mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
Improve packet analysis data flow.
This commit is contained in:
Jan Grashoefer
Tim Wojtulewicz
parent
90eb97876f
commit
38337d799b
43 changed files with 141 additions and 176 deletions
|
|
@ -85,7 +85,6 @@ NetSessions::NetSessions()
|
|||
|
||||
packet_filter = nullptr;
|
||||
|
||||
dump_this_packet = false;
|
||||
num_packets_processed = 0;
|
||||
static auto pkt_profile_file = id::find_val("pkt_profile_file");
|
||||
|
||||
|
|
@ -132,10 +131,15 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
|
|||
|
||||
++num_packets_processed;
|
||||
|
||||
dump_this_packet = false;
|
||||
|
||||
if ( zeek::detail::record_all_packets )
|
||||
bool dumped_packet = false;
|
||||
if ( pkt->dump_packet || zeek::detail::record_all_packets )
|
||||
{
|
||||
DumpPacket(pkt);
|
||||
dumped_packet = true;
|
||||
}
|
||||
|
||||
if ( ! pkt->session_analysis )
|
||||
return;
|
||||
|
||||
if ( pkt->hdr_size > pkt->cap_len )
|
||||
{
|
||||
|
|
@ -153,7 +157,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
|
|||
return;
|
||||
}
|
||||
|
||||
const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size);
|
||||
auto ip = (const struct ip*) (pkt->data + pkt->hdr_size);
|
||||
IP_Hdr ip_hdr(ip, false);
|
||||
DoNextPacket(t, pkt, &ip_hdr, nullptr);
|
||||
}
|
||||
|
|
@ -170,19 +174,14 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
|
|||
DoNextPacket(t, pkt, &ip_hdr, nullptr);
|
||||
}
|
||||
|
||||
else if ( pkt->l3_proto == L3_ARP )
|
||||
{
|
||||
// Do nothing here as ARP has moved into a packet analyzer
|
||||
//TODO: Revisit the use of packet's l3_proto
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
Weird("unknown_packet_type", pkt);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( dump_this_packet && ! zeek::detail::record_all_packets )
|
||||
// Check whether packet should be recorded based on session analysis
|
||||
if ( pkt->dump_packet && ! dumped_packet )
|
||||
DumpPacket(pkt);
|
||||
}
|
||||
|
||||
|
|
@ -283,7 +282,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
|||
|
||||
if ( ip_hdr->IsFragment() )
|
||||
{
|
||||
dump_this_packet = true; // always record fragments
|
||||
pkt->dump_packet = true; // always record fragments
|
||||
|
||||
if ( caplen < len )
|
||||
{
|
||||
|
|
@ -326,7 +325,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
|||
// there, it's always the last.
|
||||
if ( ip_hdr->LastHeader() == IPPROTO_ESP )
|
||||
{
|
||||
dump_this_packet = true;
|
||||
pkt->dump_packet = true;
|
||||
if ( esp_packet )
|
||||
event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal());
|
||||
|
||||
|
|
@ -728,7 +727,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
|||
else if ( record_packet )
|
||||
{
|
||||
if ( record_content )
|
||||
dump_this_packet = true; // save the whole thing
|
||||
pkt->dump_packet = true; // save the whole thing
|
||||
|
||||
else
|
||||
{
|
||||
|
|
@ -1322,7 +1321,7 @@ void NetSessions::Weird(const char* name, const Packet* pkt,
|
|||
const EncapsulationStack* encap, const char* addl)
|
||||
{
|
||||
if ( pkt )
|
||||
dump_this_packet = true;
|
||||
pkt->dump_packet = true;
|
||||
|
||||
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
|
||||
reporter->Weird(util::fmt("%s_in_tunnel", name), addl);
|
||||
|
|
|
|||
|
|
@ -239,7 +239,6 @@ protected:
|
|||
detail::PacketFilter* packet_filter;
|
||||
uint64_t num_packets_processed;
|
||||
detail::PacketProfiler* pkt_profiler;
|
||||
bool dump_this_packet; // if true, current packet should be recorded
|
||||
};
|
||||
|
||||
namespace detail {
|
||||
|
|
|
|||
|
|
@ -61,8 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,
|
|||
|
||||
if ( data )
|
||||
{
|
||||
// From here we assume that layer 2 is valid. If a packet analyzer encounters
|
||||
// an issue, it will call Packet::Weird(), which sets l2_valid to false.
|
||||
// From here we assume that layer 2 is valid. If the packet analysis fails,
|
||||
// the packet manager will invalidate the packet.
