From 4e99d3a606892c4ca390c18f855c910fa06ffc72 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 22 Mar 2013 12:38:43 -0400
Subject: [PATCH] Add support for 802.1ah (Q-in-Q).
---
 src/PktSrc.cc | 8 ++++++++
 testing/btest/Baseline/core.q-in-q/conn.log | 11 +++++++++++
 testing/btest/Traces/q-in-q.trace | Bin 0 -> 960 bytes
 testing/btest/core/q-in-q.bro | 2 ++
 4 files changed, 21 insertions(+)
 create mode 100644 testing/btest/Baseline/core.q-in-q/conn.log
 create mode 100644 testing/btest/Traces/q-in-q.trace
 create mode 100644 testing/btest/core/q-in-q.bro
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 2e6953f7f8..fac2d11e98 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -231,6 +231,14 @@ void PktSrc::Process()
 data += get_link_header_size(datalink);
 data += 4; // Skip the vlan header
 pkt_hdr_size = 0;
+
+ // Check for 802.1ah (Q-in-Q) containing IP.
+ // Only do a second layer of vlan tag
+ // stripping because there is no
+ // specification that allows for deeper nesting.
+ if ( ((data[2] << 8) + data[3]) == 0x0800 )
+ data += 4;
+
 break;
 // PPPoE carried over the ethernet frame.
diff --git a/testing/btest/Baseline/core.q-in-q/conn.log b/testing/btest/Baseline/core.q-in-q/conn.log
new file mode 100644
index 0000000000..00b1b9894f
--- /dev/null
+++ b/testing/btest/Baseline/core.q-in-q/conn.log
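Review bot: The second-tag test `((data[2] << 8) + data[3]) == 0x0800` in src/PktSrc.cc runs after `data += 4` has already stepped past the first VLAN tag, so on a singly tagged frame it compares bytes 2-3 of the payload, not an EtherType. Assuming `get_link_header_size()` returns the 14-byte Ethernet header here, those bytes are the IPv4 total length or the low 16 bits of the IPv6 flow label, both chosen by the sender, and a value of 0x0800 would make the sensor skip four bytes of the real IP header and misparse the packet. Deciding from the first tag's encapsulated type is unambiguous: before the existing `data += 4;`, test `if ( ((data[2] << 8) + data[3]) == 0x8100 ) data += 4;`. No check that the captured length covers the bytes being read is visible in the hunk; Process() starts and ends outside it, so confirm one exists before `data[2]` and `data[3]` are touched.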
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2013-03-22-16-36-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1363900699.548138 UWkUyAuUGXf 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - 0 D 2 92 0 0 (empty) +1363900699.549647 arKYeMETxOg 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - 0 D 2 608 0 0 (empty) +#close 2013-03-22-16-36-54 diff --git a/testing/btest/Traces/q-in-q.trace b/testing/btest/Traces/q-in-q.trace new file mode 100644 index 0000000000000000000000000000000000000000..39969c80632c23b4862bd90fb1799f347e00bb40 GIT binary patch literal 960 zcmca|c+)~A1{MYw`2U}Qff2}&uJjJnisfK%0kT2(KNv6^c*3ajwvmB>7l^qy7+e_` z^xUU0FgOU7%v&RDtO~^TyAJF+z#z5rRwFlq5TgRny#E3mT+)$J(vcuD`)FV$e=-My z8_>}p%*YVORR52Ip`ME&2-%&C20&LbunNwsJIJ`p<^fQR+GMrKj56mE6o8sQVu=L> zIho0cC7Jno`o$>)3}vA~ zW`;&amI^@26KxYqOEU6{tUO#D^HPDPB-&=DR+gs}TX`0x<|O8&=qPv=Wfo`XC