Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Simplify PBB analyzer by using Ethernet analyzer

Browse source 
After the first 4 bytes, this traffic actually just looks like Ethernet.
Rather than try to re-implement the ethernet analyzer, just check the
length, skip 4 bytes, and pass it on.
This commit is contained in:
Eldon Koyle 2023-02-16 08:19:30 -07:00
parent 1e73716172
commit 56aa03031d
3 changed files with 8 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/packet_analysis/protocol/pbb/PBB.cc
View file

@ -6,8 +6,8 @@ using namespace zeek::packet_analysis::PBB;
constexpr int PBB_LEN = 18;
constexpr int PBB_C_DST_OFF = 4;
constexpr int PBB_C_SRC_OFF = 10;
constexpr int PBB_ETYPE_OFF = 16;
constexpr int PROTO_TEB = 0x6558;
PBBAnalyzer::PBBAnalyzer() : zeek::packet_analysis::Analyzer("PBB") { }
@ -19,10 +19,6 @@ bool PBBAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
uint32_t protocol = ((data[PBB_ETYPE_OFF] << 8u) + data[PBB_ETYPE_OFF + 1u]);
packet->eth_type = protocol;
packet->l2_dst = data + PBB_C_DST_OFF;
packet->l2_src = data + PBB_C_SRC_OFF;
// Skip the PBB header
return ForwardPacket(len - PBB_LEN, data + PBB_LEN, packet, protocol);
// this looks an awful lot like ethernet from here on out
return ForwardPacket(len - PBB_C_DST_OFF, data + PBB_C_DST_OFF, packet, PROTO_TEB);
}