|
||||
l2_valid = true;
|
||||
packet_mgr->ProcessPacket(this);
|
||||
}
|
||||
|
|
@ -76,7 +76,6 @@ const IP_Hdr Packet::IP() const
|
|||
void Packet::Weird(const char* name)
|
||||
{
|
||||
sessions->Weird(name, this);
|
||||
l2_valid = false;
|
||||
}
|
||||
|
||||
IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
|
||||
|
|
@ -99,6 +98,7 @@ IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
|
|||
else if ( l3_proto == L3_ARP )
|
||||
l3 = BifEnum::L3_ARP;
|
||||
|
||||
// TODO: Get rid of hardcoded l3 protocols.
|
||||
// l2_hdr layout:
|
||||
// encap: link_encap; ##< L2 link encapsulation
|
||||
// len: count; ##< Total frame length on wire
|
||||
|
|
@ -169,32 +169,4 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const
|
|||
return make_intrusive<StringVal>(buf);
|
||||
}
|
||||
|
||||
void Packet::Describe(ODesc* d) const
|
||||
{
|
||||
switch ( l3_proto )
|
||||
{
|
||||
case L3_ARP:
|
||||
d->Add("ARP");
|
||||
break;
|
||||
case L3_IPV4:
|
||||
d->Add("IPv4");
|
||||
break;
|
||||
case L3_IPV6:
|
||||
d->Add("IPv6");
|
||||
break;
|
||||
default:
|
||||
d->Add("Unknown L3 protocol");
|
||||
}
|
||||
|
||||
// Add IP-specific information
|
||||
if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 )
|
||||
{
|
||||
const IP_Hdr ip = IP();
|
||||
d->Add(": ");
|
||||
d->Add(ip.SrcAddr());
|
||||
d->Add("->");
|
||||
d->Add(ip.DstAddr());
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace zeek
|
||||
|
|
|
|||
|
|
@ -125,6 +125,14 @@ public:
|
|||
return l2_valid;
|
||||
}
|
||||
|
||||
/**
|
||||
* Signals that the processing of layer 2 failed.
|
||||
*/
|
||||
void InvalidateLayer2()
|
||||
{
|
||||
l2_valid = false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Interprets the Layer 3 of the packet as IP and returns a
|
||||
* corresponding object.
|
||||
|
|
@ -140,11 +148,6 @@ public:
|
|||
[[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]]
|
||||
RecordVal* BuildPktHdrVal() const;
|
||||
|
||||
/**
|
||||
* Describes the packet, with standard signature.
|
||||
*/
|
||||
void Describe(ODesc* d) const;
|
||||
|
||||
/**
|
||||
* Maximal length of a layer 2 address.
|
||||
*/
|
||||
|
|
@ -221,6 +224,17 @@ public:
|
|||
*/
|
||||
bool l3_checksummed;
|
||||
|
||||
/**
|
||||
* Indicates whether the packet should be processed by zeek's
|
||||
* session analysis in NetSessions.
|
||||
*/
|
||||
bool session_analysis = false;
|
||||
|
||||
/**
|
||||
* Indicates whether this packet should be recorded.
|
||||
*/
|
||||
mutable bool dump_packet = false;
|
||||
|
||||
// Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it.
|
||||
void Weird(const char* name);
|
||||
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const
|
|||
return dispatcher.Lookup(identifier);
|
||||
}
|
||||
|
||||
AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
|
||||
bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
|
||||
uint32_t identifier) const
|
||||
{
|
||||
auto inner_analyzer = Lookup(identifier);
|
||||
|
|
@ -69,7 +69,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
|
|||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
|
||||
GetAnalyzerName(), identifier);
|
||||
packet->Weird("no_suitable_analyzer_found");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
|
||||
|
|
@ -77,7 +77,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
|
|||
return inner_analyzer->AnalyzePacket(len, data, packet);
|
||||
}
|
||||
|
||||
AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
|
||||
bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
|
||||
{
|
||||
if ( default_analyzer )
|
||||
return default_analyzer->AnalyzePacket(len, data, packet);
|
||||
|
|
@ -85,7 +85,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet*
|
|||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
|
||||
GetAnalyzerName());
|
||||
packet->Weird("no_suitable_analyzer_found");
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -8,15 +8,8 @@
|
|||
namespace zeek::packet_analysis {
|
||||
|
||||
/**
|
||||
* Result of packet analysis.
|
||||
* Main packet analyzer interface.
|
||||
*/
|
||||
enum class AnalyzerResult {
|
||||
Failed, // Analysis failed
|
||||
Terminate // Analysis succeeded and there is no further analysis to do
|
||||
};
|
||||
|
||||
using AnalysisResultTuple = std::tuple<AnalyzerResult, uint32_t>;
|
||||
|
||||
class Analyzer {
|
||||
public:
|
||||
/**
|
||||
|
|
@ -93,9 +86,9 @@ public:
|
|||
* @param data Pointer to the input to process.
