +12,7 @@ public:
 	PPPoEAnalyzer();
 	~PPPoEAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/skip/Skip.cc
+++ b/src/packet_analysis/protocol/skip/Skip.cc
@ -19,8 +19,7 @@ void SkipAnalyzer::Initialize()
 	skip_bytes = skip_val->AsCount();
 	}
-zeek::packet_analysis::AnalyzerResult SkipAnalyzer::AnalyzePacket(size_t len,
+bool SkipAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	return ForwardPacket(len - skip_bytes, data + skip_bytes, packet);
 	}
--- a/src/packet_analysis/protocol/skip/Skip.h
+++ b/src/packet_analysis/protocol/skip/Skip.h
@ -13,7 +13,7 @@ public:
 	~SkipAnalyzer() override = default;
 	void Initialize() override;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/vlan/VLAN.cc
+++ b/src/packet_analysis/protocol/vlan/VLAN.cc
@ -10,13 +10,12 @@ VLANAnalyzer::VLANAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult VLANAnalyzer::AnalyzePacket(size_t len,
+bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		const uint8_t* data, Packet* packet)
 	{
 	if ( 4 >= len )
 		{
 		packet->Weird("truncated_VLAN_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
--- a/src/packet_analysis/protocol/vlan/VLAN.h
+++ b/src/packet_analysis/protocol/vlan/VLAN.h
@ -12,7 +12,7 @@ public:
 	VLANAnalyzer();
 	~VLANAnalyzer() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/src/packet_analysis/protocol/wrapper/Wrapper.cc
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc
@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
+bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 	{
 	// Unfortunately some packets on the link might have MPLS labels
 	// while others don't. That means we need to ask the link-layer if
@ -27,7 +27,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 		if ( data + cfplen + 14 >= end_of_data )
 			{
 			packet->Weird("truncated_link_header_cfp");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		data += cfplen;
@ -57,7 +57,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 				if ( data + 4 >= end_of_data )
 					{
 					packet->Weird("truncated_link_header");
-					return AnalyzerResult::Failed;
+					return false;
 					}
 				auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
@ -75,7 +75,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 				if ( data + 8 >= end_of_data )
 					{
 					packet->Weird("truncated_link_header");
-					return AnalyzerResult::Failed;
+					return false;
 					}
 				protocol = (data[6] << 8u) + data[7];
@ -89,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 					{
 					// Neither IPv4 nor IPv6.
 					packet->Weird("non_ip_packet_in_pppoe_encapsulation");
-					return AnalyzerResult::Failed;
+					return false;
 					}
 				}
 			break;
@ -113,7 +113,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 			{
 			// Neither IPv4 nor IPv6.
 			packet->Weird("non_ip_packet_in_ethernet");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		}
@ -127,7 +127,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 			if ( data + 4 >= end_of_data )
 				{
 				packet->Weird("truncated_link_header");
-				return AnalyzerResult::Failed;
+				return false;
 				}
 			end_of_stack = *(data + 2u) & 0x01;
@ -138,7 +138,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 		if ( data + sizeof(struct ip) >= end_of_data )
 			{
 			packet->Weird("no_ip_in_mpls_payload");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		const struct ip* ip = (const struct ip*)data;
@ -151,7 +151,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
 			{
 			// Neither IPv4 nor IPv6.
 			packet->Weird("no_ip_in_mpls_payload");
-			return AnalyzerResult::Failed;
+			return false;
 			}
 		}
--- a/src/packet_analysis/protocol/wrapper/Wrapper.h
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.h
@ -12,7 +12,7 @@ public:
 	WrapperAnalyzer();
 	~WrapperAnalyzer() override = default;
-	AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
+	bool Analyze(Packet* packet, const uint8_t*& data) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc
@ -10,14 +10,14 @@ Bar::Bar()
 	{
 	}
-zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
+bool Bar::AnalyzePacket(size_t len,
 		const uint8_t* data, Packet* packet)
 	{
 	// Rudimentary parsing of 802.2 LLC
 	if ( 17 >= len )
 		{
 		packet->Weird("truncated_llc_header");
-		return AnalyzerResult::Failed;
+		return false;
 		}
 	auto dsap = data[14];
@ -29,5 +29,5 @@ zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
 		val_mgr->Count(ssap),
 		val_mgr->Count(control));
-	return AnalyzerResult::Terminate;
+	return true;
 	}
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h
@ -10,7 +10,7 @@ public:
 	Bar();
 	~Bar() override = default;
-	AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static AnalyzerPtr Instantiate()
 		{