Set ip_proto when creating new tunnel encapsulations

Tim Wojtulewicz 2025-03-06 09:25:03 -07:00
parent 86fd9c4e0d
commit 479c4be08b
5 changed files with 33 additions and 25 deletions


@ -40,15 +40,22 @@ public:
* @param d The tunnel destination address, likely taken from an IP header. * @param d The tunnel destination address, likely taken from an IP header.
* @param t The type of IP tunnel. * @param t The type of IP tunnel.
*/ */
EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP) EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP,
uint16_t ip_proto = UNKNOWN_IP_PROTO)
: src_addr(s), : src_addr(s),
dst_addr(d), dst_addr(d),
src_port(0), src_port(0),
dst_port(0), dst_port(0),
proto(TRANSPORT_UNKNOWN), ip_proto(ip_proto),
ip_proto(UNKNOWN_IP_PROTO),
type(t), type(t),
uid(UID(detail::bits_per_uid)) {} uid(UID(detail::bits_per_uid)) {
switch ( ip_proto ) {
case IPPROTO_ICMP: proto = TRANSPORT_ICMP; break;
case IPPROTO_UDP: proto = TRANSPORT_UDP; break;
case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
default: proto = TRANSPORT_UNKNOWN; break;
}
}
/** /**
* Construct a tunnel connection using information from an already existing * Construct a tunnel connection using information from an already existing
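Review bot: The new `ip_proto` parameter of this EncapsulatingConn constructor has no `@param` entry; the doc comment above it still ends at `@param t`. I would add `* @param ip_proto The IP protocol number from the outer header carrying the tunnel; defaults to UNKNOWN_IP_PROTO.` The parameter also shadows the `ip_proto` member, so `switch ( ip_proto )` in the body reads the argument rather than the member; that is correct today but fragile, and switching on `this->ip_proto` or renaming the parameter would make the intent explicit. The switch has no case for `IPPROTO_ICMPV6`, while the baselines in this commit show proto=58 flows reported with icmp ports, so if the rest of the code treats ICMPv6 as TRANSPORT_ICMP this mapping should probably match. The constructor is fully inside the hunk; the enclosing class is not.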


@ -60,7 +60,8 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
IPTunnelMap::iterator tunnel_it = ip_tunnels.find(tunnel_idx); IPTunnelMap::iterator tunnel_it = ip_tunnels.find(tunnel_idx);
if ( tunnel_it == ip_tunnels.end() ) { if ( tunnel_it == ip_tunnels.end() ) {
EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type); EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type,
packet->ip_hdr->NextProto());
ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time); ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time);
zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this)); zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));
} }
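Review bot: The outer protocol is captured only inside the `tunnel_it == ip_tunnels.end()` branch, so it reflects whichever packet first created the entry for `tunnel_idx`. The construction of `tunnel_idx` is outside this hunk; if the key does not include the protocol, later packets between the same endpoints arriving with a different outer protocol (the baselines show both 4 and 41 for Tunnel::IP) would be logged under the first packet's `proto`, which matters for anyone correlating tunnel records in the logs. It would help to either confirm the key covers the protocol or add a comment such as `// ip_proto is fixed by the packet that creates the tunnel entry`. AnalyzePacket begins and ends outside the hunk.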


@ -2,5 +2,5 @@
echo request, 43, 4 echo request, 43, 4
echo reply, 43, 4 echo reply, 43, 4
[orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1] [orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=47], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
vlans 10, nil vlans 10, nil


@ -1,23 +1,23 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6] conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6]
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17] conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
tunnel_changed: tunnel_changed:
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]


@ -1,34 +1,34 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]