|
||||
* @param packet Object that maintains the packet's meta data.
|
||||
*
|
||||
* @return The outcome of the analysis.
|
||||
* @return false if the analysis failed, else true.
|
||||
*/
|
||||
virtual AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data,
|
||||
virtual bool AnalyzePacket(size_t len, const uint8_t* data,
|
||||
Packet* packet) = 0;
|
||||
|
||||
protected:
|
||||
|
|
@ -119,9 +112,9 @@ protected:
|
|||
* @param data Reference to the payload pointer into the raw packet.
|
||||
* @param identifier The identifier of the encapsulated protocol.
|
||||
*
|
||||
* @return The outcome of the analysis.
|
||||
* @return false if the analysis failed, else true.
|
||||
*/
|
||||
AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
|
||||
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
|
||||
uint32_t identifier) const;
|
||||
|
||||
/**
|
||||
|
|
@ -131,9 +124,9 @@ protected:
|
|||
* @param packet The packet to analyze.
|
||||
* @param data Reference to the payload pointer into the raw packet.
|
||||
*
|
||||
* @return The outcome of the analysis.
|
||||
* @return false if the analysis failed, else true.
|
||||
*/
|
||||
AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
|
||||
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
|
||||
|
||||
private:
|
||||
Tag tag;
|
||||
|
|
|
|||
|
|
@ -128,7 +128,8 @@ void Manager::ProcessPacket(Packet* packet)
|
|||
return;
|
||||
}
|
||||
|
||||
auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet);
|
||||
if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
|
||||
packet->InvalidateLayer2();
|
||||
}
|
||||
|
||||
AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
|
||||
|
|
|
|||
|
|
@ -81,8 +81,7 @@ ARPAnalyzer::ARPAnalyzer()
|
|||
#define ARPOP_INVREPLY ARPOP_InREPLY
|
||||
#endif
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
packet->l3_proto = L3_ARP;
|
||||
|
||||
|
|
@ -90,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( sizeof(struct arp_pkthdr) > len )
|
||||
{
|
||||
packet->Weird("truncated_ARP");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
|
||||
|
|
@ -101,7 +100,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( min_length > len )
|
||||
{
|
||||
packet->Weird("truncated_ARP");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check the address description fields.
|
||||
|
|
@ -112,7 +111,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
// don't know how to handle the opcode
|
||||
BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)",
|
||||
ntohs(ah->ar_hrd), ah->ar_hln);
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
break;
|
||||
|
||||
|
|
@ -120,7 +119,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
{
|
||||
// don't know how to proceed
|
||||
BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -132,7 +131,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
// don't know how to handle the opcode
|
||||
BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)",
|
||||
ntohs(ah->ar_pro), ah->ar_pln);
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
break;
|
||||
|
||||
|
|
@ -140,7 +139,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
{
|
||||
// don't know how to proceed
|
||||
BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -149,7 +148,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 )
|
||||
{
|
||||
BadARPEvent(ah, "weird-arp-sha");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check the code is supported.
|
||||
|
|
@ -171,20 +170,20 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len,
|
|||
{
|
||||
// don't know how to handle the opcode
|
||||
BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
default:
|
||||
{
|
||||
// invalid opcode
|
||||
BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Leave packet analyzer land
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
||||
zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr)
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ public:
|
|||
ARPAnalyzer();
|
||||
~ARPAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -31,15 +31,14 @@ zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::str
|
|||
return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
// Make sure that we actually got an entire ethernet header before trying
|
||||
// to pull bytes out of it.
|
||||
if ( 16 >= len )
|
||||
{
|
||||
packet->Weird("truncated_ethernet_frame");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Skip past Cisco FabricPath to encapsulated ethernet frame.
|
||||
|
|
@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
|
|||
if ( cfplen + 14 >= len )
|
||||
{
|
||||
packet->Weird("truncated_link_header_cfp");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
data += cfplen;
|
||||
|
|
@ -74,7 +73,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
|
|||
if ( 16 >= len )
|
||||
{
|
||||
packet->Weird("truncated_ethernet_frame");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Let specialized analyzers take over for non Ethernet II frames.
