Merge remote-tracking branch 'origin/topic/johanna/pppoe-session-id-logging'

* origin/topic/johanna/pppoe-session-id-logging: Update external tests for pppoe-session-id conn.log changes PPPoE: add session id logging
2025-10-17 05:58:20 +00:00 · 2025-07-24 07:51:03 +01:00 · 2025-07-24 07:51:03 +01:00 · 4399f171ae
commit 4399f171ae
parent 106831bc62 9ab7b768c6
15 changed files with 91 additions and 5 deletions
--- a/src/packet_analysis/protocol/pppoe/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
@ -1,3 +1,4 @@
 zeek_add_plugin(
-    PacketAnalyzer PPPoE
-    SOURCES PPPoE.cc Plugin.cc)
+    Zeek PPPoE
+    SOURCES PPPoE.cc Plugin.cc
+    BIFS functions.bif)
--- a/src/packet_analysis/protocol/pppoe/functions.bif
+++ b/src/packet_analysis/protocol/pppoe/functions.bif
@ -0,0 +1,22 @@
+module PacketAnalyzer::PPPoE;
+
+%%{
+#include "zeek/packet_analysis/Manager.h"
+%%}
+
+## Returns the PPPoE Session ID of the current packet, if present.
+##
+## If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+## is out of range of the session ID.
+##
+## Returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+function session_id%(%): count
+	%{
+	static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("PPPoE");
+	auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+	if ( spans.size() == 0 || spans[0].size() <=8 )
+		return zeek::val_mgr->Count(0xFFFFFFFF);
+
+	return zeek::val_mgr->Count((spans[0][2] << 8u) + spans[0][3]);
+	%}