|
||||
|
|
@ -95,10 +94,10 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len
|
|||
if ( eth_analyzer )
|
||||
return eth_analyzer->AnalyzePacket(len, data, packet);
|
||||
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
||||
// Undefined (1500 < EtherType < 1536)
|
||||
packet->Weird("undefined_ether_type");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ public:
|
|||
~EthernetAnalyzer() override = default;
|
||||
|
||||
void Initialize() override;
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,15 +10,14 @@ FDDIAnalyzer::FDDIAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
size_t hdr_size = 13 + 8; // FDDI header + LLC
|
||||
|
||||
if ( hdr_size >= len )
|
||||
{
|
||||
packet->Weird("FDDI_analyzer_failed");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// We just skip the header and hope for default analysis
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
FDDIAnalyzer();
|
||||
~FDDIAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,26 +10,25 @@ IEEE802_11Analyzer::IEEE802_11Analyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
u_char len_80211 = 24; // minimal length of data frames
|
||||
|
||||
if ( len_80211 >= len )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
u_char fc_80211 = data[0]; // Frame Control field
|
||||
|
||||
// Skip non-data frame types (management & control).
|
||||
if ( ! ((fc_80211 >> 2) & 0x02) )
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
|
||||
// Skip subtypes without data.
|
||||
if ( (fc_80211 >> 4) & 0x04 )
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
|
||||
// 'To DS' and 'From DS' flags set indicate use of the 4th
|
||||
// address field.
|
||||
|
|
@ -42,7 +41,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
|
|||
// Skip in case of A-MSDU subframes indicated by QoS
|
||||
// control field.
|
||||
if ( data[len_80211] & 0x80 )
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
|
||||
len_80211 += 2;
|
||||
}
|
||||
|
|
@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
|
|||
if ( len_80211 >= len )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Determine link-layer addresses based
|
||||
|
|
@ -85,7 +84,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
|
|||
if ( len_80211 >= len )
|
||||
{
|
||||
packet->Weird("truncated_802_11_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check that the DSAP and SSAP are both SNAP and that the control
|
||||
|
|
@ -102,7 +101,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l
|
|||
// If this is a logical link control frame without the
|
||||
// possibility of having a protocol we care about, we'll
|
||||
// just skip it for now.
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t protocol = (data[0] << 8) + data[1];
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
IEEE802_11Analyzer();
|
||||
~IEEE802_11Analyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -12,13 +12,12 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 3 >= len )
|
||||
{
|
||||
packet->Weird("truncated_radiotap_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Skip over the RadioTap header
|
||||
|
|
@ -27,7 +26,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(si
|
|||
if ( rtheader_len >= len )
|
||||
{
|
||||
packet->Weird("truncated_radiotap_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
return ForwardPacket(len - rtheader_len, data + rtheader_len, packet, DLT_IEEE802_11);
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
IEEE802_11_RadioAnalyzer();
|
||||
~IEEE802_11_RadioAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,14 +10,13 @@ IPAnalyzer::IPAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
// Assume we're pointing at IP. Just figure out which version.
|
||||
if ( sizeof(struct ip) >= len )
|
||||
{
|
||||
packet->Weird("packet_analyzer_truncated_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
auto ip = (const struct ip *)data;
|
||||
|
|
@ -29,7 +28,7 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len,
|
|||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
|
||||
GetAnalyzerName(), protocol);
|
||||
packet->Weird("no_suitable_analyzer_found");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
IPAnalyzer();
|
||||
~IPAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -9,12 +9,12 @@ IPv4Analyzer::IPv4Analyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult IPv4Analyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool IPv4Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
packet->l3_proto = L3_IPV4;
|
||||
packet->hdr_size = static_cast<uint32_t>(data - packet->data);
|
||||
packet->session_analysis = true;
|
||||
|
||||
// Leave packet analyzer land
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
IPv4Analyzer();
|
||||
~IPv4Analyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -9,12 +9,12 @@ IPv6Analyzer::IPv6Analyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult IPv6Analyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool IPv6Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
packet->l3_proto = L3_IPV6;
|
||||
packet->hdr_size = static_cast<uint32_t>(data - packet->data);
|
||||
packet->session_analysis = true;
|
||||
|
||||
// Leave packet analyzer land
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
IPv6Analyzer();
|
||||
~IPv6Analyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -9,14 +9,13 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
auto len_sll_hdr = sizeof(SLLHeader);
|
||||
if ( len_sll_hdr >= len )
|
||||
{
|
||||
packet->Weird("truncated_Linux_SLL_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
//TODO: Handle different ARPHRD_types
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
LinuxSLLAnalyzer();
|
||||
~LinuxSLLAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -9,8 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
// Skip the MPLS label stack.
|
||||
bool end_of_stack = false;
|
||||
|
|
@ -20,7 +19,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
end_of_stack = *(data + 2u) & 0x01;
|
||||
|
|
@ -34,7 +33,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( sizeof(struct ip) >= len )
|
||||
{
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
auto ip = (const struct ip*)data;
|
||||
|
|
@ -47,9 +46,10 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len,
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
packet->hdr_size = (data - packet->data);
|
||||
return AnalyzerResult::Terminate;
|
||||
packet->session_analysis = true;
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
MPLSAnalyzer();
|
||||
~MPLSAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("truncated_nflog_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
|
||||
|
|
@ -26,7 +25,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( version != 0 )
|
||||
{
|
||||
packet->Weird("unknown_nflog_version");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Skip to TLVs.
|
||||
|
|
@ -41,7 +40,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("nflog_no_pcap_payload");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// TLV Type and Length values are specified in host byte order
|
||||
|
|
@ -69,7 +68,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len,
|
|||
if ( tlv_len < 4 )
|
||||
{
|
||||
packet->Weird("nflog_bad_tlv_len");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
NFLogAnalyzer();
|
||||
~NFLogAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,13 +10,12 @@ NullAnalyzer::NullAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult NullAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("null_analyzer_failed");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
NullAnalyzer();
|
||||
~NullAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,13 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("truncated_ppp_serial_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Extract protocol identifier
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
PPPSerialAnalyzer();
|
||||
~PPPSerialAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,13 +10,12 @@ PPPoEAnalyzer::PPPoEAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 8 >= len )
|
||||
{
|
||||
packet->Weird("truncated_pppoe_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
// Extract protocol identifier
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
PPPoEAnalyzer();
|
||||
~PPPoEAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -19,8 +19,7 @@ void SkipAnalyzer::Initialize()
|
|||
skip_bytes = skip_val->AsCount();
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult SkipAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool SkipAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
return ForwardPacket(len - skip_bytes, data + skip_bytes, packet);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ public:
|
|||
~SkipAnalyzer() override = default;
|
||||
|
||||
void Initialize() override;
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,13 +10,12 @@ VLANAnalyzer::VLANAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult VLANAnalyzer::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
||||
{
|
||||
if ( 4 >= len )
|
||||
{
|
||||
packet->Weird("truncated_VLAN_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
VLANAnalyzer();
|
||||
~VLANAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
|
||||
{
|
||||
// Unfortunately some packets on the link might have MPLS labels
|
||||
// while others don't. That means we need to ask the link-layer if
|
||||
|
|
@ -27,7 +27,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
if ( data + cfplen + 14 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header_cfp");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
data += cfplen;
|
||||
|
|
@ -57,7 +57,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
|
||||
|
|
@ -75,7 +75,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
if ( data + 8 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
protocol = (data[6] << 8u) + data[7];
|
||||
|
|
@ -89,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("non_ip_packet_in_pppoe_encapsulation");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
|
@ -113,7 +113,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("non_ip_packet_in_ethernet");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -127,7 +127,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
if ( data + 4 >= end_of_data )
|
||||
{
|
||||
packet->Weird("truncated_link_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
end_of_stack = *(data + 2u) & 0x01;
|
||||
|
|
@ -138,7 +138,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
if ( data + sizeof(struct ip) >= end_of_data )
|
||||
{
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
const struct ip* ip = (const struct ip*)data;
|
||||
|
|
@ -151,7 +151,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c
|
|||
{
|
||||
// Neither IPv4 nor IPv6.
|
||||
packet->Weird("no_ip_in_mpls_payload");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public:
|
|||
WrapperAnalyzer();
|
||||
~WrapperAnalyzer() override = default;
|
||||
|
||||
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
bool Analyze(Packet* packet, const uint8_t*& data) override;
|
||||
|
||||
static zeek::packet_analysis::AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -10,14 +10,14 @@ Bar::Bar()
|
|||
{
|
||||
}
|
||||
|
||||
zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
|
||||
bool Bar::AnalyzePacket(size_t len,
|
||||
const uint8_t* data, Packet* packet)
|
||||
{
|
||||
// Rudimentary parsing of 802.2 LLC
|
||||
if ( 17 >= len )
|
||||
{
|
||||
packet->Weird("truncated_llc_header");
|
||||
return AnalyzerResult::Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
auto dsap = data[14];
|
||||
|
|
@ -29,5 +29,5 @@ zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len,
|
|||
val_mgr->Count(ssap),
|
||||
val_mgr->Count(control));
|
||||
|
||||
return AnalyzerResult::Terminate;
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ public:
|
|||
Bar();
|
||||
~Bar() override = default;
|
||||
|
||||
AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
|
||||
|
||||
static AnalyzerPtr Instantiate()
|
||||
{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue